Adding extended LTS repositories to APT
Installing the freexian archive GPG key
The extended LTS repositories are signed with the following GPG key:
sec rsa4096 2018-05-28 [SC] [expires: 2027-12-05] AB597C4F6F3380BD4B2BEBC2A07310D369055D5A uid [ultimate] Extended LTS Repository <firstname.lastname@example.org>
To enable this key in your APT configuration, you have the following choices:
- manually install the freexian-archive-keyring package with
wget https://deb.freexian.com/extended-lts/pool/main/f/freexian-archive-keyring/freexian-archive-keyring_2022.06.08_all.deb && sudo dpkg -i freexian-archive-keyring_2022.06.08_all.deb
- manually fetch the key with
sudo wget https://deb.freexian.com/extended-lts/archive-key.gpg -O elts-archive-key.gpg && sudo mv elts-archive-key.gpg /etc/apt/trusted.gpg.d/freexian-archive-extended-lts.gpg
If you have certificate validation issues with the above commands, please retry
the download step with
wget --no-check-certificate ... and run the second command
only after having ensured that the SHA256 checksum of the downloaded file
matches the corresponding checksum listed below:
$ sha256sum freexian-archive-keyring_2022.06.08_all.deb a8160d1aa1a40aa9988bf0b389b650550c7460ec3b4ec1d847778fe44b9c4dbc freexian-archive-keyring_2022.06.08_all.deb
$ sha256sum elts-archive-key.gpg a0b22152fdf1942f49cc1559ec4598bae8d8954da9ed38662d15b97a60909db8 elts-archive-key.gpg
Finally, you might want to double check that the archive key fingerprint
apt-key finger matches the one shown above.
sources.list entries for APT
For Debian 8 jessie
Here’s what you should put in
deb http://deb.freexian.com/extended-lts jessie-lts main contrib non-free
Note that this repository only contains the security updates, not all packages from Debian 8. If you want all packages from Debian 8, you should keep another repository pointing to a Debian 8 mirror.
We do provide a repository combining all Debian 8 packages and our security updates, but please use it only for small setups, or mirror it:
deb http://deb.freexian.com/extended-lts jessie main contrib non-free
For Debian 9 stretch
Here’s what you should put in
deb http://deb.freexian.com/extended-lts stretch-lts main contrib non-free
Note that this repository only contains the security updates, not all packages from Debian 9. If you want all packages from Debian 9, you should keep another repository pointing to a Debian 9 mirror.
We do provide a repository combining all Debian 9 packages and our security updates, but please use it only for small setups, or mirror it:
deb http://deb.freexian.com/extended-lts stretch main contrib non-free
Be nice, use local mirrors/caches
There are currently no public mirrors of this service and it runs on a single dedicated server. If you have many machines to keep secure, please make a local mirror (or use some cache) and point your machines to your local mirror (or cache) instead of pointing them to the repositories provided by Freexian.
GPG Key Expiry
During the lifetime of Debian ELTS releases, the Debian archive GPG key used to sign the release is likely to expire. APT will throw an error like this:
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717
Our recommended solution here is to use our full repository (
jessie), combining all packages with our security updates.
stretch and more recent, you can configure APT to ignore the
error by using
mmdbootstrap as the