Debian: apt error NO_PUBKEY

Hi,

on newer debian/ubuntu system the “apt-key” (/etc/apt/trusted.gpg.d and /etc/apt/gpgtrusted.gpg) should no longer be used because in newer debian versions and is marked as insecure because a (correct) signed package is accepted from all respositories and should only be accepted from the original publisher.

If you use the apt-key methode to get an new key the public key will not be found.

root@debdev ~ # apt update
.....
Err:4 http://nginx.org/packages/debian bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8966AE7EAABF62
....

An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://nginx.org/packages/debian bullseye InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 8966AE7EAABF62
or you get an

EXPKEYSIG 8966AE7EAABF62

error.

This error means that the public key for the repository defined in sources.list is not found.

root@debdev ~ # cat /etc/apt/sources.list.d/myVendor.list
deb [signed-by=/usr/share/keyrings/myVendor-archive-keyring.gpg] http://myVendor.org/packages/debian bullseye myapp

Show current public keys

root@debdev ~ # gpg --show-keys --with-fingerprint /usr/share/keyrings/myVendor-archive-keyring.gpg
pub   rsa4096 2024-05-29 [SC]
      8440 C6F1 8823 100E 9C22  6354 2AA2 1210 B50F FF46
uid                      myappsigning key <signing-key-2@myVendor.com>

pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      AA3B F56B 138F B094 3379  5A3B 9805 BD82 7BD9 BF62
uid                      myappsigning key <signing-key@myVendor.com>

To get new keys

wget -O- https://myVendor.com/myVendorKey.gpg |
    gpg --dearmor > tee /usr/share/keyrings/myVendor-archive-keyring.gpg 

Now apt update works as expected.

Michael

Leave a Reply