It happened to me on a quiet evening, running the usual sudo apt update on a Debian 12 server that powers Grafana for dashboards I rely on daily.
Instead of the usual green lines of updates, I was greeted by a red warning.
The following signatures were invalid: EXPKEYSIG 963FA27710458545 Grafana Labs <engineering@grafana.com>
For a moment, it looked like the repository had gone bad, but in reality this was Debian doing its job.
The key Grafana used to sign its repository had expired.
Without a valid signature, Debian simply refuses to fetch updates. That is a feature, not a bug: it is better to stop than to trust something potentially unsafe.
The fix is not about forcing apt to ignore the error. It is about refreshing trust, by pulling down Grafana’s new signing key and configuring Debian to use it properly.
On Debian 12, the recommended approach is to store keys in /etc/apt/keyrings and explicitly link them in the repository definition with the signed-by option.
The process goes step by step: create the keyrings directory if it does not exist, remove any stale Grafana key, download the latest one, convert it to the format Debian understands, and then rewrite the repository definition so that it points directly to the new key.
Once that’s done, a simple apt update brings Grafana packages back to life without errors.
One-Shot Script to Refresh the Key
For those who want everything in one go, here is a single script that handles the full refresh:
# 1) create keyrings folder (if not there yet)
sudo mkdir -p /etc/apt/keyrings

# 2) remove old key (safe and ok if not there)
sudo rm -f /etc/apt/keyrings/grafana.gpg

# 3) get new key from Grafana and dearmor it into the keyrings folder
wget -q -O - https://apt.grafana.com/gpg.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null

# 4) make sure the repo definition uses signed-by (stable + beta if you need that one)
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" \
  | sudo tee /etc/apt/sources.list.d/grafana.list > /dev/null

# (optional) add beta if you need it
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com beta main" \
  | sudo tee -a /etc/apt/sources.list.d/grafana.list > /dev/null

# 5) refresh the package index
sudo apt update
Once the script finishes, the error disappears and you are back in business. If you want to be extra cautious, you can inspect the fingerprint of the key with:
gpg --show-keys --with-fingerprint /etc/apt/keyrings/grafana.gpg
This way you can verify it against Grafana’s official fingerprint and be certain the key is legitimate. Occasionally, the problem is not on your side at all: if Grafana lets their repository metadata expire, you will see the same error even after refreshing the key.
In those rare cases, the options are to wait for them to push a fix or temporarily disable the repository. Most of the time, simply refreshing the key is enough.
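As an added example (not from the post), here is a small POSIX sh helper that reads the status token out of the apt error, maps it to the action described above, and checks a key's fingerprint from gpg's machine-readable output before the key is trusted. Function names, the sample apt line and the sample fingerprint are constructed; the real Grafana fingerprint must be taken from Grafana's own documentation.

```shell
#!/bin/sh
# Added example, not from the post. Hypothetical helper names throughout.

# Constructed sample of the apt warning quoted in the post (key id from the post).
SAMPLE_APT_ERR='GPG error: https://apt.grafana.com stable InRelease: The following signatures were invalid: EXPKEYSIG 963FA27710458545 Grafana Labs <engineering@grafana.com>'

# Constructed `gpg --with-colons` output; the fingerprint is a placeholder, NOT Grafana's.
SAMPLE_COLONS=$(printf '%s\n' \
  'pub:e:4096:1:963FA27710458545:1677600000:1756700000::-:::scESC::::::23::0:' \
  'fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:' \
  'uid:e::::::::Grafana Labs <engineering@grafana.com>::::::::::0:')

# Print "<STATUS> <KEYID>" for the gpgv status token in an apt error line
# (EXPKEYSIG, REVKEYSIG, EXPSIG, BADSIG, NO_PUBKEY); prints nothing if absent.
apt_sig_status() {
    printf '%s\n' "$1" \
      | sed -nE 's/.*(EXPKEYSIG|REVKEYSIG|EXPSIG|BADSIG|NO_PUBKEY) ([0-9A-F]{8,16}).*/\1 \2/p'
}

# Map the status token to the action the post recommends; never "bypass apt".
sig_action() {
    case "$1" in
        EXPKEYSIG) echo "refresh-key" ;;   # signing key expired: fetch the new key
        NO_PUBKEY) echo "install-key" ;;   # key never installed: add it with signed-by
        *)         echo "investigate" ;;   # BADSIG etc.: do not force the update through
    esac
}

# Extract fingerprints from `gpg --with-colons` output on stdin (field 10 of fpr lines).
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 if the primary key in the colons output on stdin is marked expired (validity "e").
pub_expired() {
    awk -F: '$1 == "pub" && $2 == "e" { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if EXPECTED (spaces ignored, any case) matches a fingerprint on stdin.
fpr_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fprs_from_colons | grep -qx "$expected"
}

# Gate for a real keyring file (needs gpg): keyring_fpr_ok "<official fpr>" /path/key.gpg
keyring_fpr_ok() {
    gpg --show-keys --with-colons --with-fingerprint "$2" 2>/dev/null | fpr_matches "$1"
}
```

Run keyring_fpr_ok against the freshly dearmored key before copying it into /etc/apt/keyrings; if it fails, the download should be treated as untrusted rather than installed.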
There’s a certain rhythm to maintaining servers: small errors surface, you patch them, and trust is re-established.
This little Grafana key rotation was just another reminder that Debian’s security model works. It is strict for a reason, and the solution is not to bypass it, but to align with it. In the end, keeping monitoring systems secure is as important as the dashboards themselves.
Quick Fix Commands Cheat Sheet
If you only need the essential commands, here is the short version:
sudo mkdir -p /etc/apt/keyrings
sudo rm -f /etc/apt/keyrings/grafana.gpg
wget -q -O - https://apt.grafana.com/gpg.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" \
  | sudo tee /etc/apt/sources.list.d/grafana.list > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com beta main" \
  | sudo tee -a /etc/apt/sources.list.d/grafana.list > /dev/null
sudo apt update