Kali Linux Users Warned of Update Failures Due to Lost Repository Signing Key

Offensive Security has issued a warning to users of Kali Linux regarding significant update failures following the loss of a critical repository signing key. Users are advised to manually install a new signing key to ensure continued access to software updates.

The previous signing key, identified as ED444FF07D8D0BF6, has been deprecated and replaced with a new key (ED65462EC8D5E4C5), signed by Kali Linux developers. This change was necessary as the old key was lost, although it was not compromised. Users attempting to update their systems with the old key are likely to encounter errors citing a missing public key required for signature verification.

Offensive Security has indicated that the repository was frozen on February 18th to prevent users from being impacted during this transition. The company acknowledged its error in its official blog post, stating, “In the coming day(s), pretty much every Kali system out there will fail to update… This is entirely our fault. We lost access to the signing key of the repository, so we had to create a new one.”

To avert such update failures, users are urged to manually download and install the new signing key using the command provided by Offensive Security. For those who prefer not to update the key manually, Offensive Security suggests reinstalling Kali with the latest images, which come preloaded with the new keyring. This is not the first time Kali users have had to intervene manually; a similar situation occurred in February 2018 when the GPG key expired, necessitating another manual update, as referenced in a previous tweet.
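To tell this specific failure apart from other signature errors, the following added example (not from Offensive Security or the original article) classifies `apt` output and a `gpg --with-colons` keyring listing against the two key IDs quoted above. The function names, status strings and sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Key IDs exactly as quoted in the article.
OLD_KEY="ED444FF07D8D0BF6"
NEW_KEY="ED65462EC8D5E4C5"

# Read apt output on stdin; print each key ID reported after "NO_PUBKEY".
missing_keys() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "NO_PUBKEY" && $(i+1) ~ /^[0-9A-Fa-f]+$/)
                 print toupper($(i+1)) }' | sort -u
}

# Read `gpg --with-colons` output on stdin; print primary key IDs
# (field 5 of each "pub" record).
keyring_ids() {
    awk -F: '$1 == "pub" { print toupper($5) }'
}

# classify <apt_output> <keyring_listing>  -> prints one status word
classify() {
    missing=$(printf '%s\n' "$1" | missing_keys)
    ids=$(printf '%s\n' "$2" | keyring_ids)
    has_new=no
    if printf '%s\n' "$ids" | grep -qx "$NEW_KEY"; then has_new=yes; fi

    if printf '%s\n' "$missing" | grep -qx "$NEW_KEY"; then
        # apt wants the new key: either it is absent, or apt reads another keyring
        if [ "$has_new" = yes ]; then echo "new-key-present-but-unused"
        else echo "needs-new-key"; fi
    elif [ -n "$missing" ]; then
        echo "unrelated-key-missing"
    elif [ "$has_new" = yes ]; then
        echo "ok"
    else
        echo "new-key-absent"
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_APT="W: GPG error: http://mirror.example/kali kali-rolling InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY $NEW_KEY"
OLD_LISTING="pub:-:4096:1:$OLD_KEY:1325376000:::-:::scSC::::::23::0:"
NEW_LISTING="pub:-:4096:1:$NEW_KEY:1744848000:::-:::scSC::::::23::0:"

# Real use (the keyring path is a placeholder):
#   classify "$(apt-get update 2>&1)" \
#            "$(gpg --show-keys --with-colons /path/to/keyring.gpg)"
```

A 16-character key ID is only a short handle; before trusting a downloaded keyring, compare its full fingerprint or file checksum against the value the project publishes.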