Fix “apt-get update” error and “apt-key list” error in WSL

Fix “apt-get update” error and “apt-key list” error in WSL


Any of these errors in Windows Subsystem for Linux (WSL) can be fixed using the solution in this article! They occur during running “apt-get update“, “apt update“, “apt-key list” or “apt-key update“.

Error 1:

Err:1 kali-rolling InRelease
The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <>

Error 2:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: kali-rolling InRelease: The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <>

Error 3:

W: Failed to fetch The following signatures were invalid: EXPKEYSIG ED444FF07D8D0BF6 Kali Linux Repository <>

Error 4:

W: Some index files failed to download. They have been ignored, or old ones used instead.

Error 5:

E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation


The first 4 ERRORS were thrown after attempting to perform an update of a “Kali Linux Rolling” distribution on WSL. This was done just after running an install on Windows CMD as evident in the screenshot below;

wsl --list --online
wsl --install --distribution kali-linux



The 4 errors referred to above occurred after running the following update commands as “root“;

apt-get update
apt update


The last [5th] error occurred after running the following commands as “root“;

apt-key list
apt-key update


What the 5th error means is that you cannot view the GPG keys installed in the WSL Kali Linux Rolling distro. What it also means is that you can as well NOT automatically fix the GPG Key && Signature Errors! You have to Know and Go the hard way. So, let’s get to it…


There are two methods to FIX the issues presented here:

[Method 1]

This 1st method involves downloading and adding a Trusted GPG key, manually placed in the right directory. To check for installed Trusted GPG keys, run;

ls /etc/apt/trusted.gpg.d/

Now, we need to download the latest Kali GPG key into the same directory as the above command. The command “wget” is used for that;

wget -O /etc/apt/trusted.gpg.d/archive-key-kali.asc

Note that the above command throws an exception;


Resolving (, 64:ff9b::c063:2d8c
Connecting to (||:443... connected.
ERROR: The certificate of '' is not trusted.
ERROR: The certificate of '' has expired.

The reason for this is the TLS/SSL certificate in the URL. So, to fix this, change “https://” to http://” to get;

wget -O /etc/apt/trusted.gpg.d/archive-key-kali.asc


Now checking in the directory for Trusted GPG keys, “/etc/apt/trusted.gpg.d/” we can see that a new ASCII format key (.asc) file is present [archive-key-kali.asc];

ls /etc/apt/trusted.gpg.d/

The screenshot below shows that now, “apt update” runs successfully;

apt update


[Proof of Concept]

To prove that the above fix actually worked, you can remove the .asc above and again try to run “apt update“. You should run into similar errors as before. Call this a Proof of Concept (PoC);

rm /etc/apt/trusted.gpg.d/archive-key-kali.asc
apt update



[Method 2]

This 2nd method involves downloading and installing a KEYRING, automatically placed in the right directory. Start by downloading the keyring package, a Debian (.deb) file;



Next, install the package;

dpkg --install kali-archive-keyring_2022.1_all.deb


After successful installation, if curious about where the keyring was installed, run the following commands:

To check the details of the package, and most importantly the package name which you need to check the install location, run;

dpkg --info kali-archive-keyring_2022.1_all.deb

To list files/directories owned by the package, run;

dpkg -L kali-archive-keyring


From the results of the last command it is easy to locate the location of the keyring::


Now running the “apt-get update” command, it should run successfully!



[Proof of Concept]

As previously done, you can perform a Proof of Concept (PoC) to determine if it is this specific keyring that worked.

We know that the actual name of the package is “kali-archive-keyring“. With this, we can completely remove the package and all its configurations using “dpkg” utility, then try to run “apt-get update” command (which should not complete successfully);

dpkg --purge kali-archive-keyring
apt-get update


As seen above, the PoC works! Now, we can fix this using Method 1 above (and it must work, besides we have a PoC!);

wget -O /etc/apt/trusted.gpg.d/archive-key-kali.asc


Now with the two methods working to eliminate “apt update” (“sudo apt update“) as well as “apt-get update” (or “sudo apt-get update“) errors, you can now update the list of your Windows Subsystem for Linux (WSL) distribution’s pakages and then perform a full upgrade;

apt full-upgrade
sudo apt full-upgrade

apt full-upgrade -y
sudo apt full-upgrade -y



Fix “apt-get update” error and “apt-key list” error in WSL
WSL | thetqweb