EXPKEYSIG

Introduction

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: tor+https://deb.whonix.org bookworm InRelease: The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer adrelanos@kicksecure.com

Deprecation notice.
- Kicksecure: Kicksecure 17 End of Security Support and Deprecation Notice - All users should move to Kicksecure 18!
- Whonix: Whonix 17 End of Security Support and Deprecation Notice - All users should move to Whonix 18!
Follow Kicksecure developments: Stay Tuned
Base: Kicksecure is based on Debian.
Signing key update requirement: Only useful in case of performing a Release Upgrade or fixing the signing key for Kicksecure or Whonix 17 on Qubes R4.2.^[1]
Release upgrade vs re-installation: For a comparison between a release upgrade and performing a full image re-installation, Update vs Image Re-Installation is applicable.
Indicator of compromise? No. See Valid Compromise Indicators versus Invalid Compromise Indicators.

Update Kicksecure Signing Key

Only useful if:

Performing a Release Upgrade, or
Fixing the signing key for Kicksecure or Whonix 17 on Qubes R4.2.^[1]

sysmaint notice

Non-Qubes: See sysmaint notice in footnote. ^[2]
Qubes: Use a Qubes Root Console.

Complete the following steps to add the Kicksecure Signing Key to the system's APT keyring.

Open a terminal.

Package curl needs to be installed.

Install package(s) curl following these instructions:

Platform specific notice.

Kicksecure: No special notice.
Kicksecure-Qubes: In Template.

Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

Install the curl package(s).

Using apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends curl

Platform specific notice.

Kicksecure: No special notice.
Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

Done.

The procedure of installing package(s) curl is complete.

Download Kicksecure Signing Key. ^[3]

Choose your operating system.

If you are using Debian, run.

Choose TLS or onion.

TLS (Debian)

TLS.

sudo curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc

onion (Debian)

Downloading over onion requires an already functional system Tor.

sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc

If you are using a Qubes Debian Template, run.

Choose TLS or onion.

TLS (Qubes)

TLS.

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.kicksecure.com/keys/derivative.asc

onion (Qubes)

Downloading over onion requires an already functional system Tor.

sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc

Signing key verification.

Optional. Recommended for Advanced Users only. If you have a good understanding of Verifying Software Signatures you can check the Kicksecure Signing Key for additional security.

Done.

The procedure of adding the Kicksecure signing key is now complete.

Footnotes

↑ ^1.0 ^1.1 https://forums.whonix.org/t/error-gpg-key-whonix-kvm/22721
↑
Sysmaint Notice
- If using user-sysmaint-split: The user must boot into the sysmaint session. For details and instructions on how to do so, see user-sysmaint-split.
- If using unrestricted admin mode: This sysmaint notice does not apply. Continue with the steps below.
↑ See Secure Downloads to understand why curl and the parameters --tlsv1.3 are used instead of wget.

Placing an additional signing key into folder /usr/share/keyrings by itself alone has no impact on security as this folder is not automatically used by Debian's APT by default. Only when an APT sources list configuration file points to folder /usr/share/keyrings using the signed-by keyword the signing key will be actually used. Therefore deleting keys in /usr/share/keyrings is optional if intending to disable an APT repository. See also APT Signing Key Folders.

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2026 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[expsig17-1] 1.0 ^1.1 https://forums.whonix.org/t/error-gpg-key-whonix-kvm/22721

[2] Sysmaint Notice

If using user-sysmaint-split: The user must boot into the sysmaint session. For details and instructions on how to do so, see user-sysmaint-split.

If using unrestricted admin mode: This sysmaint notice does not apply. Continue with the steps below.

[3] If using user-sysmaint-split: The user must boot into the sysmaint session. For details and instructions on how to do so, see user-sysmaint-split.

[4] If using unrestricted admin mode: This sysmaint notice does not apply. Continue with the steps below.

[3] See Secure Downloads to understand why curl and the parameters --tlsv1.3 are used instead of wget.

Placing an additional signing key into folder /usr/share/keyrings by itself alone has no impact on security as this folder is not automatically used by Debian's APT by default. Only when an APT sources list configuration file points to folder /usr/share/keyrings using the signed-by keyword the signing key will be actually used. Therefore deleting keys in /usr/share/keyrings is optional if intending to disable an APT repository. See also APT Signing Key Folders.

[1]

[2]

[3]

EXPKEYSIG

Contents

Introduction

Update Kicksecure Signing Key

A : Debian

TLS (Debian)

onion (Debian)

B : Qubes

TLS (Qubes)

onion (Qubes)

Footnotes

Navigation menu

EXPKEYSIG

Introduction

Update Kicksecure Signing Key

A : Debian

TLS (Debian)

onion (Debian)

B : Qubes

TLS (Qubes)

onion (Qubes)

Footnotes

Navigation menu

Search