
Problems with apt-keys on my hotspots


It happens a few times a year that something breaks on a Linux system. Today (actually yesterday, but I couldn’t stay up much longer and I was already fed up with this sh**) I upgraded my two Raspberry Pi based hotspots and found that apt couldn’t verify the repositories’ signing keys because the keys were missing.

This usually happens on any Linux distribution at least once a year. So it shouldn’t be a big deal, but it consumes time and I usually have to look into manpages and/or online help again because I have already forgotten how I fixed it the last time…

Today, I write it down below.

What the error looks like

When running sudo apt update:

$ sudo apt update
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
Get:5 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15,0 kB]
Err:1 http://httpredir.debian.org/debian bullseye-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Reading package lists... Done
W: GPG error: http://httpredir.debian.org/debian bullseye-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://httpredir.debian.org/debian bullseye-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Obtain the keys

$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853
gpg: keybox '/home/pi-star/.gnupg/pubring.kbx' created
gpg: /home/pi-star/.gnupg/trustdb.gpg: trustdb created
gpg: key A48449044AAD5C5D: public key "Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
gpg: key B7C5D7D6350947F8: public key "Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>" imported
gpg: key 73A4F27B8DD47936: public key "Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
gpg: Total number processed: 4
gpg:               imported: 4

Import the keys

This still works, though there is a better method for future encounters.

$ gpg -a --export 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853 | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
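
The keyring-file method that the apt-key deprecation warning points to, as an added example that is not from the original post: it collects the missing key IDs from the apt output, stores the keys in their own file under /etc/apt/keyrings, and pins a source entry to that file with signed-by. The keyring file name, the function names and the sample source line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. KEYRING's file name and the
# function names are assumptions chosen for illustration.
KEYRING=/etc/apt/keyrings/debian-archive.gpg

# Constructed sample: error lines in the format shown in the log above.
sample_apt_output() {
cat <<'EOF'
Err:1 http://httpredir.debian.org/debian bullseye-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
W: GPG error: http://httpredir.debian.org/debian bullseye-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
EOF
}

# Read apt output on stdin, print each missing key ID once.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-F]{16,40}' | cut -d' ' -f2 | sort -u
}

# Step 1: fetch the keys into the calling user's gpg keyring and show their
# fingerprints. Compare them with a source you trust before running step 2.
fetch_keys() {
    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$@" &&
    gpg --fingerprint "$@"
}

# Step 2: export the keys as a binary keyring file outside the global trust store.
install_keyring() {
    sudo install -d -m 0755 "$(dirname "$KEYRING")" &&
    gpg --export "$@" | sudo tee "$KEYRING" >/dev/null &&
    sudo chmod 0644 "$KEYRING"
}

# Step 3: rewrite sources.list lines (stdin) so the entry trusts only $KEYRING.
# Lines that already carry [options] get signed-by added inside the brackets.
pin_source_line() {
    sed -E -e "s|^(deb(-src)?) +\[|\1 [signed-by=$KEYRING |" -e "t" \
           -e "s|^(deb(-src)?) +|\1 [signed-by=$KEYRING] |"
}

# Offline demo on the constructed sample; steps 1 and 2 need network and root:
#   fetch_keys $(sample_apt_output | missing_key_ids)
#   install_keyring $(sample_apt_output | missing_key_ids)
sample_apt_output | missing_key_ids
echo 'deb http://deb.debian.org/debian bullseye-updates main' | pin_source_line
```

A key added with apt-key add lands in the global store and is trusted for every configured repository, while signed-by limits a key to the entries that name its file.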

The resulting update process

$ sudo apt update
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
Hit:2 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Get:3 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
Hit:5 http://archive.raspberrypi.org/debian bullseye InRelease
Get:6 http://httpredir.debian.org/debian bullseye-backports/main armhf Packages [415 kB]
Get:7 http://httpredir.debian.org/debian bullseye-backports/main Translation-en [353 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [248 kB]
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [164 kB]
Get:10 http://httpredir.debian.org/debian bullseye-backports/contrib armhf Packages [4.680 B]
Get:11 http://httpredir.debian.org/debian bullseye-backports/contrib Translation-en [5.984 B]
Get:12 http://httpredir.debian.org/debian bullseye-backports/non-free armhf Packages [9.072 B]
Get:13 http://httpredir.debian.org/debian bullseye-backports/non-free Translation-en [27,7 kB]
Get:14 http://security.debian.org/debian-security bullseye-security/non-free Translation-en [464 B]
Get:15 http://deb.debian.org/debian bullseye-updates/main armhf Packages [14,7 kB]
Get:16 http://deb.debian.org/debian bullseye-updates/main Translation-en [9.964 B]
Fetched 1.253 kB in 4s (282 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

Another way (quicker) but untested

This should also work like the above (until EOL of apt-key).

$ apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853

Final words

I have a feeling that the next time I need this, apt-key will no longer work and will have been fully replaced by signing keys in /etc/apt/keyrings.

Inspired by this post: https://superuser.com/a/1485255

As the default keyserver strips user IDs, the keys cannot be imported without the --keyserver switch.