Bug #85029 APT GPG Key Expired
Submitted: 16 Feb 2017 19:12 Modified: 20 Feb 2017 13:06
Reporter: Daniel Bakken Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: Packaging Severity:S2 (Serious)
Version:5.7, 5.6 OS:Debian (Jessie)
Assigned to: CPU Architecture:Any

[16 Feb 2017 19:12] Daniel Bakken
The MySQL APT GPG key expired on Feb 16, 2017, making it impossible to install or upgrade Debian packages from the Oracle MySQL APT repository.

How to repeat:
# apt-get update

reports the following error:

W: GPG error: http://repo.mysql.com jessie InRelease: The following signatures were invalid: KEYEXPIRED 1487236823 KEYEXPIRED 1487236823 KEYEXPIRED 1487236823

# apt-key list

shows the expired key:

pub   1024D/5072E1F5 2003-02-03 [expired: 2017-02-16]
uid                  MySQL Release Engineering <mysql-build@oss.oracle.com>

Suggested fix:
Update the GPG key for the Oracle MySQL APT repository and update the mysql-apt-config Debian package accordingly.
[17 Feb 2017 5:41] MySQL Verification Team
Hello Daniel Bakken,

Thank you for the report and feedback!

[17 Feb 2017 7:47] Lars Tangvald
Posted by developer:

Sorry for the trouble. We're getting apt-config updated with the new key.
Workaround: (run as root)

apt-key del A4A9406876FCBD3C456770C88C718D3B5072E1F5 # Delete the old key
export GNUPGHOME=$(mktemp -d) # This just sets it up so the key isn't added to your actual user
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5 # Download the new one
gpg --export A4A9406876FCBD3C456770C88C718D3B5072E1F5 /etc/apt/trusted.gpg.d/mysql.gpg # Add it to the list of apt keys
apt-key list # This should now show the updated key
[17 Feb 2017 8:23] Geert Vanderkelen
Easier one-liner, like in MySQL Docs:

$ sudo apt-key adv --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
Executing: /tmp/tmp.yJ1Cs6jTjh/gpg.1.sh --keyserver
gpg: requesting key 5072E1F5 from hkp server pgp.mit.edu
gpg: key 5072E1F5: public key "MySQL Release Engineering <mysql-build@oss.oracle.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[17 Feb 2017 8:59] Lars Tangvald
Posted by developer:
We have a simpler way to update the key in our docs, actually:
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5072E1F5
[17 Feb 2017 9:00] Lars Tangvald
Posted by developer:
Whops, didn't see your comment. Thanks :)
[17 Feb 2017 17:35] Daniel Bakken
Thanks for the workaround. Now I won't have this problem again until 2019. ;)

# apt-key list

pub   1024D/5072E1F5 2003-02-03 [expires: 2019-02-17]
uid                  MySQL Release Engineering <mysql-build@oss.oracle.com>
[20 Feb 2017 13:06] Lars Tangvald
Posted by developer:
We've also updated the mysql-apt-config package to get the key from a public keyserver (which in this case would mean it would simply be a matter of running dpkg-reconfigure to update it).
[22 Feb 2017 18:25] Jake S
Note: If you are unable to open port 11371 you cannot upgrade mysql-apt-config successfully since it now forces the getting of the new keyfile (even if you've manually replaced it at the command line).

Since the "gpg" program allows you to specify a port it would be ideal if this was possible here. Or alternatively, you could just try to get the key over port 80 if the default port fails.
[22 Feb 2017 18:26] Jake S
With port 11371 blocked you can use:

sudo apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 5072E1F5
[7 Mar 2017 11:04] Hendrik Visage
With port 11371 blocked you can use:

How do I inject that other URL into the dpkconfigure/apt-get update execution?
[22 Jun 2017 17:40] Tobias Ravenstein
@Hendrik Visage you could temporary add an iptable DNAT rule:

iptables -t nat -A OUTPUT -p tcp --dport 11371 -j DNAT --to-destination

update/install the package und remove the rule again

Flush Example:
iptables -t nat -F