8

After one of my recent updates, I noticed that my 3rd party repos were failing to update due to the NO_PUBKEY error from apt. I looked for hours to find a fix, but all fixes suggest using apt-key. However, that no longer works because it has been deprecated. So I manually copied one repo's keys from /usr/share/keyrings to /etc/apt/trusted.gpg.d as a test and that seems to work. Now everything works for that app.

My question is: is there a new function to download keys from a keyserver instead of the apt-key function? Most sites have not realized this change and offer the apt-key command for their repo keys and that just returns errors now. And how to update my current third party repo keys as only they have the problem? Should I manually cp the keys as I mentioned above, or is there a more efficient solution?

EDIT: I am on 20.10. Apt-key works for 20.04 but not after that.

$ sudo apt update
Err:9 http://repo.vivaldi.com/stable/deb stable Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.vivaldi.com/stable/deb stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Failed to fetch http://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Some index files failed to download. They have been ignored, or old ones used instead.

muru
i9pp0
  • What OS & release are you using? – guiverc Nov 25 '20 at 06:55
  • 2
    Does this answer your question? apt-key is deprecated – Artur Meinild Nov 25 '20 at 07:02
  • @guiverc I am on 20.10 – i9pp0 Nov 25 '20 at 07:03
  • @Artur Meinild I saw that post but it doesn't answer my question as to what tool I should use now instead of apt-key to add repo keys from sites. – i9pp0 Nov 25 '20 at 07:05
  • 1
    I don't believe your issue is with apt-key being relegated, but the keys you're trying to import are EOL & relegated. Due to md5 being no longer treated as secure, any keys that used md5 were deprecated. You should provide the full command & error message for specific details (instead of generic) – guiverc Nov 25 '20 at 07:05
  • 1
    @guiverc hmmm may be, but I fixed this issue by simply moving a key from one place to another as described in my post. If it was an md5sum issue, the key should not work no matter where I place it. Right? – i9pp0 Nov 25 '20 at 07:07
  • 1
    @Kulfy That answer comes close but not really. I am looking for what is the new function, what replaces apt-key for downloading keys from sites as they all give instructions with apt-key which end in errors. Most answers on that post use apt-key and the accepted one uses an app I need to download. It cannot be that I must install software to get repo keys in the right place. – i9pp0 Nov 25 '20 at 07:19
  • @guiverc I added errors for you – i9pp0 Nov 25 '20 at 07:23
  • 1
    @i9pp0 Pedram's answer doesn't use apt-key. Neither does htorque's answer. Though I don't use 20.10, according to https://manpages.debian.org/testing/apt/apt-key.8.en.html, apt-key should be there till Ubuntu 22.04. – Kulfy Nov 25 '20 at 07:25
  • 1
    @Kulfy Pedram's answer does use apt-key. htorque's doesn't, but it is a long workaround that cannot be the only way to add third party repos to my system. Sites give a one-liner to add their repo key using apt-key. Apt-key no longer works on 20.10. My question is what is the "new" way to add repo keys? Thanks – i9pp0 Nov 25 '20 at 07:30

1 Answer

10

apt-key never downloaded keys by itself. apt-key adv passed on options to gpg, and gpg did the actual downloading (apt-key is a complicated shell script that itself creates temporary scripts to run gpg). You can still use gpg to import keys, e.g. instead of apt-key adv --recv-keys, you'd do something like:

sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/foo.gpg --recv-keys 9658E8044A3AA3D6

Or instead of wget ... | apt-key add -:

wget -qO - https://example.com/somekey.gpg |
  sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/example.gpg --import -

Notes:

  1. GnuPG will create trust stores in root's home directory. Use --homedir with some other path if you want to avoid that.
  2. GnuPG creates keyrings in the new keybox format by default, and these don't work with apt, but using the gnupg-ring: prefix makes it use the old format for some reason.

If your software already had keyrings installed in /usr/share/keyrings, then presumably their sources.list entries should have had something like [signed-by=/usr/share/keyrings/foo.gpg] (cf. the Debian Wiki).

muru
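A way to check the two points the answer raises (keybox-format keyrings that apt cannot read, and sources entries that lack signed-by), as an added example that is not part of the original answer. The function names, file names and the repo.example.com URL are constructed; it reads one-line-style sources files only and relies on GnuPG keybox files carrying the magic "KBXf" at byte offset 8.

```shell
#!/bin/sh
# Added example: file names and the repo URL below are constructed.

# Print COUNT bytes of FILE starting at OFFSET as lowercase hex.
hex_at() { od -An -tx1 -j"$2" -N"$3" "$1" 2>/dev/null | tr -d ' \n'; }

# Classify a keyring file by its leading bytes.
keyring_format() {
    if [ ! -r "$1" ]; then echo missing; return 0; fi
    # GnuPG keybox files carry the magic "KBXf" at byte offset 8.
    if [ "$(hex_at "$1" 8 4)" = 4b425866 ]; then echo keybox; return 0; fi
    case $(hex_at "$1" 0 5) in
        2d2d2d2d2d) echo armored ;;              # "-----BEGIN PGP ..."
        98*|99*|9a*|c6*) echo openpgp-binary ;;  # public-key packet header
        *) echo unknown ;;
    esac
}

# For each deb/deb-src line, report the keyring named by signed-by
# (the first one if several are listed) together with its format.
audit_sources() {
    while IFS= read -r line; do
        case $line in deb\ *|deb-src\ *) ;; *) continue ;; esac
        key=$(printf '%s\n' "$line" |
              sed -n 's/^[^[]*\[[^]]*signed-by=\([^] ,]*\).*/\1/p')
        if [ -z "$key" ]; then
            echo "no-signed-by: $line"
        else
            echo "$(keyring_format "$key"): $key"
        fi
    done < "$1"
}

# Demo on constructed files: a keybox header, a binary packet header,
# and a sources list that references both plus one unpinned entry.
d=$(mktemp -d)
printf '\000\000\000\040\001\001\000\002KBXf' > "$d/kbx.gpg"
printf '\231\001\015' > "$d/ok.gpg"
printf '%s\n' \
    "deb [arch=amd64 signed-by=$d/ok.gpg] http://repo.example.com/deb stable main" \
    "deb [signed-by=$d/kbx.gpg] http://repo.example.com/deb stable main" \
    "deb http://repo.example.com/deb stable main" > "$d/example.list"
audit_sources "$d/example.list"
rm -rf "$d"
```

A keyring reported as keybox is the case from note 2: it needs to be re-exported in the old format before apt will accept it.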