TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/tutorial/Update-Kali-Linux-to-the-latest-software-repository-key

Update Kali Linux to the latest software repository key

By Damon Garn

Two key benefits of open source software are how relatively easy it is for developers to modify code and how quickly users can acquire the updated applications. Unfortunately, this approach also leaves software vulnerable to malicious tampering and untested updates.

To combat this problem, vendors use a public-private key pair to digitally sign software repositories, thereby mitigating unauthorized code changes. This is an essential part of application security for all Linux users.

The process of digitally signing the repository looks like this:

1. The repository is hashed, and the hash is digitally signed (encrypted) with the repository's private key.
2. When users update Kali, the system uses the related public key to decrypt the signature and verify the hashes match.
3. If the hashes match, the software is confirmed as authentic and unchanged.

In April 2025, the maintainers of Kali Linux -- a popular distro focused on security auditing and penetration testing -- lost access to the signing key used to guarantee the authenticity of software in the Kali repositories. The team generated a new key pair, but existing Kali installations that relied on the older key received errors anytime users tried to install or update their software.

As a result, users must download a new Kali Linux repository key before they can properly manage applications on their Kali installation.

Let's look at how to identify if your Kali instance needs a new key and, if so, how to update it.

How to identify if your installation needs a new key

Identifying whether your Kali Linux installation needs a new key is pretty straightforward. If you installed Kali before April 2025, you likely have the outdated key. Because the key is incorrect, you will see one of the following errors when attempting to install or update software from the Kali repositories:

• The following signatures couldn't be verified because the public key is not available.
• Missing key ... which is needed to verify signature.
• An error occurred during the signature verification.

You could also see errors if you run automated scripts or tasks to update the system. Check for these errors in the /var/log directory or wherever the automation software stores its log files.

You might run into these errors in the following situations:

• If you have a fresh installation of a Kali Linux version prior to April 2025 and attempt to update the OS and applications.
• If you have an existing Kali Linux installation prior to April 2025 and you attempt to update the OS and applications.

Users with Kali Linux 2025.1c or newer already have the new key, and no action is needed.

Note, you might have more Kali Linux installations around than you realize. It's a common version of the OS for administrators, developers and security professionals to experiment with. Check the following systems for Kali Linux installations that might contain the old key:

• Laptops or other pen testing workstations.
• Lab or classroom environment installations used for training and certification prep.
• Cloud deployments.
• VM installations on admin workstations.
• Container deployments.
• Live boot DVD or storage disk images.
• Windows Subsystem for Linux installations on Windows servers.

Kali Linux is less likely to be used as a server OS or installed on standard user computers. It's a specialized Linux distribution most often used by security professionals.

How to download the new key

The fix is to download the new Kali Linux repository key and add it to the Kali Linux distribution's keyring. Accomplish this with the following command:

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg

If you prefer to use curl instead of wget to download the key, type:

sudo curl https://archive.kali.org/archive-keyring.gpg -o /usr/share/keyrings/kali-archive-keyring.gpg

The process is quick. Once you complete it, update the system using the standard apt-get commands. This can take several minutes if you haven't updated the installation in a while. You can also install any new software you need from the Kali repositories.

$ sudo apt-get update

$ sudo apt-get install nmap

The updates and installations will proceed as normal. The key-checking process is automated; you won't need to run additional commands.

If you want to view the keyring, type the following command:

gpg --no-default-keyring --keyring /usr/share/keyrings/kali-archive-keyring.gpg -k

Updating the key will have no other effect on your system.

Software management best practices

Digitally signing software and software repositories is critical to system security. It is equally crucial that end users keep their OSes and applications up to date. Integrate the following best practices into your Linux software management process:

• Keep all software current and patched.
• Only acquire software from trusted sources with digitally signed installations.
• Automate software updates when possible.
• Maintain application version control.
• Monitor software installation processes.
• Configure alerting for failed software installation attempts.
• Carefully control internal software repositories.
• Conduct vulnerability scans for out-of-date applications.
• Ensure only authorized users can install and update applications.

Tamper-free and trusted software

Digitally signed software is a critical part of the application distribution infrastructure. Security and Linux admins must understand the role it plays in ensuring tamper-free and trusted software.

Kali Linux users tend to be particularly cautious and aware of such security practices. Update the key on your Linux systems immediately so that you can keep the OS and applications current with security fixes and feature enhancements.

Be aware that Kali Linux is not the only distribution or software source that faces this challenge. You could run into this problem with other vendors, so be on the lookout for similar errors. If you encounter them, you now have the knowledge you need to address the issue.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.