How to Remove an Expired Key in APT
If your package manager starts throwing “no signature” or “key has expired” errors, it’s usually because an old signing key is still on the system. Removing that key will let apt update run smoothly again.
Why You’ll Get This Error
When you add a new repository, you usually copy its GPG key into /etc/apt/trusted.gpg.d. That key stays there forever unless you delete it. Over time those keys pile up and some expire. When one does, apt refuses to trust that source until you clean it out.
Find the Expired Key Fingerprint
Run:
sudo apt-key list | grep -E "expires|expired"
This shows all keys and flags the ones that are past their expiry date. In my last upgrade from Ubuntu 18.04 to 20.04, the Launchpad PPA key blew up because it was set to expire in January 2023, so I had to remove it.
Delete the Key with apt-key
If you’re on an older system where apt-key is still in use:
sudo apt-key del <KEY_ID>
Replace <KEY_ID> with the 8‑ or 16‑character fingerprint from the list. Deleting it removes the key file from /etc/apt/trusted.gpg.d, so APT no longer sees it.
If apt-key Is Deprecated
Newer Ubuntu releases recommend using signed-by in your source line instead of global keys. First, locate the repository entry that uses the old key:
grep -R "deb " /etc/apt/sources.list* | grep <KEY_ID>
Edit that line to include a signed-by clause pointing to a fresh key file (or remove it if you’re going to use HTTPS verification). Then delete the old key as shown above.
Clean Up Any Left‑Overs
Sometimes a dangling key file remains after deletion. Verify with:
sudo apt-key list | grep <KEY_ID>
If nothing shows up, you’re good to go. Finally, update APT:
sudo apt update
You should see no more “expired” warnings.
TL;DR: List expired keys, delete them via apt-key del, and clean any repository entries that still reference the old key. A few commands, a handful of edits, and your package manager will behave like it did before the error started nagging you.
