How to renew expired Icinga2 repository key

Written by - 0 comments

Published on - Listed in Icinga Monitoring Linux


As announced by the Icinga team in August 2024, the key, which is used to sign the icinga2 packages, has expired.

The apt command on Debian, Ubuntu and other distributions using APT as package manager, will show an error like this:

root@debian:~# apt-get update
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [27.2 kB]
Hit:2 http://deb.debian.org/debian bullseye InRelease                                         
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 https://packages.icinga.com/debian icinga-bullseye InRelease [12.4 kB]         
Get:5 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [307 kB]
Get:6 http://security.debian.org/debian-security bullseye-security/main Translation-en [198 kB]
Err:4 https://packages.icinga.com/debian icinga-bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CC116F55AA7F2382

Fetched 588 kB in 1s (1027 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.icinga.com/debian icinga-bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CC116F55AA7F2382
W: Failed to fetch https://packages.icinga.com/debian/dists/icinga-bullseye/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CC116F55AA7F2382
W: Some index files failed to download. They have been ignored, or old ones used instead.

To download and install the newer key, first identify which key is currently used:

root@debian:~# cat /etc/apt/sources.list.d/icinga.list
deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-bullseye main

In this situation, the additional apt repository is already using the newer signed-by method, where the relevant key path for this repository is defined. In this case we can download and overwrite the old key:

root@debian:~# curl -fsSL https://packages.icinga.com/icinga.key | sudo gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
File '/usr/share/keyrings/icinga-archive-keyring.gpg' exists. Overwrite? (y/N) y

In case you are still using the older and meanwhile deprecated APT repository key method (using apt-key), you can use the following command:

root@debian:~# curl -s https://packages.icinga.com/icinga.key | apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

As the output shows the deprecation warning, you should move to the newer signed-by method shown above.

Now that the new key was imported to APT, apt-get update works without an error again:

root@debian:~# apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://security.debian.org/debian-security bullseye-security InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease       
Get:4 https://packages.icinga.com/debian icinga-bullseye InRelease [12.4 kB]
Get:5 https://packages.icinga.com/debian icinga-bullseye/main amd64 Packages [80.5 kB]
Fetched 92.9 kB in 1s (185 kB/s)   
Reading package lists... Done


More recent articles:

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder