Have you ever had to update a virtual machine that has been left behind for a few months, just to find out that it won’t upgrade? In this article, we show you how to upgrade a Kali VM to the latest available version and resolve repo and key issues.
For our demo, we used a Kali Linux 2024.4 VM that was hosted on a server that was unplugged in Canada, physically moved to Spain, and restarted several months later.
Safe upgrade procedure
Upgrading Kali Linux safely, especially in a VM that hasn’t been updated over an extended period of time, requires a few key precautions so that tools, repos, and configurations don’t break in the process.
What follows is a low-risk upgrade path from Kali 2024.4 to the latest available version of Kali (in our case, 2025.3).
Step 1. Check your current setup
Before you start anything, take a full snapshot of your VM (or clone it, or do a complete backup). Then, power up your pre-upgrade copy and confirm what Kali version it is.
cat /etc/os-release
uname -a
Shut down the machine and, if you had no issues, power up the VM you want to upgrade.
Step 2. Clean and Verify Package Sources
The Kali repositories change slightly between major releases. Open your /etc/apt/sources.list – you can use nano or vim as a text editor, or use the visual editor of your choice; in the demo, we use Pluma:
sudo nano /etc/apt/sources.list
Replace you main repo with the following:
deb http://http.kali.org/kali kali-rolling main non-free contrib
sudo apt clean
sudo apt update
Step 3. Remove obsolete packages
This step is optional, but it’s recommended because cleaning up old dependencies reduces upgrade problems:
sudo apt autoremove --purge
sudo apt autoclean
Step 4. Perform the rolling upgrade
If the system didn’t return any error, you can now perform your upgrade:
sudo apt update && sudo apt full-upgrade -y
- Always use full-upgrade instead of dist-upgrade: it’s the Kali-preferred method for rolling updates since it properly handles replaced or removed packages.
Step 5. Reboot and verify
When the upgrade finishes, reboot your system and check once again the version of your system: you should now see the latest available:
sudo reboot
cat /etc/os-release
uname -r
Step 6. Post-upgrade cleanup and validation
Finally, take the time to perform a few additional steps to make sure that everything is working correctly.
Check for any held packages:
sudo apt-mark showhold
If any appear, you can un-hold selectively:
sudo apt-mark unhold <package>
Run diagnostics:
sudo apt --fix-broken install
sudo dpkg --configure -a
Make sure core tools are still working:
msfconsole --version
<a href="https://negativepid.blog/how-to-become-a-bug-bounty-hunter/">nmap</a> --version
python3 --version
If the kernel didn’t update automatically:
sudo apt install -y linux-image-amd64 linux-headers-amd64
sudo reboot
How to fix the most common issues
In real life, the safe upgrade procedure detailed above might not go smoothly. When you are several versions behind, you might encounter a number of common issues, from the classic 404 Not Found issue, to missing keys.
In the demo below, you will see how we hit a roadblock at step #2 of the procedure, when we tried to update the system.
Here is how fixed them:
Step 1. Fixing the 404 Not Found error
First, clean your APT cache and metadata by clearing the outdated package index that refers to the missing files:
sudo rm -rf /var/lib/apt/lists/*
sudo apt clean
sudo apt update
If the update fails, you might want to switch to a different Kali mirror: The default http.kali.org is a redirector; sometimes it points you to a stale mirror (especially during big version transitions).
In this case, you can select a faster, live mirror:
sudo nano /etc/apt/sources.list
Replace everything with just one of the following, based on your (new) region:
# Canada:
deb http://mirror.csclub.uwaterloo.ca/kali kali-rolling main non-free contrib
# United States:
deb http://kali.download/kali kali-rolling main non-free contrib
# Europe:
deb http://ftp.halifax.rwth-aachen.de/kali kali-rolling main non-free contrib
Then:
sudo apt clean
sudo apt update
If everything worked fine, you can now retry the upgrade.
Step 2. Fixing the signing keys
In our demo, we weren’t so lucky: after we cleared the package index, we couldn’t proceed with the update because we received a missing key error.
First, we cleaned up the old keys (in the command, we used old expired keys):
sudo apt-key del 44C6E5B39071E36C 2>/dev/null || true
sudo apt-key del ED65462EC8D5E4C5 2>/dev/null || true
We then imported the new Kali Linux public keys (Kali now distributes it via archive-keyring and directly via HTTPS):
sudo apt install -y curl gnupg
curl -fsSL https://archive.kali.org/archive-key.asc | sudo gpg --dearmor -o /usr/share/keyrings/kali-archive-keyring.gpg
Then verify the key file exists:
ls -l /usr/share/keyrings/kali-archive-keyring.gpg
Update your repository definition to use that key by editing your sources.list file:
sudo nano /etc/apt/sources.list
Replace any existing line with this signed-by syntax (this is the modern, secure way):
deb [signed-by=/usr/share/keyrings/kali-archive-keyring.gpg] http://http.kali.org/kali kali-rolling main non-free contrib
Or use the mirror of your choice:
deb [signed-by=/usr/share/keyrings/kali-archive-keyring.gpg] http://mirror.csclub.uwaterloo.ca/kali kali-rolling main non-free contrib
Update again:
sudo apt clean
sudo apt update
At this point, you shouldn’t be seeing any more “repository not signed” errors.
You can now proceed with the full upgrade.
