Fixing 1Password GPG Key Expiry Issues on Linux


I recently hit an issue when trying to upgrade 1Password on my Linux system (I’m running Fedora 41, but this affects all Linux distributions). Despite being on 1Password version 8.10.75, which should have automatically updated the GPG key according to 1Password’s own guidance, I couldn’t upgrade to version 8.10.78.

Here’s how I fixed it.

The Background

Back in early 2025, 1Password sent out an email warning Linux users about an expiring GPG key:

On May 16, 2025, the public key that certifies updates for 1Password for Linux is expiring.

The email stated that users running version 8.10.74 or later wouldn’t need to take any action - the key would update automatically.

To ensure that 1Password for Linux users can continue to update 1Password beyond this date, we recommend that 1Password for Linux users update 1Password before May 16. This will ensure that the public key is automatically updated with a new expiry date of May 16, 2032. No action is required for users who’ve already updated 1Password for Linux to version 8.10.74 or later.

I was running 8.10.75, so I thought I was good to go.

The Problem

When running my regular package upgrade, I got this error:

Transaction failed: Signature verification failed.
OpenPGP check for package "1password-8.10.78-1.x86_64" (/var/cache/libdnf5/1password-ae82278eaa4b2446/packages/1password-8.10.78.x86_64.rpm) from repo "1password" has failed: Problem occurred when opening the package.

The upgrade was failing because the GPG key used to verify the 1Password package had expired, despite supposedly being automatically updated.

The Solution

Here’s what I did to fix it:

1. Find the Expired GPG Key

First, I needed to identify which GPG key belonged to 1Password:

sudo rpm -qi gpg-pubkey

(On Debian / Ubuntu systems, you’d use apt-key list instead).

This listed all GPG keys on my system. I found the 1Password key by looking for the relevant Packager field:

Name        : gpg-pubkey
Version     : 2012ea22
Release     : 591e021e
Architecture: (none)
Install Date: Thu 09 Jan 2025 08:51:03 GMT
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Thu 18 May 2017 21:20:46 BST
Build Host  : localhost
Packager    : Code signing for 1Password <[email protected]>
Summary     : Code signing for 1Password <[email protected]> public key
Description :

Notice the Build Date of 2017 - this was definitely the old key that needed replacing.

2. Remove the Old Key

With the key identified (version 2012ea22 and release 591e021e), I removed it:

sudo rpm -e gpg-pubkey-2012ea22-591e021e

(On Debian / Ubuntu use sudo apt-key del 2012EA22).

3. Import the New Key

Then I imported the updated key directly from 1Password:

sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc

(On Debian / Ubuntu use curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo apt-key add -).

4. Upgrade Successfully

After that, I could successfully upgrade 1Password to version 8.10.78 without issues.
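
Step 3 imports the key straight from a URL, so before running rpm --import it is worth confirming that the downloaded file carries the key ID seen in step 1 and an expiry date in the future. The shell function below is an added example, not part of the original post; the key_status helper and the sample records are constructed for illustration, and it assumes GnuPG's colon-delimited listing format.

```shell
#!/bin/sh
# Added example (not from the original post): classify a signing key from
# `gpg --show-keys --with-colons` output before importing it into rpm.

# Usage: key_status SHORT_ID NOW_EPOCH  < colon-records
# Prints one of: ok | expired | mismatch | nokey
key_status() {
    awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" -v now="$2" '
        $1 == "pub" {
            seen = 1
            keyid = toupper($5)
            # Field 5 is the 64-bit key ID; rpm shows its last 8 hex digits
            # as the gpg-pubkey Version (2012ea22 in the listing above).
            if (substr(keyid, length(keyid) - 7) != want) { next }
            match_found = 1
            # Field 7 is the expiry in epoch seconds; empty means no expiry.
            if ($7 != "" && $7 + 0 <= now + 0) expired = 1
        }
        END {
            if (!seen)             print "nokey"
            else if (!match_found) print "mismatch"
            else if (expired)      print "expired"
            else                   print "ok"
        }'
}

# Constructed sample records (not real gpg output): one key ID before and
# after its expiry was extended. The creation time is the Release value
# 591e021e read as a hex epoch; the expiries are midnight UTC on
# 16 May 2025 and 16 May 2032. The leading AAAAAAAA is a placeholder.
OLD_KEY='pub:e:4096:1:AAAAAAAA2012EA22:1495138846:1747353600::-:::sc::::::23::0:'
NEW_KEY='pub:-:4096:1:AAAAAAAA2012EA22:1495138846:1968278400::-:::sc::::::23::0:'

# Evaluate both records as of a fixed time in June 2025.
printf '%s\n' "$OLD_KEY" | key_status 2012ea22 1750000000   # expired
printf '%s\n' "$NEW_KEY" | key_status 2012ea22 1750000000   # ok

# Real use (assumes curl and GnuPG 2.2+ are installed):
#   curl -fsS https://downloads.1password.com/linux/keys/1password.asc -o 1password.asc
#   gpg --show-keys --with-colons 1password.asc | key_status 2012ea22 "$(date +%s)"
#   # import only if that printed "ok":  sudo rpm --import 1password.asc
```

A "mismatch" result means the file does not contain the key ID you expected, in which case the import should not go ahead until the source has been checked.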

Summary

Despite 1Password’s assurance that version 8.10.74 and later would automatically update the GPG key, it didn’t work for me and left me with expired keys that blocked updates.

If you’re hitting GPG signature verification errors when trying to update 1Password, you’ll need to manually remove the old key and import the new one. It’s a quick fix once you know what to look for, but it’s frustrating that the automatic process didn’t work as advertised.

Have you hit similar GPG key issues with other software? Let me know in the comments.