Error in Kali Linux ‘The following signatures were invalid’ (SOLVED)

How to solve ‘An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error’ in Kali Linux 

If you use the apt command, for example, to update package information, or if you install a new package, you can face with an error:

apt update
Get:1 http://mirrors.dotsrc.org/kali kali-rolling InRelease [30.5 kB]
Err:1 http://mirrors.dotsrc.org/kali kali-rolling InRelease
  The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <devel@kali.org>
Reading package lists… Done
Building dependency tree       
Reading state information… Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://mirrors.dotsrc.org/kali kali-rolling InRelease: The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <devel@kali.org>
W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease&nbsp; The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <devel@kali.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

If this problem occurs, then to solve it, run the following commands:

wget 'https://archive.kali.org/archive-key.asc'
apt-key add archive-key.asc

Reason and description of the problem

All packages that are installed into the system from official repositories have a cryptographic signature that ensures that the package was created by the official Kali Linux maintainer and that thereafter no changes were made to it.

To verify the packets, each user must have a public key. In case of changing keys for signing packages, it is also necessary to change the public key in user systems. Supporters of the Kali Linux distribution know in advance when keys need to be updated, so even before changing keys, a new public key is added to the user's systems during the next update. Therefore, for users, changing keys, usually, runs smoothly and unnoticed.

Nevertheless, there are possible situations when the system has not been updated for a long time (i.e., it does not ‘know’ about the changed keys), and new packages in the official repositories have already been signed with a new key. In this situation, the above error occurs.

By the two commands that are given to solve the problem, we download the public key from the official Kali Linux website and add it to the system as a trusted one.

Then there's even more theory about packet authentication.

Validating Package Authenticity

Source: https://kali.training/topic/advanced-apt-configuration-and-usage/

System upgrades are very sensitive operations and you really want to ensure that you only install official packages from the Kali repositories. If the Kali mirror you are using has been compromised, a computer cracker could try to add malicious code to an otherwise legitimate package. Such a package, if installed, could do anything the cracker designed it to do including disclose passwords or confidential information. To circumvent this risk, Kali provides a tamper-proof seal to guarantee — at install time — that a package really comes from its official maintainer and hasn’t been modified by a third party.

The seal works with a chain of cryptographic hashes and a signature. The signed file is the Release file, provided by the Kali mirrors. It contains a list of the Packages files (including their compressed forms, Packages.gz and Packages.xz, and the incremental versions), along with their MD5, SHA1, and SHA256 hashes, which ensures that the files haven’t been tampered with. These Packages files contain a list of the Debian packages available on the mirror along with their hashes, which ensures in turn that the contents of the packages themselves haven’t been altered either.

The trusted keys are managed with the apt-key command found in the apt package. This program maintains a keyring of GnuPG public keys, which are used to verify signatures in the Release.gpg files available on the mirrors. It can be used to add new keys manually (when non-official mirrors are needed). Generally however, only the official Kali keys are needed. These keys are automatically kept up-to-date by the kali-archive-keyring package (which puts the corresponding keyrings in /etc/apt/trusted.gpg.d). However, the first installation of this particular package requires caution: even if the package is signed like any other, the signature cannot be verified externally. Cautious administrators should therefore check the fingerprints of imported keys before trusting them to install new packages:

apt-key fingerprint

Also recommended:

3 Comments to Error in Kali Linux ‘The following signatures were invalid’ (SOLVED)

  1. JR says:

    Thank you very much.

    is working well, now

    JR

  2. Anonymous says:

    Thank you very much)

  3. Manuel says:

    It works..

    Thks..

Leave a Reply

Your email address will not be published.