Adding extended LTS repositories to APT
Installing the freexian archive GPG key
The extended LTS repositories are signed with the following GPG key:
sec rsa4096 2018-05-28 [SC] [expires: 2027-12-05]
AB597C4F6F3380BD4B2BEBC2A07310D369055D5A
uid [ultimate] Extended LTS Repository <sysadmin@freexian.com>
To enable this key in your APT configuration, you have the following choices:
- manually install the freexian-archive-keyring package with
wget https://deb.freexian.com/extended-lts/pool/main/f/freexian-archive-keyring/freexian-archive-keyring_2022.06.08_all.deb && sudo dpkg -i freexian-archive-keyring_2022.06.08_all.deb
- manually fetch the key with
sudo wget https://deb.freexian.com/extended-lts/archive-key.gpg -O elts-archive-key.gpg && sudo mv elts-archive-key.gpg /etc/apt/trusted.gpg.d/freexian-archive-extended-lts.gpg
If you have certificate validation issues with the above commands, please retry the download step with wget --no-check-certificate ... and run the second command only after having ensured that the SHA256 checksum of the downloaded file matches the corresponding checksum listed below:
$ sha256sum freexian-archive-keyring_2022.06.08_all.deb
a8160d1aa1a40aa9988bf0b389b650550c7460ec3b4ec1d847778fe44b9c4dbc freexian-archive-keyring_2022.06.08_all.deb
or
$ sha256sum elts-archive-key.gpg
a0b22152fdf1942f49cc1559ec4598bae8d8954da9ed38662d15b97a60909db8 elts-archive-key.gpg
Finally, you might want to double check that the archive key fingerprint displayed by apt-key finger matches the one shown above.
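The checksum gate described above can be scripted so that the key is never copied into APT's trusted directory unless its digest matches. This is an added example, not part of Freexian's instructions; the function names and the "install" argument are hypothetical, and the URL, destination path and SHA256 value are the ones listed on this page.

```shell
#!/bin/sh
# Added example: install the ELTS archive key only if its SHA256 matches.
# The expected digest is the one this page lists for elts-archive-key.gpg.
ARCHIVE_KEY_SHA256=a0b22152fdf1942f49cc1559ec4598bae8d8954da9ed38662d15b97a60909db8
KEY_URL=https://deb.freexian.com/extended-lts/archive-key.gpg
KEY_DEST=/etc/apt/trusted.gpg.d/freexian-archive-extended-lts.gpg

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or unreadable.
verify_sha256() {
    { [ -f "$1" ] && [ -r "$1" ]; } || { echo "cannot read $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$2" ]; then
        echo "SHA256 mismatch for $1" >&2
        echo "  expected: $2" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# fetch_and_install_key (hypothetical helper): download as the current user
# into a private temp dir, even without certificate validation, and use sudo
# only for the final copy, which happens only after the digest check passes.
fetch_and_install_key() {
    tmp=$(mktemp -d) || return 2
    rc=1
    if wget --no-check-certificate -q "$KEY_URL" -O "$tmp/elts-archive-key.gpg" &&
       verify_sha256 "$tmp/elts-archive-key.gpg" "$ARCHIVE_KEY_SHA256" &&
       sudo install -m 0644 "$tmp/elts-archive-key.gpg" "$KEY_DEST"; then
        rc=0
    fi
    rm -rf "$tmp"    # an unverified download never outlives this function
    return $rc
}

# Nothing is downloaded unless asked for, e.g.:  sh elts-key.sh install
case "${1:-}" in
    install) fetch_and_install_key ;;
esac
```
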
sources.list entries for APT
For Debian 8 jessie
Here’s what you should put in /etc/apt/sources.list.d/extended-lts.list:
deb http://deb.freexian.com/extended-lts jessie-lts main contrib non-free
Note that this repository only contains the security updates, not all packages from Debian 8. If you want all packages from Debian 8, you should keep another repository pointing to a Debian 8 mirror.
We do provide a repository combining all Debian 8 packages and our security updates, but please use it only for small setups, or mirror it:
deb http://deb.freexian.com/extended-lts jessie main contrib non-free
For Debian 9 stretch
Here’s what you should put in /etc/apt/sources.list.d/extended-lts.list:
deb http://deb.freexian.com/extended-lts stretch-lts main contrib non-free
Note that this repository only contains the security updates, not all packages from Debian 9. If you want all packages from Debian 9, you should keep another repository pointing to a Debian 9 mirror.
We do provide a repository combining all Debian 9 packages and our security updates, but please use it only for small setups, or mirror it:
deb http://deb.freexian.com/extended-lts stretch main contrib non-free
For Debian 10 buster
Here’s what you should put in /etc/apt/sources.list.d/extended-lts.list:
deb http://deb.freexian.com/extended-lts buster-lts main contrib non-free
Note that this repository only contains the security updates, not all packages from Debian 10. If you want all packages from Debian 10, you should keep another repository pointing to a Debian 10 mirror.
We do provide a repository combining all Debian 10 packages and our security updates, but please use it only for small setups, or mirror it:
deb http://deb.freexian.com/extended-lts buster main contrib non-free
Be nice, use local mirrors/caches
There are currently no public mirrors of this service and it runs on a single dedicated server. If you have many machines to keep secure, please make a local mirror (or use some cache) and point your machines to your local mirror (or cache) instead of pointing them to the repositories provided by Freexian.
GPG Key Expiry
During the lifetime of Debian ELTS releases, the Debian archive GPG key used to sign the release is likely to expire. APT will throw an error like this:
W: GPG error: http://archive.debian.org jessie Release: The following signatures were invalid: KEYEXPIRED 1587841717
Our recommended solution here is to use our full repository (stretch or jessie), combining all packages with our security updates.
Alternatively, on stretch and more recent, you can configure APT to ignore the error by using gpgvnoexpkeysig from mmdebstrap as the Apt::Key::gpgvcommand.