How to fix missing GPG keys?

  • I have just installed Ubuntu 12.04 and I added some repo, and when I did apt-get update, I got missing gpg key.

    Following command seems to doesn't work for me:

    apt-get update 2> /tmp/keymissing; for key in $(grep "NO_PUBKEY" /tmp/keymissing |sed "s/.*NO_PUBKEY //"); do echo -e "\nProcessing key: $key"; gpg --keyserver subkeys.pgp.net --recv $key && sudo gpg --export --armor $key | apt-key add -; done
    

    How to fix this problem?

    It would be good if answers to this question included why this error is happening in the first place, and what to do to avoid it in future.

    I solved my problem using Y-ppa-manager. Thanks to Ashu for the solution!

  • I liked this solution, re-download the missing keys from the Ubuntu key server.

    For Ubuntu

    In my case

     Reading package lists... Done  
     W: GPG error: http://ppa.launchpad.net precise 
     Release: The following signatures couldn't be verified because the public key is not available: 
     NO_PUBKEY 2EA8F35793D8809A
    

    Here is the command to add the missing key mentioned in the error message.

    sudo apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys 2EA8F35793D8809A
    

    So I take the missing key 2EA8F35793D8809A and ask the keyserver.ubuntu.com to added it to the list of keys I have in apt.

    For linux mint
    Your key server is slightly different keyserver.linuxmint.com

    sudo apt-key adv --recv-key --keyserver keyserver.linuxmint.com "missing key"
    

    Alternative key servers to try
    keyserver.ubuntu.com

    Works for me. Need to ignore the " in the original blog post.

    It worked for me too. I think it is the easiest solution of all.

    Are there any security implications to doing this? I'm basically just downloading a public key over http, right?

    Best answer so far on AskUbuntu.

    What is Ubuntu key server?

    @iamcreasy , in order to prove to Ubuntu installations that the packages you are installing are secure and malware free each package is signed by the ubuntu key server. So your installer checks if the package you are installing is from a trusted and verified source. I have not found any really good documentation about it, but this might help gpg doc

    I have created a function do add needed keys `adkeys (){ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$1";}` And to remove duplicated or problematic keys I am use to do this: `grep -ril "pattern" /etc/apt | sudo xargs rm -f`

    I recommend `--keyserver ha.pool.sks-keyservers.net`. It's a high-availability pool of key servers, which greatly increases your chance of getting the key you want.

    @Ajedi32 no, there are no security implications. It's a *public* key. If it were compromised during transmission, signature verification would fail, but there is no risk.

    @kynan Not if the file whose signature you're trying to verify was _also_ compromised in transmission. Then the MITM attacker could make the signature verification succeed, right? What's the point of verifying a potentially compromised file with an unknown key?

    @Ajedi32 Suppose that's a possible attack vector, however packages are usually fetched via secure connection. Read more about security implications of GPG key fetching at https://security.stackexchange.com/a/4162/200010

  • There is a software called as Y PPA manager It can help fix GPG keys errors.
    Y PPA manager

    To install -

    sudo add-apt-repository ppa:webupd8team/y-ppa-manager  
    sudo apt-get update  
    sudo apt-get install y-ppa-manager    
    

    Once you install it start it ,then go to advance and select "import all missing GPG keys"

    You must add sudo to this command! `sudo apt-get...`

    This worked for me also and I'm very impressed with the clean easy to use interface of Y PPA Manager it was a nice find, Thanks Ashu.

    I did what you say but nothing happened. I mean that I can't find the app anywhere in the menu.

    @CristianaNicolae Once installed, you can find Y PPA Manager under Applications > System Tools.

    Sorry Ashu, I have checked and double checked. I still can't see it there. It seems that it is installed somewhere in the system, but for some reasons, it doesn't show anywhere in menu.

    @Cristiana - if it is installed properly, type command in terminal: sudo y-ppa-manager

    Installing software that magically handles the issue for you is really not a solution.

  • The automatic download using apt-key adv --recv-keys may not work behind a firewall.

    In this case, open the webpage of Ubuntu Key Server in your web browser and search for the string 0x<hexadecimal code of your missing key>.

    Open the link in the pub section. Save the key contents (from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----) as a file.

    Then run:

    sudo apt-key add <file-with-saved-key>
    

    Source: http://opensourceforgeeks.blogspot.in/2013/04/w-gpg-error-httpppalaunchpadnet-precise.html

  • first enter the following command in the terminal

     sudo rm /var/lib/apt/lists/* -vf
    

    then update your system by entering the following command in the terminal

     sudo apt-get update && sudo apt-get upgrade
    

    after this there should be no errors and everything should work fine.

    thx for reply. The sollution for my problem was preety much simpler: type `sudo su` before typing my command above

    While that will have helped you, `sudo su` is in no way the correct approach - in this case `sudo -s` would have done what you needed.

    I think you meant `sudo rm /var/lib/apt/lists/* -rf` (option "r" instead of "v")

    Using both `sudo` and `rm` is dangerous. Using both `rm` and `*` is dangerous. Use the three in the same command and a shark will bite you, or your files.

    This is not working for me.

  • For Ubuntu 12.04 Precise: Permanent solution

    to this error message occuring after adding a new repository and updating repository list. This is due to a server which address is no more valid. So just change the address to a good one.

    1. Open the file ~/.gnupg/gpg.conf with a text editor.

      In terminal: gedit ~/.gnupg/gpg.conf

    2. then, in this file, find the following bold line (116th line) (which should be default as follow):

      [...]
      keyserver hkp://keys.gnupg.net
      # keyserver mailto:[email protected]
      # keyserver ldap://keyserver.pgp.com

    3. then add the following bold line, to finally give the following result:

      (add # to the second line as follow to comment out the old address)

      [...]
      keyserver http://keyserver.ubuntu.com
      # keyserver hkp://keys.gnupg.net
      # keyserver mailto:[email protected]
      # keyserver ldap://keyserver.pgp.com

    4. Save the file and try to update again:

      In terminal: sudo apt-get update

  • Based on nelaar answer:

    sudo apt-get update 2>&1 1>/dev/null | sed -ne 's/.*NO_PUBKEY //p' |
    while read key; do
        echo 'Processing key:' "$key"
        sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$key"
    done
    

    The script dumps all the errors into a temporary file and then loops through them, importing the missing keys.

  • The Most Easiest Way Is With Y PPA MAnager

    sudo add-apt-repository ppa:webupd8team/y-ppa-manager
    sudo apt-get update
    sudo apt-get install y-ppa-manager 
    

    Open Y PPA Manager From Dash

    enter image description here

    Enter Your Admin Password

    enter image description here

    Double Click On Advanced Option

    enter image description here

    Click Try To Import All Missing GPG Keys

    enter image description here

    Click Ok To Fix It

  • What worked for me was to delete the key first and then reinstall. To achieve that I did the following:

    [email protected] > ~: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 630239CC130E1A7FD81A27B140976EAF437D05B5
    

    deleting with

    [email protected] > ~: sudo apt-key del 630239CC130E1A7FD81A27B140976EAF437D05B5
    

    Then, re-install by typing

    [email protected] > ~: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 630239CC130E1A7FD81A27B140976EAF437D05B5
    
  • I have encountered the same issue, by adding a ppa(ppa:nathandyer/vocal-stable), it broke my repositories. I was guided from the Author of Web Upd8, on how I can try to fix this, here are his steps that worked me.

    Backup your .gpg keys, just in case that something goes wrong.

    Lets make a folder in which we will house our backup in.

    • mkdir ~/gpg-backups

      This backups all files in the /etc/apt/trusted.gpg.d/ folder.

    • sudo cp /etc/apt/trusted.gpg.d/*.* ~/gpg-backups/

    Now, we will remove all the .gpg keys.

    • sudo rm /etc/apt/trusted.gpg.d/

    • sudo cp /etc/apt/trustdb.gpg ~/gpg-backups/

    • sudo rm /etc/apt/trustdb.gpg

    in Software & Updates, on the "Authentication" tab, clicked "Restore Defaults

    Install y-ppa manager to import all missing GPG keys

    sudo add-apt-repository ppa:webupd8team/y-ppa-manager
    sudo apt-get update
    sudo apt-get install y-ppa-manager
    

    Reference:

    One line seems to contain an error, must be `sudo rm /etc/apt/trusted.gpg.d/*`. Omitting the `*` at the EOL is not possible, as you cannot remove non-empty directories with `rm` when the `-r` option is not specified.-- Ah, and you can kill 2 birds with 1 stone by the line `sudo mv /etc/apt/trustdb.gpg ~/gpg-backups/`. Because if you *move* the file, you need not `rm` the source file afterwards.

  • I wanted to automatically fix errors like this in a bash script. For anyone interested, this should do the trick:

    sudo apt-get update 2> /tmp/keymissing
    if [ -f /tmp/keymissing ]
    then
        for key in $(grep "NO_PUBKEY" /tmp/keymissing |sed "s/.*NO_PUBKEY //")
            do 
            echo -e "\nProcessing key: $key"
            sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $key
            sudo apt-get update
        done
        rm /tmp/keymissing
    fi
    

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM