By Mateusz Urbański


2019-04-12 08:03:18 8 Comments

I have the following step in my CircleCi setup to install Google Chrome:

  - run:
      name: Install Chrome headless
      working_directory: /
      command: |
        wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - && \
          echo "deb http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list && \
          apt-get update && \
          apt-get install -y dbus-x11 google-chrome-unstable && \
          rm -rf /var/lib/apt/lists/*

It stopped working and return the following error message:

W: GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
W: The repository 'http://dl.google.com/linux/chrome/deb stable Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Reading package lists... Done


Building dependency tree       


Reading state information... Done

The following additional packages will be installed:
  libappindicator3-1 libdbusmenu-gtk3-4 libindicator3-7
Recommended packages:
  libu2f-udev
The following NEW packages will be installed:
  dbus-x11 google-chrome-unstable libappindicator3-1 libdbusmenu-gtk3-4
  libindicator3-7
0 upgraded, 5 newly installed, 0 to remove and 48 not upgraded.
Need to get 60.4 MB of archives.
After this operation, 214 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  google-chrome-unstable
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
Exited with code 100

How can I fix that?

3 comments

@herkil 2019-04-12 08:28:41

It's the same as this question (10 mins of difference): https://askubuntu.com/questions/1133199/the-following-signatures-were-invalid-expkeysig-1397bc53640db551

Short explanation: the GPG key on Google side expired, so you (we) have to wait.

@YaguraStation 2019-04-12 15:57:00

I dont't think so, because they have renewed it in 2017 already, see my gist from back then: gist.github.com/YaguraStation/1f707c9c0ebd666ca3e943c7eec8ad‌​0c Also an apt-key list on an affected machine should show that the keys only expire 2020.

@herkil 2019-04-13 11:25:55

@YaguraStation GPG keys expire sooner or later, that is the case. You can lookup this problem (already solved, but for future reference) here on google support forum: support.google.com/chrome/thread/4032170?hl=en

@herkil 2019-04-13 11:32:55

Here you can find the details of the key used previously by Google: pgp.key-server.io/pks/… . The expire date is at the bottom of the page.

@sxn 2019-04-12 17:07:43

Plan 1

This is the protection you are getting from these checks. You don't want to update your software right now while something is messed up on Google's end. Wait until they fix it. Don't try to override by reinstalling keys until some official word comes out that a new key is the solution.

Plan 2

Waiting until they fix it may not be an option for all. E.g. this is breaking CI pipelines for us. If you now what you are doing, you might take the risk and disable checks for this repo for now by adding [trusted=yes] to it's configuration: deb [trusted=yes] http://dl.google.com/linux/chrome/deb/ stable main –

source

@Damien Clauzel 2019-04-12 08:35:38

You don't. You must wait for Google to renew their keys and for an update.

The important message is:

The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority)

It means that the cryptographic signature is invalid. The source of this can be an attack, a misconfiguration, or other kind of technical problem. Forcing your system to update will result in running an unverified version of your web browser, which can expose you to a lot of security troubles.

@Overdrivr 2019-04-12 13:47:08

It's breaking CI pipelines all over the place. Do you know any way to ignore a repository when running apt update ? Our pipeline does not need a more recent version of this repo.

@Damien Clauzel 2019-04-12 14:15:10

Apt doesn’t have the possibilité to skip a repository. What about redirecting STDERR to a log file? apt update 2>/tmp/apt_error.log

@YaguraStation 2019-04-12 16:00:22

@DamienClauzel you can bypass the check with trusted=yes in your source list. See manpages.debian.org/jessie/apt/sources.list.5.en.html i.e. deb [trusted=yes] http://dl.google....

@Damien Clauzel 2019-04-12 21:41:23

Yes, but this does not skip the repository: instead, it makes it treated as always secured, which is not the same thing at all. With this, you will get an untrusted update (this is Bad) instead of having no update.

Related Questions

Sponsored Content

12 Answered Questions

[SOLVED] How do I manually fire HTTP POST requests with Firefox or Chrome?

40 Answered Questions

[SOLVED] Getting Chrome to accept self-signed localhost certificate

0 Answered Questions

7 Answered Questions

[SOLVED] Upgrading mongodb has no effect and still shows the old version

  • 2015-05-02 06:49:58
  • swapnesh
  • 22343 View
  • 34 Score
  • 7 Answer
  • Tags:   mongodb ubuntu

1 Answered Questions

apt-get install of zookeeper-server throws error

0 Answered Questions

Removing 'main/binary-i386/Packages' response from sudo apt-get update

1 Answered Questions

[SOLVED] Install Google Chrome Stable 43.0.2357 under Ubuntu

1 Answered Questions

how to installing chrome on rhel5

1 Answered Questions

Getting Google repositories to work with apt-get on Ubuntu Hardy

  • 2010-05-29 16:49:43
  • Justin
  • 1088 View
  • 1 Score
  • 1 Answer
  • Tags:   google-chrome

Sponsored Content