EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>

Bug #1920640 reported by Felipe Reyes
This bug affects 29 people
Affects                  Status        Importance  Assigned to  Milestone
ubuntu-keyring (Ubuntu)  Fix Released  Critical    Unassigned
Bionic                   Fix Released  Critical    Unassigned
Focal                    Fix Released  Critical    Unassigned
Groovy                   Fix Released  Critical    Unassigned
Hirsute                  Fix Released  Critical    Unassigned

Bug Description

[Impact]

 * Cannot update apt metadata from ddebs.ubuntu.com whilst using ubuntu-dbgsym-keyring package

[Test Plan]

 * Install ubuntu-dbgsym-keyring package
 * Add ddebs.ubuntu.com repository for your release
 * sudo apt update must be successful

 * Install ubuntu-dbgsym-keyring package
 * Install and use `apt-key list` and check that there is no expiry on the dbgsym key

I.e. bad output
/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg
-----------------------------------------------------
pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20]
      F2ED C64D C5AE E1F6 B9C6 21F0 C8CA B659 5FDF F622
uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>

Good output has no [date] in the pub line.

[Where problems could occur]

 * At the moment the signature was bumped by one year
 * Meaning this issue will occur again in 2022
 * Instead the key must be set to not expire & new round of SRUs issued

[Other Info]

 * Original bug report

The public key used by the debugging symbols repository /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg from the package ubuntu-dbgsym-keyring expired.

$ apt policy ubuntu-dbgsym-keyring
ubuntu-dbgsym-keyring:
  Installed: 2020.02.11.2
  Candidate: 2020.02.11.2
  Version table:
 *** 2020.02.11.2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal/main i386 Packages
        100 /var/lib/dpkg/status
$ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-dbgsym-keyring.gpg --list-keys
/usr/share/keyrings/ubuntu-dbgsym-keyring.gpg
---------------------------------------------
pub rsa4096 2016-03-21 [SC] [expired: 2021-03-20]
      F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
uid [ expired] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>

Error message on "apt update":

E: The repository 'http://ddebs.ubuntu.com bionic-updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ddebs.ubuntu.com bionic Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
E: The repository 'http://ddebs.ubuntu.com bionic Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ddebs.ubuntu.com bionic-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
E: The repository 'http://ddebs.ubuntu.com bionic-proposed Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Felipe Reyes (freyes)
summary: - W: GPG error: http://ddebs.ubuntu.com bionic Release: The following
- signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol
- Archive Automatic Signing Key (2016) <ubuntu-archive@lists.ubuntu.com>
+ EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing
+ Key (2016) <ubuntu-archive@lists.ubuntu.com>
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-keyring (Ubuntu):
status: New → Confirmed
thedoctar (thedoctar) wrote :

I have a similar error

Ign:16 http://ddebs.ubuntu.com focal-updates Release.gpg
Err:17 http://ddebs.ubuntu.com focal Release.gpg
  The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
Err:19 http://ddebs.ubuntu.com focal-proposed Release.gpg
  The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
Hit:18 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Reading package lists... Done
E: The repository 'http://ddebs.ubuntu.com focal-updates Release' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ddebs.ubuntu.com focal Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ddebs.ubuntu.com focal-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>

Felipe Reyes (freyes) wrote : Re: [Bug 1920640] Re: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive@lists.ubuntu.com>

Hi,

This is a workaround you can use temporarily:

$ wget -O- http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -
$ sudo apt update

The key was extended temporarily.

Best,

Christopher Patrick (cpatrick08) wrote :

Thanks for the workaround. Can confirm it works, I was just wondering how the key was allowed to expire, and if there is anything being done to make sure it doesn't happen again to this or other keys.

Trent Lloyd (lathiat) wrote :

Just to make the current status clear from what I can gather:

- The GPG key was extended by 1 year to 2022-03-21

- On Ubuntu Bionic (18.04) and newer the GPG key is normally installed by the ubuntu-dbgsym-keyring package (on 18.04 Bionic onwards). This package is not yet updated. An update to this package is required and still pending.

- On Ubuntu Xenial (16.04) users typically imported the key from keyserver.ubuntu.com. As that is not yet updated, you will need to import the key from HTTP using the workaround below which will work as a temporary workaround on all Ubuntu releases. Once keyserver.ubuntu.com is updated, you could also use "sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622"

- The updated GPG key is not currently published to keyserver.ubuntu.com

- The updated GPG key is available at http://ddebs.ubuntu.com/dbgsym-release-key.asc

- As a workaround you can import that key to apt using "wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -" (note: you need a space between the -O and -, contrary to the previously pasted comment)

- I believe that the key likely needs to be extended longer and published to all resources including the ubuntu-dbgsym-keyring package and keyserver.ubuntu.com
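
A way to apply the HTTP workaround above without relying on the transport, as an added example (not from the bug report or the Ubuntu project): the downloaded file is inspected first and imported only if it holds exactly the key whose fingerprint is quoted in this report. The function names and the `--install` switch are hypothetical, `SAMPLE_COLONS` is constructed, and the installed GnuPG is assumed to support `gpg --show-keys`.

```shell
#!/bin/sh
# Added example, not from the bug report: inspect a downloaded key before trusting it.
# URL and fingerprint are the ones quoted in this bug report.
KEY_URL="http://ddebs.ubuntu.com/dbgsym-release-key.asc"
EXPECTED_FPR="F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622"

# Constructed sample of `gpg --with-colons` output for the updated key
# (timestamp is illustrative, not captured from a real listing).
SAMPLE_COLONS='pub:-:4096:1:C8CAB6595FDFF622:1458518400:::-:::scSC::::::23::0:
fpr:::::::::F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622:
uid:-::::1458518400::::Ubuntu Debug Symbol Archive Automatic Signing Key (2016):'

# stdin: colon-format key listing. stdout: the fingerprint of every primary key,
# i.e. the first "fpr" record after each "pub" record. Fingerprints that follow
# "sub" records belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin describes exactly one primary key and it is the pinned
# one ($1). A file carrying extra keys is rejected, because importing it would
# add every key in it to the apt trust store.
is_pinned_key() {
    fprs=$(primary_fingerprints)
    [ "$fprs" = "$1" ]
}

# Download, check, and only then import. Run as root.
fetch_and_install() {
    tmp=$(mktemp) || return 1
    # --show-keys lists the keys in a file without importing them.
    if wget -q -O "$tmp" "$KEY_URL" &&
       gpg --show-keys --with-colons "$tmp" 2>/dev/null | is_pinned_key "$EXPECTED_FPR"
    then
        apt-key add "$tmp"   # same import step as the workaround in this thread
        rc=$?
    else
        echo "not importing: download failed or fingerprint is not $EXPECTED_FPR" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Nothing touches the network or the keyring unless explicitly requested.
if [ "${1:-}" = "--install" ]; then
    fetch_and_install
fi
```

The check is only as strong as the source of `EXPECTED_FPR`; the same fingerprint appears in the `gpg --list-keys` output of the keyring already installed from the signed archive.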

Trent Lloyd (lathiat) wrote :

Updated the following wiki pages:
https://wiki.ubuntu.com/Debug%20Symbol%20Packages
https://wiki.ubuntu.com/DebuggingProgramCrash

With the note:
Note: The GPG key expired on 2021-03-21 and may need updating by either upgrading the ubuntu-dbgsym-keyring package or re-running the apt-key command. Please see Bug #1920640 for workaround details if that does not work.

Trent Lloyd (lathiat)
Changed in ubuntu-keyring (Ubuntu):
importance: Undecided → Critical
importance: Critical → High
Dimitry Andric (dimitry-andric) wrote :

Note: this is a duplicate of bug #1920610, which was submitted a few hours earlier.

Changed in ubuntu-keyring (Ubuntu Hirsute):
importance: High → Critical
Changed in ubuntu-keyring (Ubuntu Focal):
importance: Undecided → Critical
Changed in ubuntu-keyring (Ubuntu Bionic):
importance: Undecided → Critical
Changed in ubuntu-keyring (Ubuntu Groovy):
importance: Undecided → Critical
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-keyring (Ubuntu Bionic):
status: New → Confirmed
Changed in ubuntu-keyring (Ubuntu Focal):
status: New → Confirmed
Changed in ubuntu-keyring (Ubuntu Groovy):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2021.03.21.1

---------------
ubuntu-keyring (2021.03.21.1) hirsute; urgency=medium

  * Update expiry of the ddebs.ubuntu.com key by one year. LP: #1920640

 -- Dimitri John Ledkov <email address hidden> Sun, 21 Mar 2021 13:47:59 +0000

Changed in ubuntu-keyring (Ubuntu Hirsute):
status: Confirmed → Fix Released
Who Cares (whocares77) wrote :

You know that Canonical have huge problems if the guys responsible for security are prompting you to trust keys downloaded through http protocol

description: updated
Changed in ubuntu-keyring (Ubuntu Groovy):
status: Confirmed → In Progress
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Felipe, or anyone else affected,

Accepted ubuntu-keyring into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2020.06.17.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-keyring (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in ubuntu-keyring (Ubuntu Focal):
status: Confirmed → In Progress
Changed in ubuntu-keyring (Ubuntu Bionic):
status: Confirmed → In Progress
Brian Murray (brian-murray) wrote :

Hello Felipe, or anyone else affected,

Accepted ubuntu-keyring into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2020.02.11.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-keyring (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Changed in ubuntu-keyring (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Felipe, or anyone else affected,

Accepted ubuntu-keyring into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2018.09.18.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

I tested this on Bionic (albeit using Ubuntu Error Tracker retracing systems) and updating the ubuntu-dbgsym-keyring from -proposed allowed them to retrace crashes again so setting to verification-done.

2021-03-26 17:15:33,167:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Processing.
2021-03-26 17:15:33,219:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Decompressing to /tmp/tmprCylMh-swift.6d1acc70-8e56-11eb-8af4-fa163e9b80e2.oopsid.core
2021-03-26 17:15:33,314:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Retracing 6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift with sandbox-dir /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-uUsGBd/sandbox with cache /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-uUsGBd/cache
2021-03-26 17:15:36,471:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Apport's return code was 1.
2021-03-26 17:15:36,471:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:ERROR: W:Download is performed unsandboxed as root as file '/srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-uUsGBd/cache/Ubuntu 21.04/apt/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hirsute_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied), W:GPG error: http://ddebs.ubuntu.com hirsute Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>, E:The repository 'http://ddebs.ubuntu.com hirsute Release' is not signed., W:Updating from such a repository can't be done securely, and is therefore disabled by default., W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: http://ddebs.ubuntu.com hirsute-updates Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>, E:The repository 'http://ddebs.ubuntu.com hirsute-updates Release' is not signed.
2021-03-26 17:15:36,471:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Will retry (6d1acc70-8e56-11eb-8af4-fa163e9b80e2) due to a transient error.
2021-03-26 17:15:36,473:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Processing.
2021-03-26 17:15:36,657:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Decompressing to /tmp/tmpaSBRUl-swift.6d1acc70-8e56-11eb-8af4-fa163e9b80e2.oopsid.core
2021-03-26 17:15:36,751:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Retracing 6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift with sandbox-dir /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-uUsGBd/sandbox with cache /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-uUsGBd/cache
2021-03-26 17:16:35,063:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Writing back to Cassandra
2021-03-26 17:16:35,150:19962:140010884187968:INFO:root:6d1acc70-8e56-11eb-8af4-fa163e9b80e2:swift:Successfully retraced.
...


tags: added: verification-done-bionic
removed: verification-needed-bionic
Changed in ubuntu-keyring (Ubuntu Hirsute):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2021.03.26

---------------
ubuntu-keyring (2021.03.26) hirsute; urgency=medium

  * Remove expiry of the ddebs.ubuntu.com key. LP: #1920640
  * Remove previous signatures from the ddebs.ubuntu.com key to minimize
    keyring size.
  * Remove encryption subkeys from cloud-archive & cloud-images keyrings,
    only signing keys are needed.

 -- Dimitri John Ledkov <email address hidden> Fri, 26 Mar 2021 23:37:35 +0000

Changed in ubuntu-keyring (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Rik Mills (rikmills) wrote :

Tested in focal.

Before test with proposed keyring packages: 'apt update' failed with the aforementioned error. dbgsym packages could not be installed from ddebs.ubuntu.com

After upgrading to proposed keyring packages: 'apt update' succeeded. A sampling of dbgsym packages could be installed from ddebs.ubuntu.com

tags: added: verification-done-focal
removed: verification-needed-focal
description: updated
Brian Murray (brian-murray) wrote :

Hello Felipe, or anyone else affected,

Accepted ubuntu-keyring into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2020.06.17.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-focal
removed: verification-done-focal
Brian Murray (brian-murray) wrote :

Hello Felipe, or anyone else affected,

Accepted ubuntu-keyring into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2020.02.11.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-bionic
removed: verification-done-bionic
Brian Murray (brian-murray) wrote :

Hello Felipe, or anyone else affected,

Accepted ubuntu-keyring into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-keyring/2018.09.18.1~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Fiona Klute (fiona-klute) wrote :

Works on Groovy, the dbgsym repository updates without issues using ubuntu-dbgsym-keyring 2020.06.17.2. :-)

tags: added: verification-done-groovy
removed: verification-needed-groovy
Brian Murray (brian-murray) wrote :

I tested this again in the Ubuntu Error Tracker using ubuntu-dbgsym-keyring version 2018.09.18.1~18.04.2 and retracing started working again.

2021-03-30 19:11:42,253:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Processing.
2021-03-30 19:11:42,389:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Decompressing to /tmp/tmpWpOfew-swift.64b7ba98-918a-11eb-8a05-fa163e7a7275.oopsid.core
2021-03-30 19:11:42,527:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Retracing 64b7ba98-918a-11eb-8a05-fa163e7a7275:swift with sandbox-dir /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-bryjaH/sandbox with cache /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-bryjaH/cache
2021-03-30 19:11:46,738:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Apport's return code was 1.
2021-03-30 19:11:46,738:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:ERROR: W:Download is performed unsandboxed as root as file '/srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-bryjaH/cache/Ubuntu 21.04/apt/var/lib/apt/lists/partial/archive.ubuntu.com_ubuntu_dists_hirsute_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied), W:GPG error: http://ddebs.ubuntu.com hirsute Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>, E:The repository 'http://ddebs.ubuntu.com hirsute Release' is not signed., W:Updating from such a repository can't be done securely, and is therefore disabled by default., W:See apt-secure(8) manpage for repository creation and user configuration details., W:GPG error: http://ddebs.ubuntu.com hirsute-updates Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>, E:The repository 'http://ddebs.ubuntu.com hirsute-updates Release' is not signed.
2021-03-30 19:11:46,738:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Will retry (64b7ba98-918a-11eb-8a05-fa163e7a7275) due to a transient error.
2021-03-30 19:11:46,740:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Processing.
2021-03-30 19:11:46,931:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Decompressing to /tmp/tmpn7RBHi-swift.64b7ba98-918a-11eb-8a05-fa163e7a7275.oopsid.core
2021-03-30 19:11:47,078:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Retracing 64b7ba98-918a-11eb-8a05-fa163e7a7275:swift with sandbox-dir /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-bryjaH/sandbox with cache /srv/daisy.staging.ubuntu.com/devel/cache/Ubuntu 21.04/cache-bryjaH/cache
2021-03-30 19:12:48,786:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Writing back to Cassandra
2021-03-30 19:12:48,888:21370:140207348864832:INFO:root:64b7ba98-918a-11eb-8a05-fa163e7a7275:swift:Successfully retraced.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Setting to verification-done for Focal.

(focal-amd64)root@impulse:/home/bdmurray/source-trees/error-tracker-deployment/trunk# apt-get update
...
Reading package lists... Done
W: GPG error: http://ddebs.ubuntu.com focal Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
E: The repository 'http://ddebs.ubuntu.com focal Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ddebs.ubuntu.com focal-updates Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
E: The repository 'http://ddebs.ubuntu.com focal-updates Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ddebs.ubuntu.com focal-proposed Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
E: The repository 'http://ddebs.ubuntu.com focal-proposed Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
(focal-amd64)root@impulse:/home/bdmurray/source-trees/error-tracker-deployment/trunk# apt-get install ubuntu-dbgsym-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  ubuntu-dbgsym-keyring
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/6956 B of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 10155 files and directories currently installed.)
Preparing to unpack .../ubuntu-dbgsym-keyring_2020.02.11.4_all.deb ...
Unpacking ubuntu-dbgsym-keyring (2020.02.11.4) over (2020.02.11.2) ...
Setting up ubuntu-dbgsym-keyring (2020.02.11.4) ...
(focal-amd64)root@impulse:/home/bdmurray/source-trees/error-tracker-deployment/trunk# apt-get update
...
Get:20 http://ddebs.ubuntu.com focal-proposed/universe amd64 Packages [41.3 kB]
Fetched 5486 kB in 9s (623 kB/s)
Reading package lists... Done

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
tags: added: fr-1216
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2020.06.17.3

---------------
ubuntu-keyring (2020.06.17.3) groovy; urgency=medium

  * Remove expiry of the ddebs.ubuntu.com key. LP: #1920640

 -- Dimitri John Ledkov <email address hidden> Mon, 29 Mar 2021 15:28:00 +0100

Changed in ubuntu-keyring (Ubuntu Groovy):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for ubuntu-keyring has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2020.02.11.4

---------------
ubuntu-keyring (2020.02.11.4) focal; urgency=medium

  * Remove expiry of the ddebs.ubuntu.com key. LP: #1920640

 -- Dimitri John Ledkov <email address hidden> Mon, 29 Mar 2021 15:29:33 +0100

Changed in ubuntu-keyring (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-keyring - 2018.09.18.1~18.04.2

---------------
ubuntu-keyring (2018.09.18.1~18.04.2) bionic; urgency=medium

  * Remove expiry of the ddebs.ubuntu.com key. LP: #1920640

 -- Dimitri John Ledkov <email address hidden> Mon, 29 Mar 2021 15:33:14 +0100

Changed in ubuntu-keyring (Ubuntu Bionic):
status: Fix Committed → Fix Released
Who Cares (whocares77) wrote :

More than a week was needed for this trivial harmless fix to go through this nonsensical bureaucracy. The ubuntu update procedure is broken.

Lastique (andysem) wrote :

The updated packages don't work for me on groovy.

$ apt policy ubuntu-keyring ubuntu-dbgsym-keyring
ubuntu-keyring:
  Installed: 2020.06.17.3
  Candidate: 2020.06.17.3
  Version table:
 *** 2020.06.17.3 500
        500 http://ru.archive.ubuntu.com/ubuntu groovy-updates/main amd64 Packages
        500 http://ru.archive.ubuntu.com/ubuntu groovy-updates/main i386 Packages
        100 /var/lib/dpkg/status
     2020.06.17.1 500
        500 http://ru.archive.ubuntu.com/ubuntu groovy/main amd64 Packages
        500 http://ru.archive.ubuntu.com/ubuntu groovy/main i386 Packages
ubuntu-dbgsym-keyring:
  Installed: 2020.06.17.3
  Candidate: 2020.06.17.3
  Version table:
 *** 2020.06.17.3 500
        500 http://ru.archive.ubuntu.com/ubuntu groovy-updates/main amd64 Packages
        500 http://ru.archive.ubuntu.com/ubuntu groovy-updates/main i386 Packages
        100 /var/lib/dpkg/status
     2020.06.17.1 500
        500 http://ru.archive.ubuntu.com/ubuntu groovy/main amd64 Packages
        500 http://ru.archive.ubuntu.com/ubuntu groovy/main i386 Packages

$ sudo apt update
Get:1 file:/mnt/g/packages ubuntu-groovy InRelease
Ign:1 file:/mnt/g/packages ubuntu-groovy InRelease
Get:2 file:/mnt/g/packages ubuntu-groovy Release [3044 B]
Get:2 file:/mnt/g/packages ubuntu-groovy Release [3044 B]
Get:3 file:/mnt/g/packages ubuntu-groovy Release.gpg
Ign:3 file:/mnt/g/packages ubuntu-groovy Release.gpg
Hit:4 http://ru.archive.ubuntu.com/ubuntu groovy InRelease
Hit:5 http://ru.archive.ubuntu.com/ubuntu groovy-updates InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:7 http://ru.archive.ubuntu.com/ubuntu groovy-backports InRelease
Hit:8 http://archive.canonical.com/ubuntu groovy InRelease
Hit:9 http://ppa.launchpad.net/lutris-team/lutris/ubuntu groovy InRelease
Hit:10 http://security.ubuntu.com/ubuntu groovy-security InRelease
Ign:11 http://ddebs.ubuntu.c...

Dimitry Andric (dimitry-andric) wrote :

Can you please show the output of:

apt-key export C8CAB6595FDFF622 | gpg --list-packets

?

I guess for some reason your apt keyring isn't updated correctly.

Dimitri John Ledkov (xnox) wrote :

It is possible that you have the key in _two_ keyrings in trusted.gpg.d/ & in trusted.gpg itself.

It would be best for you to do the following:

1) sudo apt remove --purge ubuntu-dbgsym-keyring

2) sudo apt-key del 0xC8CAB6595FDFF622

3) sudo apt-key list | grep C8CAB6595FDFF622 => it should be empty now

4) sudo apt install ubuntu-dbgsym-keyring

Oded Arbel (oded-geek) wrote :

Re: #30 and #21. I have the same issue:

----8<----
$ for p in /etc/apt/trusted.gpg.d/ubuntu-*; do gpg --no-default-keyring --keyring $p --list-keys; done
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
      843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg
-----------------------------------------------------
pub rsa4096 2016-03-21 [SC]
      F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
uid [ unknown] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
      F6ECB3762474EDA9D21B7022871920D1991BC93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <email address hidden>

$ sudo apt install --reinstall ubuntu-dbgsym-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 2 not upgraded.
Need to get 6,904 B of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu groovy-updates/main amd64 ubuntu-dbgsym-keyring all 2020.06.17.3 [6,904 B]
Fetched 6,904 B in 0s (14.4 kB/s)
Supported
(Reading database ... 704337 files and directories currently installed.)
Preparing to unpack .../ubuntu-dbgsym-keyring_2020.06.17.3_all.deb ...
Unpacking ubuntu-dbgsym-keyring (2020.06.17.3) over (2020.06.17.3) ...
Setting up ubuntu-dbgsym-keyring (2020.06.17.3) ...
$ sudo apt update
[...]
Ign:28 http://ddebs.ubuntu.com groovy InRelease
Ign:29 http://ddebs.ubuntu.com groovy-updates InRelease
Hit:30 http://ddebs.ubuntu.com groovy Release
Get:31 http://ddebs.ubuntu.com groovy-updates Release [40.5 kB]
Get:32 http://ddebs.ubuntu.com groovy-updates Release.gpg [819 B]
Err:35 http://ddebs.ubuntu.com groovy Release.gpg
  The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
Err:32 http://ddebs.ubuntu.com groovy-updates Release.gpg
  The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
Fetched 213 kB in 4s (55.8 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ddebs.ubuntu.com groovy Release: The following signatures were invalid: EXPKEYSIG C8CAB6595FDFF622 Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <email address hidden>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error:...

Christian Ehrhardt  (paelzer) wrote :

FYI: I've today had two systems exposing that issue.
The cleanup in comment #32 helped, but I wonder what caused it initially.
Sadly I can't recreate it anymore with a new system/container - might have been related to the keyring update to 2021.03.26 a few days ago.

Dimitri John Ledkov (xnox) wrote :

I can add a maintainer script to check and remove expired copies of 0xC8CAB6595FDFF622 and then, like, print a message that one needs to install ubuntu-dbgsym-keyring.

Unfortunately, I cannot automatically ask apt to install ubuntu-dbgsym-keyring if an expired dbgsym key is detected on disk =/
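
Added example (not part of the thread, and not the ubuntu-keyring maintainer script): a shell check for the situation discussed in the comments above, where a stale expired copy of C8CAB6595FDFF622 sits in /etc/apt/trusted.gpg next to the fixed copy in trusted.gpg.d/. It reads gpg's --with-colons listing; the function names and the three sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records in gpg --with-colons format (not captured output).
# Field 2 = validity ("e" = expired), field 5 = long key ID, field 7 = expiry epoch.
SAMPLE_EXPIRED='pub:e:4096:1:C8CAB6595FDFF622:1458518400:1616198400::-:::sc::::::23::0:'
SAMPLE_BUMPED='pub:-:4096:1:C8CAB6595FDFF622:1458518400:1647734400::-:::scSC::::::23::0:'
SAMPLE_FIXED='pub:-:4096:1:C8CAB6595FDFF622:1458518400:::-:::scSC::::::23::0:'

# key_status LONGID: read a colon listing on stdin and print one of
#   absent | expired | expires:<epoch> | no-expiry
# for the 16-hex-digit key ID. If several copies are listed, the worst wins.
key_status() {
    awk -F: -v id="$1" '
        $1 == "pub" && toupper($5) == toupper(id) {
            found = 1
            if ($2 == "e")          state = "expired"
            else if ($7 != "")      { if (state != "expired") state = "expires:" $7 }
            else if (state == "")   state = "no-expiry"
        }
        END { print (found ? state : "absent") }
    '
}

# scan_apt_keyrings LONGID: report every keyring apt trusts that holds the key.
# Returns 1 if any copy is expired, so it can gate a cleanup step.
scan_apt_keyrings() {
    rc=0
    for ring in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
        [ -f "$ring" ] || continue
        status=$(gpg --no-default-keyring --keyring "$ring" \
                     --with-colons --list-keys 2>/dev/null | key_status "$1")
        if [ "$status" != absent ]; then
            printf '%s\t%s\n' "$status" "$ring"
        fi
        if [ "$status" = expired ]; then
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed records; on a real system run instead:
#   scan_apt_keyrings C8CAB6595FDFF622
for rec in "$SAMPLE_EXPIRED" "$SAMPLE_BUMPED" "$SAMPLE_FIXED"; do
    printf '%s\n' "$rec" | key_status C8CAB6595FDFF622
done
```

An "expired" line for /etc/apt/trusted.gpg together with a "no-expiry" line for the trusted.gpg.d/ file is the duplicate-copy case; an "expires:" result means the installed keyring still carries an expiry date.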

Minx Ab (minxab) wrote :

As for #32 this might be helpful for some when it comes to:

sudo apt-key list | grep C8CAB6595FDFF622

do:

sudo APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn apt-key list | grep ...

to get print to STDOUT.

Besides that, I'm somewhat curious how this is an issue *now* when the bug is from 2021-03-20.
