Apt update fails on Debian Bullseye

Hello.
Recently apt update for Bullseye started to fail with expired GPG key:

...
Err:6 https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye bullseye InRelease
  The following signatures were invalid: EXPKEYSIG CAA5E9C8755D21A0 scott@zymbit.com
...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye bullseye InRelease: The following signatures were invalid: EXPKEYSIG CAA5E9C8755D21A0 scott@zymbit.com
W: Failed to fetch https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye/dists/bullseye/InRelease  The following signatures were invalid: EXPKEYSIG CAA5E9C8755D21A0 scott@zymbit.com

I’ve tried to remove /etc/apt/sources.list.d/zymbit.list file and re-run the latest install_zk_sw.sh.
It actually downloaded /usr/share/keyrings/zymbit.gpg and created /etc/apt/sources.list.d/zymbit.list in the new format.
However apt update still fails:

...
Err:7 https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye-aarch64 bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CAA5E9C8755D21A0
...
W: GPG error: https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye-aarch64 bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CAA5E9C8755D21A0
E: The repository 'https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye-aarch64 bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Note: URL changed and it looks like the signature does not match the downloaded key.

@afunix - Let me double-check this for you today. I think all you should need to do is update the local key if you already had everything installed.

curl -L https://zk-sw-repo.s3.amazonaws.com/apt-zymkey-pubkey.gpg | sudo gpg --dearmor --yes -o /usr/share/keyrings/zymbit.gpg

A clean install works for me, but I see the same thing with an apt update on an old install. In most cases, /etc/apt/sources.list.d/zymbit.list is already correct and all you need to do is pull the new key:

curl -L https://zk-sw-repo.s3.amazonaws.com/apt-zymkey-pubkey.gpg | sudo gpg --dearmor --yes -o /usr/share/keyrings/zymbit.gpg

To get an old install to work, I had to edit my /etc/apt/sources.list.d/zymbit.list. Make sure the signed-by option is included in /etc/apt/sources.list.d/zymbit.list,

This parameter - [signed-by=/usr/share/keyrings/zymbit.gpg]

The following will check and fix for you,

sudo sed -i 's/^deb https/deb [signed-by=\/usr\/share\/keyrings\/zymbit.gpg] https/' /etc/apt/sources.list.d/zymbit.list

Bob,

My zymbit.list looks like:

deb [signed-by=/usr/share/keyrings/zymbit.gpg] https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye-aarch64/ bullseye main

The key itself:

# md5sum /usr/share/keyrings/zymbit.gpg
455260a5db93cb9a113cac4df04916a0  /usr/share/keyrings/zymbit.gpg

Still apt update complains:

Err:7 https://zk-sw-repo.s3.amazonaws.com/apt-repo-bullseye-aarch64 bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY CAA5E9C8755D21A0

That key matches my working setup. Can you maybe try the deprecated method with apt-key? The new method runs fine with bullseye and later for me, but just in case…

sudo su
curl -L https://zk-sw-repo.s3.amazonaws.com/apt-zymkey-pubkey.gpg | apt-key add -

It complains apt-key is deprecated, but works, so apt update is successful.
So it looks like install_zk_sw.sh does not support Debian 11 anymore

Ok thanks. Like I said, I did a clean install_zk_sw.sh on Debian 11 to verify the new key worked.