5

I am changing the way I install docker on a bunch of machines as pointed out here. It worked fine on one, yet this one behaves strangely.

I have imported the key:

    sudo apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
    Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.uUGtmucAUd --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/atareao-telegram.gpg --keyring /etc/apt/trusted.gpg.d/neovim-ppa-unstable.gpg --keyring /etc/apt/trusted.gpg.d/nilarimogard-webupd8.gpg --keyring /etc/apt/trusted.gpg.d/ondrej-php-7_0.gpg --keyring /etc/apt/trusted.gpg.d/shutter-ppa.gpg --keyring /etc/apt/trusted.gpg.d/trustdb.gpg --keyring /etc/apt/trusted.gpg.d/trusted.gpg --keyring /etc/apt/trusted.gpg.d/vincent-c-ponysay.gpg --keyring /etc/apt/trusted.gpg.d/webupd8team-y-ppa-manager.gpg --keyring /etc/apt/trusted.gpg.d/xorg-edgers-ppa.gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
    gpg: requesting key 2C52609D from hkp server pgp.mit.edu
    gpg: [don't know]: invalid packet (ctb=01)
    gpg: keydb_get_keyblock failed: eof
    gpg: key 2C52609D: public key "Docker Release Tool (releasedocker) <docker@docker.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

yet still sudo apt-get update fails on missing key:

    w: GPG error: https://apt.dockerproject.org ubuntu-trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F76221572C52609D

What am I missing?

I also tried the currently provided answer, yet after deleting the trusted.gpg file, I cannot add the keys with

    root@fluttershy:/etc/apt# rm trusted.gpg
    root@fluttershy:/etc/apt# apt-key update
    gpg: [don't know]: invalid packet (ctb=01)
    gpg: keydb_get_keyblock failed: eof
    gpg: key 437D05B5: public key "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" imported
    gpg: [don't know]: invalid packet (ctb=01)
    gpg: keydb_get_keyblock failed: eof
    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" imported
    gpg: [don't know]: invalid packet (ctb=01)
    gpg: keydb_get_keyblock failed: eof
    gpg: key C0B21F32: public key "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" imported
    gpg: [don't know]: invalid packet (ctb=01)
    gpg: keydb_get_keyblock failed: eof
    gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" imported
    gpg: Total number processed: 4
    gpg:               imported: 4  (RSA: 2)
    root@fluttershy:/etc/apt#
k0pernikus
  • 6,115
  • gpg is failing with invalid packet (ctb=01)/keydb_get_keyblock failed: eof. This usually means that your GPG database is damaged. The quickest way to fix the issue is to delete it. Is it an option? – Andrea Corbellini Jan 11 '16 at 18:01
  • @AndreaCorbellini It depends on what is deleted and needs to be reconfigured. It's an option to delete all public keys of vendors; I would like to keep my own private and public keys. Such an answer would be even better if it showed how to list the currently imported keys, as I have a few PPAs I want to keep using. – k0pernikus Jan 11 '16 at 18:06
  • @AndreaCorbellini And amazing how selectively I was reading the output of the apt-key command. I was only scanning the last line and assumed it worked /o'\ – k0pernikus Jan 11 '16 at 18:07

2 Answers

7

gpg is failing with invalid packet (ctb=01)/keydb_get_keyblock failed: eof. This usually means that your GPG keyring is damaged. The quickest way to fix the issue is to delete it, or restore it from a backup.

Here are a few handy commands for you:

  • To list all keys currently in APT keyrings:

    apt-key list
    
  • To restore trusted.gpg from APT automatic backup:

    cp /etc/apt/trusted.gpg{~,}
    
  • To delete trusted.gpg and re-create it with the keys for the Ubuntu archive:

    rm /etc/apt/trusted.gpg
    apt-key update
    

In all the commands I have used /etc/apt/trusted.gpg, but beware that there may be other keyrings inside /etc/apt/trusted.gpg.d/.

APT uses all the keyrings at the same time, as you can see by examining your output:

    Executing: gpg [...] \
      --keyring /etc/apt/trusted.gpg \
      --primary-keyring /etc/apt/trusted.gpg \
      --keyring /etc/apt/trusted.gpg.d/atareao-telegram.gpg \
      --keyring /etc/apt/trusted.gpg.d/neovim-ppa-unstable.gpg \
      --keyring /etc/apt/trusted.gpg.d/nilarimogard-webupd8.gpg \
      [...]

Having one damaged keyring makes GPG sad and none of the keyrings (even the good ones) are trusted. As a result, none of the keys are considered.

  • Even after deleting the trusted.gpg file, it still throws the same error – k0pernikus Jan 11 '16 at 18:20
  • @k0pernikus: can you paste the exact commands you used, together with the output from apt-key list? – Andrea Corbellini Jan 11 '16 at 18:22
  • It fails on the apt-key update part. See my question, I have added the part. – k0pernikus Jan 11 '16 at 18:25
  • @k0pernikus: trusted.gpg is not the only keyring available. There are others inside /etc/apt/trusted.gpg.d/, and it appears that the problem is with one of them. You should use the output of apt-key list to detect the damaged one – Andrea Corbellini Jan 11 '16 at 18:28
  • The last part was the key: I moved all the gpg keys out of the folders. Then apt-get update kindly listed all the missing keys and I just needed to add them according to the list. – k0pernikus Jan 11 '16 at 18:35
  • Which of the keys was faulty I do not know. It would be kind if you could elaborate why one key might crash the whole keyring. – k0pernikus Jan 11 '16 at 18:35
  • @k0pernikus: updated answer – Andrea Corbellini Jan 11 '16 at 18:42
  • @AndreaCorbellini Is the faulty gpg file below or above the gpg: [don't know]: invalid packet (ctb=01) gpg: keydb_search_next failed: invalid packet error ? – SebMa Mar 27 '19 at 03:32
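
Added example, not part of the original answer or comments: gpg prints invalid packet (ctb=XX) when the byte where an OpenPGP packet header should start does not have bit 7 set, so walking the packet headers of each keyring file separately shows which file is damaged and at which offset. The function names and the sample bytes are assumptions constructed for this illustration.

```python
# Added example: walk OpenPGP packet headers (RFC 4880, section 4.2) in keyring files.
import sys

SAMPLE_GOOD = b"\xb4\x04test\xcd\x04test"   # constructed: two User ID packets
SAMPLE_DAMAGED = SAMPLE_GOOD + b"\x01\x00"  # constructed: stray 0x01 where a header belongs

def packet_end(data, pos):
    """Return the offset just past the packet at pos; ValueError if malformed."""
    ctb = data[pos]
    if not ctb & 0x80:  # bit 7 is set in every valid packet header
        raise ValueError("invalid packet (ctb=%02x)" % ctb)
    try:
        if ctb & 0x40:  # new-format header
            o1 = data[pos + 1]
            if o1 < 192:
                hdr, body = 2, o1
            elif o1 < 224:
                hdr, body = 3, ((o1 - 192) << 8) + data[pos + 2] + 192
            elif o1 == 255:
                hdr, body = 6, int.from_bytes(data[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body length (not valid for key packets)")
        elif (ctb & 0x03) == 3:  # old format, indeterminate length: runs to EOF
            return len(data)
        else:  # old format with a 1-, 2- or 4-octet length field
            size = 1 << (ctb & 0x03)
            hdr, body = 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")
    except IndexError:
        raise ValueError("truncated packet header") from None
    if pos + hdr + body > len(data):
        raise ValueError("packet runs past end of file")
    return pos + hdr + body

def first_bad_packet(data):
    """Return None if every packet frames cleanly, else (offset, reason)."""
    pos = 0
    while pos < len(data):
        try:
            pos = packet_end(data, pos)
        except ValueError as exc:
            return pos, str(exc)
    return None

if __name__ == "__main__":
    for path in sys.argv[1:]:  # keyring files are passed on the command line
        with open(path, "rb") as fh:
            bad = first_bad_packet(fh.read())
        print(path, "OK" if bad is None else "DAMAGED at byte %d: %s" % bad)
```

Saved under a hypothetical name such as check_keyrings.py, it can be run as python3 check_keyrings.py /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg. It checks packet framing only, so a file that passes can still contain a key that gpg rejects for other reasons.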
4

Specifically, for Docker keyring 58118E89F3A912897C070ADBF76221572C52609D, add the key server:

    sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
pocheptsov
  • 141
  • 3