What's the official recommended method to fix NO_PUBKEY errors during apt-get update?


sockscap
Go to solution Solved by xwiggen,

It's a Debian stretch server (Armbian to be specific). When I ran "apt-get update" the day before yesterday, it gave me an error: "The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9".

I searched the Internet and finally resolved the issue by running the following commands:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9

Initially I tried to use "--keyserver keyring.debian.org" but it didn't work. Therefore, I did some further research, and I read from https://wiki.debian.org/SecureApt that "The current and the retired Debian archive "signing" keys are available from https://ftp-master.debian.org/keys.html."

The latter web page provides the keys as ".asc" files, but I cannot find out what I should do with these ".asc" files. Could someone point out the official recommended method to fix such NO_PUBKEY errors? It's a bit strange that I have to consult the Ubuntu keyserver to fix Debian signing key issues.

 


17 minutes ago, Werner said:

Ubuntu's keyservers are like any other keyserver around. http://pgp.mit.edu/ for example is a well-known keyserver that has been there for ages. However, it depends on the key owners to spread their keys on various keyservers.

 

Thanks for the reply. A few more questions:

 

1. It sounds like the keys will not be synchronized automatically between these servers, and it relies on key owners' manual action? I'm a little worried: if I encounter the issue again, how do I know which server holds the info? For example, I initially thought keyring.debian.org should work, but actually it doesn't.

 

2. If I simply use the default sources.list like the one below, what key server is considered to be the official one?

 

deb http://httpredir.debian.org/debian stretch main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch main contrib non-free

deb http://httpredir.debian.org/debian stretch-updates main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch-updates main contrib non-free

deb http://httpredir.debian.org/debian stretch-backports main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch-backports main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
#deb-src http://security.debian.org/ stretch/updates main contrib non-free

 

3. What's the purpose of https://ftp-master.debian.org/keys.html? I'm asking because it sounds like the official source, which should be the most trustworthy. Can I use the info from it to generate the missing keys?

 


9 minutes ago, sockscap said:

It sounds like the keys will not be synchronized automatically between these servers, and it relies on key owners' manual action?

Correct. Keyservers work independently.

 

9 minutes ago, sockscap said:

2. If I simply use the default sources.list like the one below, what key server is considered to be the official one?

I don't know.

What I do know, however, is that httpredir has been deprecated by Debian for years now. deb.debian.org should be used instead. This can be read somewhere in the Debian wiki.

 

10 minutes ago, sockscap said:

3. What's the purpose of https://ftp-master.debian.org/keys.html?

No idea


  • Solution
4 hours ago, sockscap said:


The latter web page provides the keys as ".asc" files, but I cannot find out what I should do with these ".asc" files. Could someone point out the official recommended method to fix such NO_PUBKEY errors? It's a bit strange that I have to consult the Ubuntu keyserver to fix Debian signing key issues.

 

You can download and add the key with

apt-key add <file.asc>

 

The keyservers are capable of synchronization and I suspect (wouldn't know for sure) the Ubuntu service is.

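A check that can precede the `apt-key add <file.asc>` step from the accepted answer, shown as an added example that is not part of the thread: it compares the key IDs apt reported as NO_PUBKEY with the key IDs a downloaded key file actually contains. The function names are hypothetical, and the key listing is assumed to be GnuPG colon-format output for the file (for example from `gpg --show-keys --with-colons file.asc` on a recent GnuPG).

```shell
#!/bin/sh
# Added example (not from the thread): confirm a key file covers the IDs apt
# reported as NO_PUBKEY before it is passed to `apt-key add`.

# Print each distinct 16-hex key ID that follows a NO_PUBKEY token (apt output on stdin).
missing_keys() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "NO_PUBKEY") {
             k = toupper($(i + 1)); gsub(/[^0-9A-F]/, "", k)
             if (length(k) == 16) print k } }' | sort -u
}

# Print key IDs (field 5) of pub and sub records from `gpg --with-colons` output on stdin.
# sub records count because apt may report the ID of a signing subkey.
listed_keys() {
    awk -F: '$1 == "pub" || $1 == "sub" { print toupper($5) }' | sort -u
}

# uncovered_keys APT_OUTPUT KEY_LISTING
# Prints the reported IDs the listing lacks; returns 0 only when none are lacking.
uncovered_keys() {
    want=$(printf '%s\n' "$1" | missing_keys)
    have=$(printf '%s\n' "$2" | listed_keys)
    rc=0
    for id in $want; do
        printf '%s\n' "$have" | grep -qxF "$id" || { printf '%s\n' "$id"; rc=1; }
    done
    return $rc
}

# Constructed sample: the message quoted in the question.
SAMPLE_APT_OUTPUT="W: GPG error: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9"

# Constructed listing in GnuPG colon format. Primary ID and dates are placeholders.
SAMPLE_LISTING="pub:-:4096:1:1111111111111111:1500000000:::-:::scSC:
sub:-:4096:1:648ACFD622F3D138:1500000000::::::s:"

if left=$(uncovered_keys "$SAMPLE_APT_OUTPUT" "$SAMPLE_LISTING"); then
    echo "key file covers every reported ID"
else
    echo "not in this key file: $left"
fi
```

A matching key ID only shows that the file contains the key apt asked for; the file itself should still come from a source you trust, such as the HTTPS page named in the question.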
