sockscap Posted September 26, 2021 Posted September 26, 2021 It's a Debian stretch server (Armbian to be specific). When I ran "apt-get update" the day before yesterday, it gave me an error: "The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9". I searched the Internet and finally resolved the issue by running the following commands: apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9 Initially I tried to use "--keyserver keyring.debian.org" but it didn't work. Therefore, I did some further research, and I read from https://wiki.debian.org/SecureApt that "The current and the retired Debian archive "signing" keys are available from https://ftp-master.debian.org/keys.html." The latter web page provides the key as ".asc" files, but I cannot find how should I do with these ".asc" files. Could someone point out the official recommended method to fix such NO_PUBKEY errors? It's a bit strange that I have to consult ubuntu keyserver to fix Debian signing key issues.
Werner Posted September 26, 2021 Posted September 26, 2021 30 minutes ago, sockscap said: It's a bit strange that I have to consult ubuntu keyserver to fix Debian signing key issues. ubuntu's keyservers are like any other keyserver around. http://pgp.mit.edu/ for example is a well known keyserver that has been there for ages. However it depends on the key owners to spread their keys on various keyservers.
sockscap Posted September 26, 2021 Author Posted September 26, 2021 17 minutes ago, Werner said: ubuntu's keyservers are like any other keyserver around. http://pgp.mit.edu/ for example is a well known keyserver that has been there for ages. However it depends on the key owners to spread their keys on various keyservers. Thanks for the reply. A few more questions: 1. It sounds like the keys will not be synchronized automatically between these servers, and it relies on key owners' manual action? I'm a little worried, if I encounter the issue again, how do I know which server holds the info? For example, I initially thought keyring.debian.org should work, but actually it's not. 2. If I simply use the default sources.list like the one below, what key server is considered to be the official one? deb http://httpredir.debian.org/debian stretch main contrib non-free #deb-src http://httpredir.debian.org/debian stretch main contrib non-free deb http://httpredir.debian.org/debian stretch-updates main contrib non-free #deb-src http://httpredir.debian.org/debian stretch-updates main contrib non-free deb http://httpredir.debian.org/debian stretch-backports main contrib non-free #deb-src http://httpredir.debian.org/debian stretch-backports main contrib non-free deb http://security.debian.org/ stretch/updates main contrib non-free #deb-src http://security.debian.org/ stretch/updates main contrib non-free 3. What's the purpose of https://ftp-master.debian.org/keys.html? I'm asking because it sounds like the official source which should be the most trustful. Can I use the info from it to generate the keys missing?
Werner Posted September 26, 2021 Posted September 26, 2021 9 minutes ago, sockscap said: It sounds like the keys will not be synchronized automatically between these servers, and it relies on key owners' manual action? Correct. Keyservers work independent. 9 minutes ago, sockscap said: 2. If I simply use the default sources.list like the one below, what key server is considered to be the official one? I don't know. What I do know however is that httpredir has been deprecated by Debian for years now. deb.debian.org should be used instead. Can be read somewhere in Debian wiki. 10 minutes ago, sockscap said: 3. What's the purpose of https://ftp-master.debian.org/keys.html? No idea
Solution xwiggen Posted September 26, 2021 Solution Posted September 26, 2021 4 hours ago, sockscap said: The latter web page provides the key as ".asc" files, but I cannot find how should I do with these ".asc" files. Could someone point out the official recommended method to fix such NO_PUBKEY errors? It's a bit strange that I have to consult ubuntu keyserver to fix Debian signing key issues. You can download and add the key with apt-key add <file.asc> The keyservers are capable of synchronization and I suspect (wouldn't know for sure) the ubuntu service is.
sockscap Posted September 26, 2021 Author Posted September 26, 2021 20 minutes ago, xwiggen said: You can download and add the key with apt-key add <file.asc> Ah yes! I double check "man apt-key", it indeed accepts ".asc" file. Thanks for pointing this out!
Recommended Posts