APT errors - Httqm's Docs

Some installation procedures may instruct to run commands such as :

curl [options] https:// | apt-key add -

Which outputs :

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

This is pretty well explained in this answer.

The technical details linked above may look complex, and the simpler is to

search the website of the software provider for an updated install procedure
update your bookmarks

apt update

Fetched 2,070 kB in 7s (304 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

DON'T PANIC : this is _just_ a warning, not an error
This is caused by the usage of the deprecated /etc/apt/trusted.gpg file.
There are 2 methods to fix this :
- the quick-n-dirty method
- the clean method

The quick-n-dirty method

As root :

mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/

No deprecated keyring == no problem ('told you it was dirty )

The clean method

Export each key from the deprecated keyring into one or more dedicated keyrings. To do so :

apt-key list

/etc/apt/trusted.gpg											the deprecated keyring
--------------------
pub	rsa4096 2019-07-30 [SC]
	A2BD 99B1 CD4F B9B9 17ED  53C2 E7CE 2877 F94C 473B						a key found in this deprecated keyring
uid		[ unknown] Gestionnaire du dépôt (Gestionnaire du dépôt) <repository@acme.com>
sub	rsa4096 2019-07-30 [E]

pub	rsa4096 2015-10-07 [SCEA]
	3E7F 2A56 D279 2B59 DCC5  6586 B15A 9E2B 0E01 8B5F
uid		[ unknown] Bot key (with stupid passphrase) <linux-echanges@list.acme.com>
sub	elg4096 2015-10-07 [E]

pub	rsa4096 2018-09-17 [SC]
	F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid		[ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

/etc/apt/trusted.gpg.d/jaap_karssenberg-ubuntu-zim.gpg							another keyring
--------------------
pub	rsa1024 2011-02-19 [SC]
		DC4A C0EE 92BC 64ED 020C  1C63 7588 B93F 8F7D F243
uid		[ unknown] Launchpad PPA for Jaap Karssenberg

/etc/apt/trusted.gpg.d/kelleyk_ubuntu_emacs.gpg								and it goes on...
--------------------

export ACME keys :
apt-key export F94C473B | gpg --dearmour -o /etc/apt/trusted.gpg.d/acme.gpg
apt-key export 0E018B5F | gpg --dearmour -o /etc/apt/trusted.gpg.d/acme.gpg

the --dearmour option converts the key from base64 to binary
export the Ubuntu key :
apt-key export 991BC93C | gpg --dearmour -o /etc/apt/trusted.gpg.d/ubuntu_archive_2018.gpg
check by running again :
apt update
rm /etc/apt/trusted.gpg

Full error message :

E: Release file for http://deb.debian.org/debian/dists/buster/InRelease is not valid yet (invalid for another 589d 23h 37min 20s). Updates for this repository will not be applied.
E: Release file for http://deb.debian.org/debian-security/dists/buster/updates/InRelease is not valid yet (invalid for another 649d 21h 37min 46s). Updates for this repository will not be applied.
E: Release file for http://deb.debian.org/debian/dists/unstable/InRelease is not valid yet (invalid for another 650d 4h 8min 51s). Updates for this repository will not be applied.

Investigations led me to the root cause : a wrong local date (experienced this on 2020-11-25):

date

Thu Feb 14 11:17:12 CET 2019

Articles dealing with time synchronization on Debian Buster list 2 methods :

ntpd, which used to be installed on my system
systemd-timesyncd, let's focus on this one

Let's focus on systemd-timesyncd :

What's up ?

systemctl status systemd-timesyncd

Warning: The unit file, source configuration file or drop-ins of systemd-timesyncd.service changed on disk. Run 'systemctl daemon-reload'
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/systemd-timesyncd.service.d
   └─disable-with-time-daemon.conf				???
   Active: inactive (dead)

As instructed :
systemctl daemon-reload

This made no change and systemd-timesyncd refused to start afterwards

Let's have a look at this disable-with-time-daemon.conf :

less /usr/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf

[Unit]
# don't run timesyncd if we have another NTP daemon installed
ConditionFileIsExecutable=!/usr/sbin/ntpd
ConditionFileIsExecutable=!/usr/sbin/openntpd
ConditionFileIsExecutable=!/usr/sbin/chronyd
ConditionFileIsExecutable=!/usr/sbin/VBoxService

Is any of these files present on the system ?
for binFile in $(awk -F '!' '/ConditionFileIsExecutable/ { print $2 }' /usr/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf); do [ -x "$binFile" ] && echo "FOUND : '$binFile'"; done
```
FOUND : '/usr/sbin/ntpd'
FOUND : '/usr/sbin/openntpd'
```
Which packages do these files come from ?
dpkg -S /usr/sbin/ntpd /usr/sbin/openntpd
```
openntpd: /usr/sbin/ntpd
openntpd: /usr/sbin/openntpd
```

Let's uninstall the useless openntpd package :

apt purge openntpd

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  openntpd*

Will I be able to start systemd-timesyncd, now ?

systemctl start systemd-timesyncd
systemctl status systemd-timesyncd

● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-10-08 21:32:17 CEST; 1 months 17 days ago
 Docs: man:systemd-timesyncd.service(8)
 Main PID: 2217 (systemd-timesyn)
   Status: "Synchronized to time server for the first time 188.165.236.162:123 (0.debian.pool.ntp.org)."
Tasks: 2 (limit: 4915)
   Memory: 1.5M
   CGroup: /system.slice/systemd-timesyncd.service
   └─2217 /lib/systemd/systemd-timesyncd

Looks good !

Check :
date
```
Wed Nov 25 18:36:24 CET 2020
```

Full error message :

apt update

Hit:1 http://ftp.fr.debian.org/debian buster InRelease
Hit:2 http://ftp.fr.debian.org/debian-security buster/updates InRelease
Hit:3 http://ftp.fr.debian.org/debian buster-updates InRelease
Get:4 http://security.debian.org buster/updates InRelease [65.4 kB]

Reading package lists... Done
E: Release file for http://ftp.fr.debian.org/debian-security/dists/buster/updates/InRelease is expired (invalid since 3d 17h 1min 44s). Updates for this repository will not be applied.

Release files have a Valid-Until parameter :

wget -O - http://ftp.fr.debian.org/debian-security/dists/buster/updates/InRelease | grep "Valid-Until"

Valid-Until: Sat, 28 Mar 2020 23:31:40 UTC

I've experienced this error at :

date

Wed 01 Apr 2020 06:51:01 PM CEST

The Valid-Until value is clearly in the past, making the release file obsolete. There's nothing wrong on your side (except that you're referring to a resource that should be up-to-date).

Available solutions :

Contact the mirror maintainer(s) to make them aware of the issue and wait until they've fixed it. You should be able to find contact information by browsing directories up from the release file URL (search for README files)
Run and update your own mirror with debmirror (not tested).

Switch to an other Debian mirror :

http://ftp.fr.debian.org/debian-security/README.security suggests :

This site holds security updates for Debian GNU/Linux.

If you are using apt you can use this entry in /etc/apt/sources.list:

  deb http://security.debian.org/ stable/updates main

so I edited /etc/apt/sources.list and changed :

deb http://ftp.fr.debian.org/debian-security/ buster/updates main contrib non-free

into :

deb http://security.debian.org/ buster/updates main contrib non-free

Here is a quick-n-dirty workaround (not a solution), that deactivates the check which verifies expired digital signatures, so apt will accept old and expired release keys :

apt update -o Acquire::Check-Valid-Until=false

Full message :

apt upgrade

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
	default-jre default-jre-headless icedtea-netx
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Different circumstances may cause this output message :

cause	solution
apt upgrade only upgrades what can be upgraded. It doesn't install new packages or remove old ones. Packages that require, to be upgraded, either to install a new package or to remove an installed one, are not upgraded. Such packages will be listed after : The following packages have been kept back:.	read below
Packages have been put on hold to prevent their update.	You probably forgot you did this yourself : just grab a coffee, everything is going extremely well
This is due to Phased updates. Confirmed by apt-mark showhold returning nothing.	This is an expected behavior, not an error. Just relax : everything is going extremely well (AGAIN !)

apt dist-upgrade

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
	icedtea-netx icedtea-netx-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
	default-java-plugin icedtea-8-plugin
The following packages will be upgraded:
	default-jre default-jre-headless icedtea-netx
3 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
Need to get 45.9 kB of archives.
After this operation, 655 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://ftp.fr.debian.org/debian stretch/main amd64 default-jre amd64 2:1.8-58+deb9u1 [930 B]
Get:2 http://ftp.fr.debian.org/debian stretch/main amd64 default-jre-headless amd64 2:1.8-58+deb9u1 [10.1 kB]
Get:3 http://ftp.fr.debian.org/debian stretch/main amd64 icedtea-netx amd64 1.6.2-3.1+deb9u1 [34.9 kB]
Fetched 45.9 kB in 0s (157 kB/s)
Reading changelogs... Done
(Reading database ... 268071 files and directories currently installed.)
Removing default-java-plugin (2:1.8-58) ...
Removing icedtea-8-plugin:amd64 (1.6.2-3.1) ...
(Reading database ... 268066 files and directories currently installed.)
Preparing to unpack .../default-jre_2%3a1.8-58+deb9u1_amd64.deb ...
Unpacking default-jre (2:1.8-58+deb9u1) over (2:1.8-58) ...
Preparing to unpack .../default-jre-headless_2%3a1.8-58+deb9u1_amd64.deb ...
Unpacking default-jre-headless (2:1.8-58+deb9u1) over (2:1.8-58) ...
Preparing to unpack .../icedtea-netx_1.6.2-3.1+deb9u1_amd64.deb ...
Unpacking icedtea-netx:amd64 (1.6.2-3.1+deb9u1) over (1.6.2-3.1) ...
Setting up icedtea-netx:amd64 (1.6.2-3.1+deb9u1) ...
Setting up default-jre-headless (2:1.8-58+deb9u1) ...
Setting up default-jre (2:1.8-58+deb9u1) ...

apt autoremove

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
	icedtea-netx icedtea-netx-common
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 1,668 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 268066 files and directories currently installed.)
Removing icedtea-netx:amd64 (1.6.2-3.1+deb9u1) ...
update-alternatives: removing manually selected alternative - switching javaws to auto mode
update-alternatives: removing manually selected alternative - switching itweb-settings to auto mode
update-alternatives: removing manually selected alternative - switching policyeditor to auto mode
Removing icedtea-netx-common (1.6.2-3.1+deb9u1) ...
Processing triggers for mime-support (3.60) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Processing triggers for hicolor-icon-theme (0.15-1) ...

When I run apt-get update, I get messages like :


Hit:6 http://ftp.fr.debian.org/debian jessie Release
Err:7 http://security.debian.org jessie/updates Release
	407	Proxy Authentication Required [IP: IP of my company's web proxy 3128]
Err:8 http://security.debian.org testing/updates Release
	407	Proxy Authentication Required [IP: IP of my company's web proxy 3128]

A company policy made me change my LDAP password lately (which is used not only to log in but also to go through the company web proxy), the http_proxy and https_proxy environment variables (holding my proxy login/password) are up-to-date
No problem reaching http://security.debian.org with wget

Several causes, several solutions :

Case 1 :

Missing / obsolete proxy settings :

grep http_proxy ~/.bashrc* /etc/{profile,environment}; echo -e "\nCURRENT VALUE : $http_proxy"
edit file having wrong settings
source theFileYouJustEdited

Case 2 :

The apt configuration has a wrong / obsolete value for http_proxy / https_proxy / login / password, hence the error. Just review your apt proxy settings.

Case 3 :

For any good / weird reason, Squid is running on localhost.

set / update the proxy credentials in /etc/squid/squid.conf :

cache_peer proxy01.acmecorp.com parent 3128 0 no-query round-robin weight=1 login=kevin:proxyPassword proxy-only
cache_peer proxy02.acmecorp.com parent 3128 0 no-query round-robin weight=2 login=kevin:proxyPassword proxy-only

systemctl restart squid

APT errors - ...sometimes not as smooth as usual...

apt-key : Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Situation

Details

Solution

apt update error : Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg),

Situation

Details

Solution

The quick-n-dirty method

The clean method

apt update error : Release file for http://deb.debian.org//InRelease is not valid yet Updates for this repository will not be applied.

Situation

Details

Solution

Let's focus on systemd-timesyncd :

apt update error : Release file for http://ftp.fr.debian.org//InRelease is expired. Updates for this repository will not be applied.

Situation

Details

Solution

Available solutions :

Alternate solution

apt upgrade displays The following packages have been kept back:

Situation

Details

Solution

apt update error : 407 Proxy Authentication Required

Situation

Details

Solution

Case 1 :

Case 2 :

Case 3 :