A Solution to the “emacs expired key” issue when running “M-x list-packages”.
When trying to install a package with “M-x package-install”, or list the available packages with “M-x list-packages”, you get this error:
Failed to verify signature archive-contents.sig:
No public key for 645357D2883A0966 created at 2025-10-13T17:10:04-0400 using EDDSA
Command output:
gpg: Signature made Mon 13 Oct 2025 05:10:04 PM EDT
gpg: using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
gpg: Can't check signature: No public key
The problem is that the GPG key for elpa.gnu.org has expired, so packages can't be updated. To update the key, you need to install the gnu-elpa-keyring-update package, which you can't do, because the GPG key has expired.
It's a chicken and egg issue.
The solution is to turn off GPG security just long enough to install the new key.
First, verify the issue. This step is optional, but it will give you peace of mind.
From a shell, run: “gpg --homedir ~/.emacs.d/elpa/gnupg --list-keys”
/home/your.name/.emacs.d/elpa/gnupg/pubring.kbx
--------------------------------------------
pub dsa2048 2014-09-24 [SC] [expired: 2019-09-23]
CA442C00F91774F17F59D9B0474F05837FBDEF9B
uid [ expired] GNU ELPA Signing Agent (2014) <elpasign@elpa.gnu.org>
pub rsa3072 2019-04-23 [SC] [expired: 2024-04-21]
C433554766D3DDC64221BFAA066DAFCB81E42C40
uid [ expired] GNU ELPA Signing Agent (2019) <elpasign@elpa.gnu.org>
You should see one or more keys from elpasign@elpa.gnu.org. In the case above, notice they're both expired. That's the problem to fix.
Start a pristine instance of emacs. A pristine instance keep any local config options from stomping around.
emacs -q
List the packages with “M-x list-packages”. The command should fail, but running it will load the “package” module.
Verify that GPG security is on by checking the package-check-signature variable in the *scratch* buffer.
package-check-signature
The results are usually “allow-unsigned”, but anything besides “nil” means security is on.
Turn off GPG checking by running this 1 line program in the *scratch* buffer.
(setq package-check-signature nil)
Refresh the package list with “M-x list-packages”. This time it should run with no errors.
Now to update the GPG key.
Search the *Packages* buffer for the “gnu-elpa-keyring-update” package.
Press <RETURN> to see its description. The description should be something like “Update Emacs's GPG keyring for GNU ELPA”.
Use “i” to mark the package for install.
Use “x” to execute the install.
It will prompt you to install the package. Type “y” to do the install.
From the shell, verify that only thing that got updated is the new elpasign key.
gpg --homedir ~/.emacs.d/elpa/gnupg --list-keys
/home/your.name/.emacs.d/elpa/gnupg/pubring.kbx
--------------------------------------------
pub dsa2048 2014-09-24 [SC] [expired: 2019-09-23]
CA442C00F91774F17F59D9B0474F05837FBDEF9B
uid [ expired] GNU ELPA Signing Agent (2014) <elpasign@elpa.gnu.org>
pub rsa3072 2019-04-23 [SC] [expired: 2024-04-21]
C433554766D3DDC64221BFAA066DAFCB81E42C40
uid [ expired] GNU ELPA Signing Agent (2019) <elpasign@elpa.gnu.org>
pub ed25519 2022-12-28 [C] [expires: 2032-12-25]
AC49B8A5FDED6931F40EE78BF993C03786DE7ECA
uid [ unknown] GNU ELPA Signing Agent (2023) <elpasign@elpa.gnu.org>
sub ed25519 2022-12-28 [S] [expires: 2032-12-25]
sub ed25519 2024-10-22 [S] [expires: 2034-10-20]
Note the new key that expires in 2032-12-25 and no unexpected keys are found.
To restore the GPG security, just exit and restart emacs. You can verify that security is back by checking “package-check-signature” variable in *scratch*. It should be the same as when you checked it earlier.
Run “M-x list-packages”. The packages should list normally, and you should be good to go.
No comments:
Post a Comment