185

I'm using an unsigned repo in Ubuntu 16.04 from Debian multimedia:

deb http://www.deb-multimedia.org jessie main

To install deb-multimedia-keyring, I'm running:

apt-get update && apt-get install deb-multimedia-keyring -y

This gives an error:

W: GPG error: http://www.deb-multimedia.org jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
E: The repository 'http://www.deb-multimedia.org jessie InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Eliah Kagan
  • 117,780
Shan
  • 1,963

8 Answers8

200

You can set options in your sources.list (located at /etc/apt/sources.list):

deb [trusted=yes] http://www.deb-multimedia.org jessie main

The trusted option is what turns off the GPG check. See man 5 sources.list for details.

You can either edit the file within the terminal with vim ( or whatever you prefer) or any non-terminal editor like gedit.

brasofilo
  • 192
  • 2
  • 14
Prathu Baronia
  • 2,541
112

You can bypass some important safeguards by using the following option:

--allow-unauthenticated

From the man pages for apt-get:

--allow-unauthenticated
    Ignore if packages can't be authenticated and don't prompt about
    it. This can be useful while working with local repositories, but
    is a huge security risk if data authenticity isn't ensured in
    another way by the user itself. The usage of the Trusted option for
    sources.list(5) entries should usually be preferred over this
    global override. Configuration Item:
    APT::Get::AllowUnauthenticated.

But be a little cautious about using this option more widely, the safeguards are in place to protect your computer not limit your freedom...

Edit

From newer versions of Ubuntu, instead of --allow-unauthenticated, --allow-insecure-repositories can be used.

In order to perform an update the command would be this

sudo apt-get update --allow-insecure-repositories
Arjun K Shibu
  • 951
andrew.46
  • 38,003
  • 27
  • 156
  • 232
  • 1
    I use Raspbian stretch and get even with the option E: The repository 'http://ftp.de.debian.org/debian testing InRelease' is not signed. I want to upgrade from python 3.5. t 3.6. – Timo Apr 02 '18 at 12:59
  • 3
    told me that "this option can't be interpreted together with the other options"when executing sudo apt-get update --allow-unauthenticated – xeruf May 12 '18 at 22:45
  • 78
    NOTE: This no longer seems to work in Ubuntu 18.04 as of July 2018. – Jay Taylor Jul 09 '18 at 02:29
  • @JayTaylor: I have just opened a fresh Virtual Machine for 18.04 and the command functions here perfectly well. Pastebin here: https://pastebin.com/ygLTnP1C – andrew.46 Jul 09 '18 at 06:20
  • 3
    Interesting; perhaps there might be something else different on the machine I tried it from behind the errors I observed. In any case, adding the [trusted=yes] field to sources.list did work. Thanks for your diligence @andrew.46 :) – Jay Taylor Jul 09 '18 at 18:59
  • 50
    I had luck with --allow-insecure-repositories via this other answer. – kshakir Sep 11 '19 at 14:35
  • 1
    I'll second that. I actually did "sudo apt-get update --allow-unauthenticated --allow-insecure-repositories" and it worked. It's probably the --allow-insecure-repositories though... – Brent Rittenhouse Aug 08 '20 at 06:42
15

Another generic solution would be

sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117

Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.

Another solution specific to your case is to install the keys

wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
sudo dpkg -i multimedia-keyring_all.deb

As described in the full walk through: How To Install The Debian Multimedia Repository On Debian Operating Systems

sotirov
  • 3,169
Fady Mohamed Othman
  • 377
8

If you are trying to get a package from a repository where they packaged the keys and include them within the repository and no where else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.

The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (eg wget https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.

echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update

## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed

apt-get update
apt-get install somepkg-from-repo

I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.

derHugo
  • 3,356
  • 5
  • 31
  • 51
dragon788
  • 1,556
  • This answer seems incomplete when faced with Ubuntu 18.04 There it tries to annoy me by saying nasty things like

    Even after rm-ing the /var/lib/apt/lists/* things...

     – Jürgen Weigert Apr 25 '18 at 18:05
  • That is simply a mirror replication problem and shouldn't affect the authentication or signing of packages in the repositories. Since 1804 is just coming out of beta a lot of mirrors are trying to catch up and the mirroring service may point you to server that isn't fully in sync yet. – dragon788 Apr 27 '18 at 01:24
6

You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:

gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
gpg -a --export KEY_IN_ERROR | sudo apt-key add -

Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.

Also, if you are really interested in adding an unsigned repository, you can add the a flag in the desired repository entry in the sources.list like this:

deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main

This is really useful if you want to fine tune your security settings for an individual entries.

leonidas
  • 61
6

N: See apt-secure(8) manpage for repository creation and user configuration details.

answer:

  1. ls /etc/apt/sources.list.d

next try removing them using

  1. sudo rm -i /etc/apt/sources.list.d/{output of 1}

do it for each

eg: sudo rm -i /etc/apt/sources.list.d/wireshark-dev-ubuntu-stable-focal.list

then try

  1. sudo apt update

:)

Dumb da
  • 61
  • 1
  • 1
6

This is somewhat duplicating an existing answer but --allow-insecure-repositories and --allow-unauthenticated only worked in certain combinations. Here for example with the insecure deadsnakes repository:

sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update --allow-insecure-repositories
sudo apt-get install python3.9* --allow-unauthenticated
xjcl
  • 643
2

This is kind of late to the table, but I only ran into this yesterday. Upon installing from the .iso for 18.04 LTS, obtained from ubuntu.com, I encountered this issue and also, ifconfig and other network tools were not installed. Wifi did not work.

This was on a Lenovo X140e laptop, the kind that is preloaded with Windows and given to someone who completes a computer course.

I reinstalled a few times without better results, perhaps because the definition of insanity applies. I then put 16.04 LTS on a stick and installed that. I had to fool around with BIOS settings to install. Interestingly, network apps were installed and wifi found connections. I got the same message (repository is unsigned, etc.) at first from Software Updater, but then it told me there was a new release and asked me, did I want it.

I gave it a try and now everything works in 18.04. Make of that what you will. I would like to add that none of the other answers on this page worked. That is why I contribute this "solution."

Wastrel
  • 201
  • 18.04 does not use ifconfig, it uses netplan. Going from 16.04 to 18.04 will keep ifconfig and may work better for your device, but I do not see how it is related to installing from unsigned repositories. – aaa Apr 15 '20 at 07:56
  • That is almost certainly what happened. The point is that after installing 18.04 bare, updates did not work: "repository is unsigned". To get updates to work properly I had to install 16.04 and then upgrade to 18.04. – Wastrel Apr 15 '20 at 14:16
  • Ah okay, it's not that clear in the story above. But now on 18.04 you can still install from unsigned repositories w/o any error message? T.b.h you kind of want to get the message as it may indicate something is wrong and you can exclude specific repositories from this check with the answers above. – aaa Apr 16 '20 at 11:04
  • Yes, it all works fine after following the upgrade procedure. It's rather puzzling that the .iso for 18.04 and 16.04 did not, in themselves, have the signatures to the standard repositories. – Wastrel Apr 23 '20 at 16:42