Offensive Security developers have warned Kali Linux users that they will have to manually install a new repository signing key to avoid update failures. The old signing key was lost.
Offensive Security reported that they lost the old repository signing key (ED444FF07D8D0BF6) and were forced to create a new one (ED65462EC8D5E4C5) signed using signatures available on the Ubuntu OpenPGP keyserver.
Since the old key was not compromised, it was not removed from the keyring and will have to be replaced manually. If the old key is used, users will encounter the error “Missing key 827C8569F2518CC677FECA1AED654462EC8D5E4C5, which is needed to verify signature” when trying to get a list of the latest packages.
“In the coming days, almost all Kali systems will be unable to update. This will affect not only you, but all users, and it is entirely our fault. We lost access to the repository signing key, so we had to create a new one,” Offensive Security says. “At the same time, we froze the repository (you may have noticed that there have been no updates since Friday the 18th), so no one is affected yet. But we are going to unfreeze it this week, and it is now signed with a new key.”
To avoid problems with updates, the developers advise users to manually download and install the new repository signing key using the following command:
    sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
Those who do not want to manually download the key and verify the checksums are advised to reinstall Kali using the already updated images.
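The command above writes the download straight over the trusted keyring, so any checksum comparison happens only after the file is already in place. As an added example (not from Offensive Security or the original article), the script below downloads to a temporary file, compares its SHA-256 with a value you copy from the official announcement, and replaces the keyring only on a match; the function name `verify_and_install` and the `--fetch` argument are assumptions of this example, and the checksum is deliberately left for you to supply because the article does not give it.

```shell
#!/bin/sh
# Added example: verify a downloaded keyring before it replaces the trusted one.
KEYRING_URL="https://archive.kali.org/archive-keyring.gpg"      # from the article
KEYRING_DEST="/usr/share/keyrings/kali-archive-keyring.gpg"     # from the article

# verify_and_install <downloaded-file> <expected-sha256> <destination>
# Returns 0 after installing, 1 on checksum mismatch, 2 on a missing/empty file.
verify_and_install() {
    vi_src="$1"; vi_expected="$2"; vi_dest="$3"
    # An empty download (for example a failed or truncated transfer) is never installed.
    [ -s "$vi_src" ] || { echo "empty or missing download: $vi_src" >&2; return 2; }
    vi_actual=$(sha256sum "$vi_src" | awk '{print $1}') || return 2
    # Normalise the supplied value so upper-case hex still compares equal.
    vi_expected=$(printf '%s' "$vi_expected" | tr 'A-F' 'a-f')
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "checksum mismatch: got $vi_actual, keyring left untouched" >&2
        return 1
    fi
    # Copy next to the destination, then rename, so apt never sees a partial file.
    install -m 0644 "$vi_src" "$vi_dest.new" && mv -f "$vi_dest.new" "$vi_dest"
}

# Usage (as root): ./update-kali-keyring.sh --fetch <sha256 from the official announcement>
if [ "${1:-}" = "--fetch" ]; then
    expected="${2:?usage: $0 --fetch <expected-sha256>}"
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$KEYRING_URL" || { echo "download failed" >&2; exit 2; }
    # Print the keys in the file so the key IDs can be compared with the announcement.
    gpg --show-keys --with-fingerprint "$tmp"
    verify_and_install "$tmp" "$expected" "$KEYRING_DEST"
fi
```
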
It is worth noting that this is not the first time that Kali Linux users have had to manually update the keyring. In February 2018, Kali developers allowed the GPG key to expire and also asked users to update it manually.