A New Kali Linux Archive Signing Key
Table of Contents
TL;DR
Bad news for Kali Linux users! In the coming day(s), apt update
is going to fail for pretty much everyone out there:
Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature.
Reason is, we had to roll a new signing key for the Kali repository. You need to download and install the new key manually, here’s the one-liner:
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
Now your Kali is ready to keep rolling! Sorry for the inconvenience.
Long version
In the coming day(s), pretty much every Kali system out there will fail to update. You are likely to see this error message when you run apt update
:
sudo apt update
This is not only you, this is for everyone, and this is entirely our fault. We lost access to the signing key of the repository, so we had to create a new one. At the same time, we froze the repository (you might have noticed that there was no update since Friday 18th), so nobody was impacted yet. But we’re going to unfreeze the repository this week, and it’s now signed with the new key.
As a result, there’s a bit of manual work for you. You need to download and install this new key manually, as such:
sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
If you prefer using curl, that’s just as easy:
sudo curl https://archive.kali.org/archive-keyring.gpg -o /usr/share/keyrings/kali-archive-keyring.gpg
As a matter of good practice, you should verify that the checksum of the file matches the one below:
sha1sum /usr/share/keyrings/kali-archive-keyring.gpg
You can also take a closer look at the new keyring, it contains the old signing key (ED444FF07D8D0BF6
) and the new signing key (ED65462EC8D5E4C5
):
gpg --no-default-keyring --keyring /usr/share/keyrings/kali-archive-keyring.gpg -k
And as you can see, apt update
still works (or works again, if you’re reading this after seeing the apt error):
sudo apt update
Time to update your system!
Restarting from scratch
In some cases, you might just prefer to rebuild your Kali system(s) from scratch. For that purpose, we updated all of our images so that it contains the new keyring.
Just head to Get Kali and grab the latest images. You will notice that the version in the filenames is 2025.1c
. These are the exact same images as the ones we released a month ago, the only difference being that it contains the new keyring. You can also use the weekly images, starting from 2025-W17
they contain the new keyring.
We also updated Kali NetHunter, VM, Cloud, Docker, WSL, etc etc… Please ping us if you think we forgot something.
Q & A
Q. So your key was compromised and you don’t want to admit it, right?
A. No. As you can see we still include the old key in the keyring, if it was compromised we would have removed it and provided a revocation certificate.
Q. I don’t trust this new key! Are you really Kali Linux?
A. The new key is signed by some developers from the Kali team, and the signatures are available on the Ubuntu OpenPGP keyserver. You can check it out at Ubuntu Keyserver.
For more details and updates, visit the Kali Linux Blog.
0 Comments