APT errors - ...sometimes not as smooth as usual...


apt update error : Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg),

Situation

apt update

Fetched 2,070 kB in 7s (304 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Details

  1. DON'T PANIC : this is _just_ a warning, not an error
  2. This is caused by the usage of the deprecated /etc/apt/trusted.gpg file.
  3. There are 2 methods to fix this :

Solution

The quick-n-dirty method

As root :
mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/
No deprecated keyring == no more warning (the keys in the moved file stay trusted by apt exactly as before)

The clean method

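Export each key from the deprecated keyring into one or more dedicated keyrings. Note that keyrings in /etc/apt/trusted.gpg.d/ are trusted for all repositories too; to tie a key to a single repository, the DEPRECATION section of apt-key(8) points to the signed-by option of sources.list instead. To do so :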
  1. apt-key list
    /etc/apt/trusted.gpg                    <-- the deprecated keyring
    --------------------
    pub   rsa4096 2019-07-30 [SC]
          A2BD 99B1 CD4F B9B9 17ED  53C2 E7CE 2877 F94C 473B    <-- a key found in this deprecated keyring
    uid           [ unknown] Gestionnaire du dépôt (Gestionnaire du dépôt) <repository@acme.com>
    sub   rsa4096 2019-07-30 [E]

    pub   rsa4096 2015-10-07 [SCEA]
          3E7F 2A56 D279 2B59 DCC5  6586 B15A 9E2B 0E01 8B5F
    uid           [ unknown] Bot key (with stupid passphrase) <linux-echanges@list.acme.com>
    sub   elg4096 2015-10-07 [E]

    pub   rsa4096 2018-09-17 [SC]
          F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
    uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

    /etc/apt/trusted.gpg.d/jaap_karssenberg-ubuntu-zim.gpg    <-- another keyring
    --------------------
    pub   rsa1024 2011-02-19 [SC]
          DC4A C0EE 92BC 64ED 020C  1C63 7588 B93F 8F7D F243
    uid           [ unknown] Launchpad PPA for Jaap Karssenberg

    /etc/apt/trusted.gpg.d/kelleyk_ubuntu_emacs.gpg           <-- and it goes on...
    --------------------
    
  2. export ACME keys (both in a single command : gpg -o does not append, so a second export to the same file would replace the first key) :
    apt-key export F94C473B 0E018B5F | gpg --dearmour -o /etc/apt/trusted.gpg.d/acme.gpg
  3. export the Ubuntu key :
    apt-key export 991BC93C | gpg --dearmour -o /etc/apt/trusted.gpg.d/ubuntu_archive_2018.gpg
  4. check by running again :
    apt update
  5. rm /etc/apt/trusted.gpg
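
The short IDs used in steps 2 and 3 are the last 8 hex digits of each fingerprint shown by apt-key list. As an added example (not part of the original page), this script pulls the keys of the legacy keyring out of such a listing; the function names are made up and the sample listing is constructed from the output above.

```sh
#!/bin/sh
# Added example: list the keys that still live in the legacy keyring.

# Constructed sample input, shaped like the `apt-key list` output above.
sample_apt_key_list() {
cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-07-30 [SC]
      A2BD 99B1 CD4F B9B9 17ED  53C2 E7CE 2877 F94C 473B
uid           [ unknown] Gestionnaire du dépôt (Gestionnaire du dépôt) <repository@acme.com>
sub   rsa4096 2019-07-30 [E]

pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

/etc/apt/trusted.gpg.d/jaap_karssenberg-ubuntu-zim.gpg
--------------------
pub   rsa1024 2011-02-19 [SC]
      DC4A C0EE 92BC 64ED 020C  1C63 7588 B93F 8F7D F243
uid           [ unknown] Launchpad PPA for Jaap Karssenberg
EOF
}

# Print "<full fingerprint> <short ID> <uid>" for each key in /etc/apt/trusted.gpg only.
legacy_keys() {
    awk '
        # a keyring header line starts a new section; remember whether it is the legacy one
        /^\/etc\/apt\// { legacy = ($1 == "/etc/apt/trusted.gpg"); next }
        !legacy         { next }
        /^uid/ {
            if (fpr == "") next            # only the first uid of each key
            sub(/^uid[ \t]*\[[^]]*\][ \t]*/, "")
            print fpr, substr(fpr, 33), $0
            fpr = ""; next
        }
        {
            line = $0; gsub(/[ \t]/, "", line)
            # a fingerprint line is 40 hex digits once the spaces are removed
            if (length(line) == 40 && line ~ /^[0-9A-F]+$/) fpr = line
        }
    '
}

sample_apt_key_list | legacy_keys
```

On a real system, feed it with apt-key list 2>/dev/null | legacy_keys. apt-key export also accepts the full fingerprint (first column), which avoids the collisions that 8-digit IDs allow.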

apt update error : Release file for http://deb.debian.org//InRelease is not valid yet Updates for this repository will not be applied.

Situation

Full error message :
E: Release file for http://deb.debian.org/debian/dists/buster/InRelease is not valid yet (invalid for another 589d 23h 37min 20s). Updates for this repository will not be applied.
E: Release file for http://deb.debian.org/debian-security/dists/buster/updates/InRelease is not valid yet (invalid for another 649d 21h 37min 46s). Updates for this repository will not be applied.
E: Release file for http://deb.debian.org/debian/dists/unstable/InRelease is not valid yet (invalid for another 650d 4h 8min 51s). Updates for this repository will not be applied.

Details

Investigations led me to the root cause : a wrong local date (experienced this on 2020-11-25):
date
Thu Feb 14 11:17:12 CET 2019

Solution

Articles dealing with time synchronization on Debian Buster list 2 methods :

Let's focus on systemd-timesyncd :

  1. What's up ?
    systemctl status systemd-timesyncd
    Warning: The unit file, source configuration file or drop-ins of systemd-timesyncd.service changed on disk. Run 'systemctl daemon-reload'
    ● systemd-timesyncd.service - Network Time Synchronization
       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
      Drop-In: /usr/lib/systemd/system/systemd-timesyncd.service.d
       └─disable-with-time-daemon.conf				???
       Active: inactive (dead)
  2. As instructed :
    systemctl daemon-reload
    This made no change and systemd-timesyncd refused to start afterwards
  3. Let's have a look at this disable-with-time-daemon.conf :
    less /usr/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
    [Unit]
    # don't run timesyncd if we have another NTP daemon installed
    ConditionFileIsExecutable=!/usr/sbin/ntpd
    ConditionFileIsExecutable=!/usr/sbin/openntpd
    ConditionFileIsExecutable=!/usr/sbin/chronyd
    ConditionFileIsExecutable=!/usr/sbin/VBoxService
  4. Is any of these files present on the system ?
    for binFile in $(awk -F '!' '/ConditionFileIsExecutable/ { print $2 }' /usr/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf); do [ -x "$binFile" ] && echo "FOUND : '$binFile'"; done
    FOUND : '/usr/sbin/ntpd'
    FOUND : '/usr/sbin/openntpd'
  5. Which packages do these files come from ?
    dpkg -S /usr/sbin/ntpd /usr/sbin/openntpd
    openntpd: /usr/sbin/ntpd
    openntpd: /usr/sbin/openntpd
  6. Let's uninstall the useless openntpd package :
    apt purge openntpd
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be REMOVED:
      openntpd*
    
  7. Will I be able to start systemd-timesyncd, now ?
    systemctl start systemd-timesyncd
    systemctl status systemd-timesyncd
     systemd-timesyncd.service - Network Time Synchronization
       Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2020-10-08 21:32:17 CEST; 1 months 17 days ago
     Docs: man:systemd-timesyncd.service(8)
     Main PID: 2217 (systemd-timesyn)
       Status: "Synchronized to time server for the first time 188.165.236.162:123 (0.debian.pool.ntp.org)."
    Tasks: 2 (limit: 4915)
       Memory: 1.5M
       CGroup: /system.slice/systemd-timesyncd.service
       └─2217 /lib/systemd/systemd-timesyncd
    Looks good !
  8. Check :
    date
    Wed Nov 25 18:36:24 CET 2020

apt update error : Release file for http://ftp.fr.debian.org//InRelease is expired. Updates for this repository will not be applied.

Situation

Full error message :
apt update
Hit:1 http://ftp.fr.debian.org/debian buster InRelease
Hit:2 http://ftp.fr.debian.org/debian-security buster/updates InRelease
Hit:3 http://ftp.fr.debian.org/debian buster-updates InRelease
Get:4 http://security.debian.org buster/updates InRelease [65.4 kB]

Reading package lists... Done
E: Release file for http://ftp.fr.debian.org/debian-security/dists/buster/updates/InRelease is expired (invalid since 3d 17h 1min 44s). Updates for this repository will not be applied.

Details

Release files have a Valid-Until parameter :
Valid-Until: Sat, 28 Mar 2020 23:31:40 UTC
I've experienced this error at :
date
Wed 01 Apr 2020 06:51:01 PM CEST
The Valid-Until value is clearly in the past, making the release file obsolete. There's nothing wrong on your side (except that you're referring to a resource that should be up-to-date).

Solution

Available solutions :

Alternate solution

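Here is a quick-n-dirty workaround (not a solution) : it disables the Valid-Until check, so apt will accept a Release file whose validity period has expired. That check is what stops a mirror (or anyone in the path) from serving old metadata that hides newer updates, so pass the option on the command line for a single run rather than making it permanent :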
apt update -o Acquire::Check-Valid-Until=false
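
The two time-related failures on this page ("not valid yet" above and "expired" here) come down to comparing the clock with the Date and Valid-Until fields of the Release file. As an added example (not from the original page), this script reproduces that comparison on a constructed header; the function names are made up, the Date value is invented, and apt's small tolerance for future dates (Acquire::Max-FutureTime) is ignored.

```sh
#!/bin/sh
# Added example: classify a Release/InRelease header against a given clock value.

# Constructed header: Valid-Until is the value quoted above, Date is made up.
sample_release() {
cat <<'EOF'
Origin: Debian
Suite: stable
Date: Sat, 21 Mar 2020 23:31:40 UTC
Valid-Until: Sat, 28 Mar 2020 23:31:40 UTC
EOF
}

# release_state NOW_EPOCH   (header on stdin, timestamps assumed to be UTC)
# Prints "not valid yet <duration>", "expired <duration>" or "valid".
release_state() {
    awk -v now="$1" '
        # "Sat, 28 Mar 2020 23:31:40 UTC" -> seconds since 1970-01-01 00:00:00 UTC
        function epoch(s,   f, t, y, m, d, yoe, doy, days) {
            split(s, f, " "); split(f[5], t, ":")
            d = f[2]; y = f[4]
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[3]) + 2) / 3
            if (m <= 2) y--                       # count the year from March
            doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
            yoe = y % 400
            days = int(y / 400) * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
            return days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        }
        function dur(s) {
            return sprintf("%dd %dh %dmin %ds", s / 86400, s % 86400 / 3600, s % 3600 / 60, s % 60)
        }
        /^Date: /        { sub(/^Date: /, "");        date  = epoch($0) }
        /^Valid-Until: / { sub(/^Valid-Until: /, ""); until = epoch($0) }
        END {
            if (date != "" && date > now)        print "not valid yet", dur(date - now)
            else if (until != "" && until < now) print "expired", dur(now - until)
            else                                 print "valid"
        }
    '
}

# 2020-04-01 16:33:24 UTC, i.e. 3d 17h 1min 44s after the Valid-Until above
sample_release | release_state 1585758804
```

Passing date +%s as the argument tells which of the two errors the local clock would trigger for a given header.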

apt upgrade displays The following packages have been kept back:

Situation

Full message :
apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
	default-jre default-jre-headless icedtea-netx
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Details

Different circumstances may cause this output message :
  • cause : apt upgrade only upgrades what can be upgraded. It doesn't install new packages or remove old ones. Packages whose upgrade requires either installing a new package or removing an installed one are not upgraded. Such packages are listed after : The following packages have been kept back:.
    solution : read below
  • cause : Packages have been put on hold to prevent their update.
    solution : You probably forgot you did this yourself : just grab a coffee, everything is going extremely well
  • cause : This is due to Phased updates. Confirmed by apt-mark showhold returning nothing.
    solution : This is an expected behavior, not an error. Just relax : everything is going extremely well (AGAIN !)

Solution

apt dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
	icedtea-netx icedtea-netx-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
	default-java-plugin icedtea-8-plugin
The following packages will be upgraded:
	default-jre default-jre-headless icedtea-netx
3 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
Need to get 45.9 kB of archives.
After this operation, 655 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://ftp.fr.debian.org/debian stretch/main amd64 default-jre amd64 2:1.8-58+deb9u1 [930 B]
Get:2 http://ftp.fr.debian.org/debian stretch/main amd64 default-jre-headless amd64 2:1.8-58+deb9u1 [10.1 kB]
Get:3 http://ftp.fr.debian.org/debian stretch/main amd64 icedtea-netx amd64 1.6.2-3.1+deb9u1 [34.9 kB]
Fetched 45.9 kB in 0s (157 kB/s)
Reading changelogs... Done
(Reading database ... 268071 files and directories currently installed.)
Removing default-java-plugin (2:1.8-58) ...
Removing icedtea-8-plugin:amd64 (1.6.2-3.1) ...
(Reading database ... 268066 files and directories currently installed.)
Preparing to unpack .../default-jre_2%3a1.8-58+deb9u1_amd64.deb ...
Unpacking default-jre (2:1.8-58+deb9u1) over (2:1.8-58) ...
Preparing to unpack .../default-jre-headless_2%3a1.8-58+deb9u1_amd64.deb ...
Unpacking default-jre-headless (2:1.8-58+deb9u1) over (2:1.8-58) ...
Preparing to unpack .../icedtea-netx_1.6.2-3.1+deb9u1_amd64.deb ...
Unpacking icedtea-netx:amd64 (1.6.2-3.1+deb9u1) over (1.6.2-3.1) ...
Setting up icedtea-netx:amd64 (1.6.2-3.1+deb9u1) ...
Setting up default-jre-headless (2:1.8-58+deb9u1) ...
Setting up default-jre (2:1.8-58+deb9u1) ...
apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
	icedtea-netx icedtea-netx-common
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 1,668 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 268066 files and directories currently installed.)
Removing icedtea-netx:amd64 (1.6.2-3.1+deb9u1) ...
update-alternatives: removing manually selected alternative - switching javaws to auto mode
update-alternatives: removing manually selected alternative - switching itweb-settings to auto mode
update-alternatives: removing manually selected alternative - switching policyeditor to auto mode
Removing icedtea-netx-common (1.6.2-3.1+deb9u1) ...
Processing triggers for mime-support (3.60) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Processing triggers for hicolor-icon-theme (0.15-1) ...

apt update error : 407 Proxy Authentication Required

Situation

When I run apt-get update, I get messages like :

Hit:6 http://ftp.fr.debian.org/debian jessie Release
Err:7 http://security.debian.org jessie/updates Release
	407	Proxy Authentication Required [IP: IP of my company's web proxy 3128]
Err:8 http://security.debian.org testing/updates Release
	407	Proxy Authentication Required [IP: IP of my company's web proxy 3128]

Details

Solution

Several causes, several solutions :

Case 1 :

Missing / obsolete proxy settings :
  1. grep http_proxy ~/.bashrc* /etc/{profile,environment}; echo -e "\nCURRENT VALUE : $http_proxy"
  2. edit file having wrong settings
  3. source theFileYouJustEdited

Case 2 :

/etc/apt/apt.conf contains an obsolete value of http_proxy, hence wrong password and Proxy Authentication Required. So the solution is as simple as emptying the file (this wipes every setting it holds, not just the proxy one) :
> /etc/apt/apt.conf

Case 3 :

For any good / weird reason, Squid is running on localhost.
  1. set / update the proxy credentials in /etc/squid/squid.conf (they sit there in clear text, so make sure ordinary users can't read the file) :
    cache_peer proxy01.acmecorp.com parent 3128 0 no-query round-robin weight=1 login=kevin:proxyPassword proxy-only
    cache_peer proxy02.acmecorp.com parent 3128 0 no-query round-robin weight=2 login=kevin:proxyPassword proxy-only
  2. systemctl restart squid