After searching around for a long time, I finally found a specific package I needed to install for a VM setup of an intentionally vulnerable machine. The package in question is openssl 1.0.2-1 and I am having a lot of trouble trying to install it. The package is located in https://snapshot.debian.org/archive/debian/20150123T220434Z. I have already added a deb entry for the snapshot repo in my sources.list.d/ and added the necessary key with apt-key, but now I am getting the following error when running sudo apt update:
Err:9 https://snapshot.debian.org/archive/debian/20150123T220434Z unstable InRelease
The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
Reading package lists... Done
W: GPG error: https://snapshot.debian.org/archive/debian/20150123T220434Z unstable InRelease: The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
E: The repository 'https://snapshot.debian.org/archive/debian/20150123T220434Z unstable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
I'm not sure how to deal with this, as I think that I've already added the key. If someone could point me in the right direction on how to fix this, that would be great. Alternatively, maybe there is a better way of installing these obsolete(?) packages, since I'm going to be doing this sort of thing repeatedly for my setup.
Acquire::Check-Valid-Until no in apt configuration. See, e.g., what the user does in https://unix.stackexchange.com/q/600510/70524 – muru Aug 04 '20 at 02:24
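
Added example (not part of the original question or comment): a small shell helper that reads `apt update` output and reports which gpgv status code each signature failure carries. It shows that `EXPKEYSIG` means the key was found in the keyring but has expired, which is a different situation from a missing key (`NO_PUBKEY`). The function names and the `NO_PUBKEY` sample line with its all-zero key ID are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage apt signature failures by gpgv status code.
# Reads `apt update` output on stdin and prints one line per distinct
# failure in the form "<STATUS> <KEYID> <meaning>".
classify_apt_sig_errors() {
    grep -oE '(EXPKEYSIG|EXPSIG|REVKEYSIG|BADSIG|NO_PUBKEY) [0-9A-F]{16,40}' |
    sort -u |
    while read -r status keyid; do
        case "$status" in
            EXPKEYSIG) meaning="good signature, but the signing key in the keyring has expired" ;;
            EXPSIG)    meaning="good signature, but the signature itself has expired" ;;
            REVKEYSIG) meaning="good signature, but the signing key has been revoked" ;;
            BADSIG)    meaning="signature does not match the signed data" ;;
            NO_PUBKEY) meaning="signing key is not present in any trusted keyring" ;;
        esac
        printf '%s %s %s\n' "$status" "$keyid" "$meaning"
    done
}

# Sample input: the Err:/W: lines from the question, plus one constructed
# NO_PUBKEY line (placeholder key ID, hypothetical repository) for contrast.
sample_output() {
    cat <<'EOF'
Err:9 https://snapshot.debian.org/archive/debian/20150123T220434Z unstable InRelease
  The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
W: GPG error: https://snapshot.debian.org/archive/debian/20150123T220434Z unstable InRelease: The following signatures were invalid: EXPKEYSIG 8B48AD6246925553 Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
W: GPG error: https://example.invalid/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0000000000000000
EOF
}

# Stand-alone run: print the classification for the sample input.
sample_output | classify_apt_sig_errors
```

On a real system, pipe the live output in instead: `sudo apt update 2>&1 | classify_apt_sig_errors`.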