IT-LINUXMAKER, OpenSource, Tutorials

Fix GPG error “NO_PUBKEY…” with apt (Debian/Ubuntu)

If running

~# apt-get update

produces the following warning,

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. 
W: GPG error: example.repo.org stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A2FB21D5A8772835

it means:
The public GPG key used to sign the repository is missing on the current system. APT uses digital signatures to verify the trustworthiness of the source when downloading package lists (index files).
If the matching public key is not present, this verification fails – and APT does not download any packages from there.

To continue installing packages using the APT package manager, you need to download the public keys of the respective repositories to your system. This can be done in two ways.

With apt-key (no longer recommended!)

~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A2FB21D5A8772835

This method is deprecated and no longer recommended on Debian and Ubuntu systems. It poses a security risk because of global trust: keys added with apt-key end up in a single file, /etc/apt/trusted.gpg, and are valid for all repositories. A single compromised key could therefore be used to sign package lists for any configured APT source.

The solution is repository-specific keys

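Newer Debian and Ubuntu versions support the directory /etc/apt/trusted.gpg.d/, in which each key is stored in a separate file. This makes it possible to assign individual key files to specific repositories, which gives better control and separation of trusted sources. A key file is bound to one repository only when that repository's sources entry names it with the signed-by option, as in the Google Chrome entry shown further down; without signed-by, APT accepts every key in /etc/apt/trusted.gpg.d/ for every configured source.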

Recommended method for adding GPG keys

Most repositories provide a URL for their public key, which can be downloaded and converted from ASCII-armored to binary GPG format.

This can be done either with

~# wget -qO - https://example.com/repo.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/repo.gpg > /dev/null

or with

~# curl -fsSL https://example.com/repo.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/repo.gpg > /dev/null

After either method, the local package lists must be refreshed again, which should now work without any error messages.

~# apt-get update

If the error message persists

If the error message persists, it's very possible that the old key is still present in the /etc/apt/trusted.gpg file. Deleting the key from this file should resolve the issue.

~# apt-key del 32EE5355A6BC6E42
~# apt-get update

However, some packages have their public keys stored elsewhere. In that case, the following workflow helps.

~# apt-key list

This lists all used keys and their storage locations. It may also be helpful to look at the respective repository file.

~# cat /etc/apt/sources.list.d/google-chrome.list
deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] dl.google.com/linux/chrome/deb/ stable main

In the case of Google Chrome, the key is located in /usr/share/keyrings/google-chrome.gpg, so you only need to adjust the target path in the command.

~# curl -fsSL https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor | sudo tee /usr/share/keyrings/google-chrome.gpg > /dev/null
~# apt-get update
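
The lookup described above (which key ID is missing, and which keyring file each repository entry actually uses) can be scripted. The following is an added example, not part of the original tutorial; the function names, the GLOBAL marker, the --audit switch and the sample entries are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Read-only: it parses text and
# never modifies keyrings or sources files.

# Constructed sample input, modelled on the warning and the .list entry above.
SAMPLE_APT_OUTPUT="W: GPG error: example.repo.org stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A2FB21D5A8772835"
SAMPLE_SOURCES="# constructed sample
deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] dl.google.com/linux/chrome/deb/ stable main
deb https://example.repo.org/debian stable main"

# Print every key ID that follows a NO_PUBKEY token on stdin, one per line.
missing_keys() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "NO_PUBKEY" && $(i + 1) ~ /^[0-9A-Fa-f]+$/)
                 print toupper($(i + 1)) }' | sort -u
}

# For each one-line "deb"/"deb-src" entry on stdin print "<keyring><TAB><uri>".
# <keyring> is the signed-by value, or GLOBAL when the option is absent, i.e.
# the entry accepts any key in /etc/apt/trusted.gpg and trusted.gpg.d/.
source_keyrings() {
    awk '$1 == "deb" || $1 == "deb-src" {
        keyring = "GLOBAL"; uri = $2
        if ($2 ~ /^\[/) {                 # options block: [k=v k=v ...]
            for (i = 2; i <= NF; i++) {
                opt = $i; sub(/^\[/, "", opt); sub(/\]$/, "", opt)
                if (opt ~ /^signed-by=/) keyring = substr(opt, 11)
                if ($i ~ /\]$/) { uri = $(i + 1); break }
            }
        }
        print keyring "\t" uri
    }'
}

# URIs of entries that rely on the global trust store.
unpinned_sources() {
    source_keyrings | awk -F '\t' '$1 == "GLOBAL" { print $2 }'
}

# "--audit" runs against the real one-line sources files; deb822 .sources
# files use a different format that this parser does not read.
if [ "${1:-}" = "--audit" ]; then
    cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | source_keyrings
fi
```

Entries reported as GLOBAL are the ones for which a key in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/ is accepted regardless of which repository it was added for.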



© IT-LINUXMAKER 2025