
The repository 'http://dl.google.com/linux/chrome/deb stable Release' is not signed [closed]

I have the following step in my CircleCI setup to install Google Chrome:

  - run:
      name: Install Chrome headless
      working_directory: /
      command: |
        wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - && \
          echo "deb http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list && \
          apt-get update && \
          apt-get install -y dbus-x11 google-chrome-unstable && \
          rm -rf /var/lib/apt/lists/*

It stopped working and returns the following error message:

W: GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority) <[email protected]>
W: The repository 'http://dl.google.com/linux/chrome/deb stable Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libappindicator3-1 libdbusmenu-gtk3-4 libindicator3-7
Recommended packages:
  libu2f-udev
The following NEW packages will be installed:
  dbus-x11 google-chrome-unstable libappindicator3-1 libdbusmenu-gtk3-4
  libindicator3-7
0 upgraded, 5 newly installed, 0 to remove and 48 not upgraded.
Need to get 60.4 MB of archives.
After this operation, 214 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  google-chrome-unstable
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
Exited with code 100

How can I fix that?

Mateusz Urbański asked Apr 12 '19 08:04


4 Answers

You don't. You must wait for Google to renew their keys and for an update.

The important message is:

The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority)

It means that the cryptographic signature is invalid. The source of this can be an attack, a misconfiguration, or another kind of technical problem. Forcing your system to update will result in running an unverified version of your web browser, which can expose you to a lot of security troubles.

Damien Clauzel answered Nov 13 '22 10:11
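
An added example, not code from any answer on this page: a shell filter that reads apt-get update output, separates the expired-key case quoted above (EXPKEYSIG) from the other gpgv status codes apt reports, and fails the CI step in every case. The function names, the second sample log line, the repo.example.org host and the all-zero key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the gpgv status codes that apt echoes in
# "GPG error" warnings, so a CI job can report why verification failed.

# Print "<verdict> <keyid>" for every failed signature in apt output on stdin.
classify_apt_gpg() {
    awk '/GPG error:/ {
        n = split($0, w, " ")
        for (i = 1; i < n; i++) {
            if      (w[i] == "EXPKEYSIG") print "expired-key",   w[i + 1]
            else if (w[i] == "REVKEYSIG") print "revoked-key",   w[i + 1]
            else if (w[i] == "BADSIG")    print "bad-signature", w[i + 1]
            else if (w[i] == "NO_PUBKEY") print "missing-key",   w[i + 1]
        }
    }'
}

# Return 0 only when the apt output contains no signature failure at all.
# Every verdict fails the job; the verdict only tells the operator why.
apt_gate() {
    verdicts=$(classify_apt_gpg)
    [ -z "$verdicts" ] && return 0
    printf '%s\n' "$verdicts" | while read -r verdict keyid; do
        case $verdict in
            expired-key) hint="signing key expired; wait for the vendor to renew it" ;;
            *)           hint="do not install from this repository until verified" ;;
        esac
        printf 'apt signature failure: %s key=%s (%s)\n' "$verdict" "$keyid" "$hint" >&2
    done
    return 1
}

# Constructed sample input. The first line is modelled on the warning in the
# question; the second uses a placeholder host and an all-zero key ID.
sample_log() {
    cat <<'EOF'
W: GPG error: http://dl.google.com/linux/chrome/deb stable Release: The following signatures were invalid: EXPKEYSIG 1397BC53640DB551 Google Inc. (Linux Packages Signing Authority)
W: GPG error: http://repo.example.org/deb stable Release: The following signatures were invalid: BADSIG 0000000000000000 Example Signer
Reading package lists... Done
EOF
}

sample_log | apt_gate || echo "gate: refusing to install unauthenticated packages"
```

In a pipeline the filter would sit behind the real command, for example apt-get update 2>&1 | apt_gate, placed before the install step.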


It's the same as this question (10 mins of difference): https://askubuntu.com/questions/1133199/the-following-signatures-were-invalid-expkeysig-1397bc53640db551

Short explanation: the GPG key on Google's side expired, so you (we) have to wait.

herkil answered Nov 13 '22 08:11


Plan 1

This is the protection you are getting from these checks. You don't want to update your software right now while something is messed up on Google's end. Wait until they fix it. Don't try to override by reinstalling keys until some official word comes out that a new key is the solution.

Plan 2

Waiting until they fix it may not be an option for all. E.g. this is breaking CI pipelines for us. If you know what you are doing, you might take the risk and disable checks for this repo for now by adding [trusted=yes] to its configuration:

deb [trusted=yes] http://dl.google.com/linux/chrome/deb/ stable main

source

sxn answered Nov 13 '22 08:11


I simply commented out the entry in etc/apt/sources.list.d/google-chrome.list so I don't see the error anymore.

user16291799 answered Nov 13 '22 08:11