
I encountered some common errors while running apt-get update - no public keys.

My Ubuntu is in fips mode, version 5.4.0-1092-fips.

The errors I'm seeing while running apt-get update are

Err:5 https://esm.ubuntu.com/fips-updates/ubuntu focal-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY $MY_KEY1
Err:6 https://esm.ubuntu.com/cis/ubuntu focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY $MY_KEY2

I followed "apt-get update fails due to NO_PUBKEY 6AF7F09730B3F0A4", and tried

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $MY_KEY1
and
gpg --keyserver keyserver.ubuntu.com --recv-keys $MY_KEY1

The output is

gpg: out of core handler ignored in FIPS mode
gpg: key $MY_KEY1: public key "Ubuntu Federal Information Processing Standards Automatic Signing Key V1 <esm@canonical.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: out of core handler ignored in FIPS mode
gpg: out of core handler ignored in FIPS mode

I don't know if this command registered the key successfully. I can see the keys from gpg --list-keys. However, apt-get update still fails with the same error.

What can I do in this case? Thanks in advance.

Edit: Some people marked this as a dup of "How to enable ESM on Xenial?", but I don't see how that post answered my question to fix the no public key issue.

Edit 2: Still doesn't work after I went pro mode and enabled ESM

SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips-updates     yes       enabled      FIPS compliant crypto packages with stable security updates
livepatch        yes       enabled      Canonical Livepatch service
ros              yes       disabled     Security Updates for the Robot Operating System
usg              yes       enabled      Security compliance and audit tools

NOTICES Operation in progress: pro attach

Edit 3: Please take a look at my post. I followed the old posts to import the keys but it still didn't work. A similar issue that I found is "GPG error, but could not update public key", but that doesn't have an answer, either.

itsjc
  • Not quite. I don't see anything in that post that helps me fix the no public key issue for apt-get update – itsjc Mar 09 '24 at 03:36
  • The keys should have been added when you enable ESM. – guiverc Mar 09 '24 at 10:42
  • @guiverc nope it still doesn't work after I enabled ESM – itsjc Mar 09 '24 at 11:20
  • Maybe you could try to reinstall/reenable FIPS. Look here for more infos – kanehekili Mar 12 '24 at 21:24
  • Make sure your computer time is set correctly, because keys may expire. But I wouldn't be surprised if this has to do with the file permissions of the trust store /etc/apt/trusted.gpg ... It may also be that in fips mode you need different update methods than apt. https://ubuntu.com/security/certifications/docs/fips-enablement – sleepyhead Mar 16 '24 at 13:33

1 Answer

Depending on which version of Ubuntu you are running, you need the ESM GPG keys installed first before doing apt updates.

https://esm.ubuntu.com/fips-updates/ubuntu/dists/

Index of /fips-updates/ubuntu/dists/
../
bionic-updates/
focal-updates/
jammy-updates/
xenial-updates/

You will need to install the GPG key for your version of Ubuntu. For my 22.4.04 LTS jammy jellyfish it would be:

https://esm.ubuntu.com/fips-updates/ubuntu/dists/jammy-updates/Release.gpg

The key can be installed with the following command:

curl -fsSL https://esm.ubuntu.com/fips-updates/ubuntu/dists/jammy-updates/Release.gpg | sudo gpg --dearmor -o /usr/share/keyrings/esm.gpg

Once the GPG key is installed, apt-get update should work without complaint on keys
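
Keys fetched with gpg --recv-keys land in the invoking user's own GnuPG keyring, whereas apt verifies InRelease files against /etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d/ or the keyring named by a source's signed-by option. The script below is an added example, not part of the original question or answer: it lists the keyring files apt would consult for a repository and flags missing, empty or non-world-readable ones. It parses one-line .list entries only, and the function names and sample files are constructed for illustration.

```shell
# Added example; function names and sample data are constructed here.
# Print the signed-by= path of each one-line "deb" entry mentioning URL,
# or DEFAULT when it has none (apt then uses its global trust store).
keyrings_for_repo() {
    src_dir=$1; url=$2
    grep -h '^deb ' "$src_dir"/*.list 2>/dev/null | grep -F -- "$url" |
    while read -r line; do
        case $line in
            *signed-by=*) printf '%s\n' "$line" | sed 's/.*signed-by=\([^] ,]*\).*/\1/' ;;
            *)            echo DEFAULT ;;
        esac
    done
}

# Classify a keyring file: missing | empty | unreadable | ok. "unreadable" means
# not world-readable; apt's helpers normally run as the unprivileged _apt user.
keyring_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }
    [ -n "$(find "$f" -perm -004)" ] || { echo unreadable; return; }
    echo ok
}

# Print "<keyring path> <state>" for every keyring relevant to URL.
audit_repo() {
    trusted_dir=$3
    keyrings_for_repo "$1" "$2" | while read -r k; do
        if [ "$k" != DEFAULT ]; then echo "$k $(keyring_state "$k")"; continue; fi
        for f in "$trusted_dir"/*.gpg "$trusted_dir"/*.asc; do
            if [ -e "$f" ]; then echo "$f $(keyring_state "$f")"; fi
        done
    done
}

# Constructed fixture (not real system files); prints its root directory.
make_sample() {
    root=$(mktemp -d); mkdir "$root/sources" "$root/trusted"
    echo "deb [signed-by=$root/keyrings/esm.gpg] https://esm.ubuntu.com/fips-updates/ubuntu focal-updates main" > "$root/sources/fips.list"
    echo "deb https://esm.ubuntu.com/cis/ubuntu focal main" > "$root/sources/cis.list"
    echo key > "$root/trusted/good.gpg";   chmod 644 "$root/trusted/good.gpg"
    echo key > "$root/trusted/locked.gpg"; chmod 600 "$root/trusted/locked.gpg"
    echo "$root"
}

s=$(make_sample)
audit_repo "$s/sources" esm.ubuntu.com/fips-updates "$s/trusted"
audit_repo "$s/sources" esm.ubuntu.com/cis "$s/trusted"
rm -rf "$s"
```

On a real host the equivalent call is audit_repo /etc/apt/sources.list.d esm.ubuntu.com/fips-updates /etc/apt/trusted.gpg.d, and gpg --show-keys on a listed file shows which key IDs that keyring actually holds.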