Bug #106492 The following signatures were invalid: EXPKEYSIG 8C718D3B5072E1F5
Submitted: 17 Feb 14:37 Modified: 16 Mar 15:04
Reporter: Alex Skoropad
Status: Won't fix
Category: MySQL Server: Installing Severity: S3 (Non-critical)
Version: 5.7 OS: Debian (stretch)
Assigned to: CPU Architecture: Any

[17 Feb 14:37] Alex Skoropad
I'm trying to update mysql on debian stretch and can't add key. Looks like apt-key works:

sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5072E1F5
Executing: /tmp/apt-key-gpghome.AjhVhSMGEt/gpg.1.sh --keyserver pgp.mit.edu --recv-keys 5072E1F5
gpg: key 8C718D3B5072E1F5: 3 duplicate signatures removed
gpg: key 8C718D3B5072E1F5: 106 signatures not checked due to missing keys
gpg: key 8C718D3B5072E1F5: "MySQL Release Engineering <mysql-build@oss.oracle.com>" 2 new signatures
gpg: Total number processed: 1
gpg:         new signatures: 2

But sudo apt update fails with:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.mysql.com/apt/debian stretch InRelease: The following signatures were invalid: EXPKEYSIG 8C718D3B5072E1F5 MySQL Release Engineering <mysql-build@oss.oracle.com>
W: Failed to fetch http://repo.mysql.com/apt/debian/dists/stretch/InRelease  The following signatures were invalid: EXPKEYSIG 8C718D3B5072E1F5 MySQL Release Engineering <mysql-build@oss.oracle.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Stretch repo wasn't updated since May 2021 (even jessie which is older was updated this year :))

How to repeat:
Try to update repo on debian stretch

Suggested fix:
Sign this repo with actual key
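
The EXPKEYSIG status in the report above is what GnuPG emits when a signature is otherwise good but was made by a key that has expired. As an added example (not part of this bug thread or of MySQL's tooling), the shell functions below read a `gpg --with-colons` key listing and flag expired or soon-to-expire keys before apt starts failing; the function names are hypothetical, the sample key IDs and timestamps are constructed placeholders, and epoch-second dates (the GnuPG 2.x default) are assumed.

```shell
# Added example: flag expired or soon-to-expire OpenPGP keys in a keyring,
# reading `gpg --with-colons` output on stdin.
#
# Colon format (GnuPG doc/DETAILS), "pub" records:
#   field 2 = validity (e = expired, r = revoked)
#   field 5 = 64-bit key ID
#   field 7 = expiration time, seconds since epoch (empty = never expires)

# key_expiry_report NOW WARN_DAYS
#   Prints one line per primary key: "<STATE> <KEYID>"
#   STATE is EXPIRED, REVOKED, EXPIRING (within WARN_DAYS) or OK.
key_expiry_report() {
    local now=$1 warn_days=$2
    awk -F: -v now="$now" -v warn="$((warn_days * 86400))" '
        $1 != "pub" { next }              # skip uid/sub/fpr/sig records
        {
            state = "OK"
            if ($2 == "r")                           state = "REVOKED"
            else if ($2 == "e")                      state = "EXPIRED"
            else if ($7 != "" && $7 + 0 <= now)      state = "EXPIRED"
            else if ($7 != "" && $7 - now <= warn)   state = "EXPIRING"
            print state, $5
        }'
}

# Constructed sample (not real key material): three primary keys.
sample_keyring() {
    cat <<'EOF'
pub:e:1024:17:AAAAAAAAAAAAAAA1:1045000000:1645000000::-:::scSC::::::23::0:
uid:e::::1045000000::0000000000000000000000000000000000000000::Example Expired Repo Key <expired@example.invalid>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBB2:1600000000:1702592000::-:::scSC::::::23::0:
sub:-:4096:1:CCCCCCCCCCCCCCC3:1600000000:1702592000:::::e::::::23:
pub:-:4096:1:DDDDDDDDDDDDDDD4:1600000000:::-:::scSC::::::23::0:
EOF
}

# Exit non-zero when any key needs attention, so cron or CI can alert.
check_keyring() {
    local report
    report=$(key_expiry_report "$1" "$2")
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(EXPIRED|REVOKED|EXPIRING) '
}

# Live use (assumed keyring path; adjust to where your repo key is stored):
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#       --list-keys --with-colons | check_keyring "$(date +%s)" 30
```

Run from cron or a CI job, a non-zero exit gives advance notice that a repository key needs replacing.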
[18 Feb 8:07] Lars Tangvald

As Debian 9 is EOL, it is no longer supported by MySQL, and the repo is no longer being updated. The MySQL repo signing key was replaced, because the old one (5072E1F5) is no longer considered to have secure encryption.

The jessie repo directories having updated timestamps is odd, but note it's only the directories. The repo files themselves are not updated, and no jessie files are being uploaded.
[18 Feb 8:19] Alex Skoropad
So now it's not possible to install even previous versions of mysql packages on stretch?
[18 Feb 12:38] Lars Tangvald
Rather than using repo.mysql.com for unsupported platforms, you could download package bundles from https://downloads.mysql.com/archives/community/ (5.7.34 and 8.0.25 would be the newest server versions available for Stretch, I believe).
[21 Feb 9:04] Alex Skoropad
Ok, thanks, it's less convenient than repo in case of automatization but usable
[21 Feb 9:05] Alex Skoropad
Maybe you can provide the current MySQL repo signing key ID?
[23 Feb 23:53] Lee Marshall
Debian 8 MySQL support ended when Debian 8 LTS ended.
It appears MySQL changed its policy and ended Debian 9 support a year early.

We're certainly miffed about the change in policy and about not having received timely notice of it!

What's the best approach to getting automatically hit upside the head if we miss another end of support?  Learning it this way comes a little late!
[16 Mar 15:02] Lars Tangvald
Simplest way to get the key is to download with gpg.
You can use apt-key adv --keyserver pgp.mit.edu --recv-keys 3A79BD29 (https://dev.mysql.com/doc/mysql-apt-repo-quick-guide/en/#repo-qg-apt-repo-manual-setup)

We have a list of platform EOL notices at https://www.mysql.com/support/eol-notice.html
[22 Nov 21:08] Ricardo Ravazzolo
It works for me in Debian Jessie with Expired Keys.

1 - Download package bundles from https://downloads.mysql.com/archives/community

2 - Create a Local Apt Repository with dpkg-scanpackages tool and MySQL packages downloaded

3 - Update MySQL from 5.7.16 to 5.7.30 (to use OpenSSL TLSv1.2) 

apt-get update
apt-get install mysql-server

Thanks for all!