175

When performing apt-get update, I get the following error:

root@ADS3-Debian6:/home/aluno# apt-get update
Atingido http://sft.if.usp.br squeeze Release.gpg
Ign http://sft.if.usp.br/debian/ squeeze/contrib Translation-en
Ign http://sft.if.usp.br/debian/ squeeze/contrib Translation-pt
Ign http://sft.if.usp.br/debian/ squeeze/contrib Translation-pt_BR

(...)

Obter:10 http://security.debian.org squeeze/updates/non-free i386 Packages [14 B]
Baixados 612 kB em 4s (125 kB/s)                    
Lendo listas de pacotes... Pronto
There is no public key available for the following key IDs: 8B48AD6246925553
  • 2
    ... and that string you elided is an important bit. It'd let us identify which keys you're missing (assuming installing the keyring packages—preferably from trusted media—that ruda suggested doesn't help) – derobert May 14 '13 at 17:43

11 Answers

232

The other answers will work, or not, depending on whether or not the key '8B48AD6246925553' is present in the packages they indicate.

If you need a key, you have to get that key, and the place to find it is a key server (very probably any key server will do):

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
mariotomo
  • 2,745
  • This worked for me too and not other answers here.. – Sai Kiran Apr 28 '16 at 04:54
  • 10
    Is there any way to determine if the received key is legit such that I can do such a dangerous operation like adding global apt-trust to some arbitrary key? Is there any way to check the credibility of the key after it was received? Which are the steps to perform to do the key verification? For example, the only thing you have is https://ftp-master.debian.org/keys/ziyi_key_2002.asc so how do you get to the most current key without breaking the trust chain? – Tino May 13 '16 at 09:22
  • Good answer that worked for Debian 7 (Wheezy). I was getting an error similar to the OP's, except the key was 1397BC53640DB551. I tried using what I thought was a Debian key server (keyring.debian.org) with no joy. The keyserver.ubuntu.com key server worked a treat! – Digger Aug 03 '16 at 18:12
  • Why bother with adding a key, if I can just add APT::Get::AllowUnauthenticated "true"; to /etc/apt/apt.conf.d/? For those who don't want to give up on key checks, see the other answer. – x-yuri Jul 08 '19 at 18:24
  • FYI the key you mention in this answer expired yesterday. – Frank Bryce Apr 27 '20 at 02:17
  • @FrankBryce so the answer of mario does not count anymore? – Timo Apr 25 '21 at 14:10
  • This didn't work for me, still got 'No keyserver available'. I had to use the full URL, i.e., hkp://keyserver.ubuntu.com:80 – jcomeau_ictx Jan 23 '23 at 00:36
79

I recommend that you follow @mariotomo's answer rather than the steps below!


According to There is no public key available for the following key ID, this will fix it:

sudo aptitude install debian-archive-keyring

References

  • The last 8 hex digits are shared with this, so it's probably complaining about wheezy. Unfortunate of the OP to have elided that: pub 4096R/46925553 2012-04-27 [expires: 2020-04-25] uid Debian Archive Automatic Signing Key (7.0/wheezy) ftpmaster@debian.org – Martin Dorey Jun 02 '13 at 00:56
  • 5
    Is debian-keyring really needed? It worked out for me with just debian-archive-keyring. – x-yuri Oct 05 '15 at 15:24
  • Not surprisingly, different hex numbers may require different solutions. I put quotation marks around the number in my Google search, to force a verbatim search for that number, and I landed at this page, which fixed my problem: https://www.reddit.com/r/linux4noobs/comments/4grdo7/an_error_occurred_w_there_is_no_public_key/ (@mariotomo's answer may have worked too—I didn't try) – Michael Scheper Apr 30 '16 at 13:29
  • debian-keyring is not needed. – x-yuri Oct 04 '19 at 14:47
48

I recommend:

$ sudo apt-get install debian-archive-keyring
$ sudo apt-key update

This is better than other approaches because it does not install debian-keyring, which is big and 99% of the time unnecessary.

GAD3R
  • 66,769
  • 1
    This was all I needed - worked great for me! – harperville Nov 20 '15 at 19:53
  • Works like a charm! – Wilbeibi Jul 20 '17 at 23:37
  • 1
    This was the better solution for me as it fits in with a Docker container better. However note that (at least in Docker) you have to install only this package first, then do a second apt-get update, then install the packages you really want. – Malvineous Oct 06 '17 at 03:40
  • 3
    Debian 10: Warning: 'apt-key update' is deprecated and should not be used anymore! Note: In your distribution this command is a no-op and can therefore be removed safely – ᴍᴇʜᴏᴠ Sep 30 '19 at 12:39
  • 2
    In fact, you may need to install debian-archive-keyring even if you have debian-keyring installed on its latest version – Ángel Oct 04 '19 at 22:53
19

The error There is no public key available for the following key IDs indicates a serious security issue: an operating-system package cannot be checked for integrity with its public key, because its public key is missing.

If the message were:

There is no public key available for the following key IDs: 1397BC53640DB551

You can use this command to find out which repository uses the key:

for n in /var/lib/apt/lists/*gpg; do echo "$n"; gpg --list-packets "$n" | grep 1397BC53640DB551; done

Which in this example is Google's repository for Chrome:

/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg

If you trust Google, its government, etc., you should find out where the key is and add it with:

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | apt-key add -
Ivan Ogai
  • 416
  • 1
    Fixed for me :) Thank you! But just curious, what was wrong? What does the first command do, and what does the second one do? Should this solve all problems? My issue was also with Google Chrome. – Rohan May 02 '16 at 02:33
  • And does the first command change anything with gpg? It says it created some conf file gpg.conf, and I do not know if I want that. – Rohan May 02 '16 at 02:39
  • 1
    The first does search for the key in your list of packets to see the offending packet. The second one downloads the key and add it to your system. The first command is not useful in this case, but it's good as a general approach. – Marco Sulla May 10 '16 at 22:04
5

I faced the same problem in Linux Mint (Kernel Version 3.13.0-24) and I was able to solve it using the commands:

gpg --recv-keys <the-reported-key>

gpg --export <the-reported-key> | apt-key add -

Points to be noted:

1) The commands were executed in order

2) The commands were executed as root user

Courtesy this answer.

1

My answer is a slight upgrade (IMHO, YMMV) on @mariotomo (who I upvoted) in the following bash scriptlet

  • also uses gpg
  • parameterizes more
  • (also uses a different keyserver, though in this case I suspect it makes little difference)

You can also comment-out the eval line for a "dry-run": the scriptlet will then only show you what it intends to do, without actually doing it. Just be sure to change the value of NO_PUBKEY every time you use this (you can also change KEYSERVER as desired):

NO_PUBKEY='1397BC53640DB551' # CHANGE TO THE VALUE CITED IN YOUR ERROR MESSAGE!
KEYSERVER='keys.gnupg.net'

NO_PUBKEY_LEN="${#NO_PUBKEY}"
echo "NO_PUBKEY_LEN='${NO_PUBKEY_LEN}'"     # for sanity or debugging
# note following works because bash arrays have 0-based indices
NO_PUBKEY_2ND_HALF_START=$(( NO_PUBKEY_LEN/2 ))
echo "NO_PUBKEY_2ND_HALF_START='${NO_PUBKEY_2ND_HALF_START}'" # ditto
NO_PUBKEY_2ND_HALF="${NO_PUBKEY:${NO_PUBKEY_2ND_HALF_START}}"
echo "NO_PUBKEY_2ND_HALF='${NO_PUBKEY_2ND_HALF}'"             # ditto

for CMD in \
  'date' \
  "gpg --keyserver ${KEYSERVER} --recv-keys ${NO_PUBKEY_2ND_HALF}" \
  'date' \
  "gpg -a --export ${NO_PUBKEY_2ND_HALF} | sudo apt-key add -" \
; do
  echo -e "${CMD}"
  eval "${CMD}"
done
TomRoche
  • 1,285
1

Run killall -q gpg-agent if the other solutions do not work. It may work.

I was getting a similar error for a PPA repository on Ubuntu 18.04 and after trying various solutions on the internet for the last month, I just stumbled on the gpg-agent and killed it. Then the PPA repositories started to update on doing sudo apt-get update. I know it may compromise security, but sometimes you need a package from a PPA, and GPG just doesn't let you. Later, you start the gpg-agent again, and things go back to normal.

Edward
  • 2,509
MSharq
  • 21
1

Most answers here use:

sudo apt-key update

Which is now deprecated due to security issues, because adding a key directly to /etc/apt/trusted.gpg.d is considered insecure: it trusts the key for all repositories, including official ones.

Here's a simplified version of what you can do:

  1. Create a Keyring Directory: Start by creating a directory for storing PGP keys. You can do this with the following command:

    sudo mkdir -m 0755 -p /etc/apt/keyrings/
    
  2. Download and Store the Key: Download the key from the specified URL and save it in the keyring directory. Use this command:

    wget -O- https://example.com/EXAMPLE.gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/EXAMPLE.gpg > /dev/null
    sudo chmod 644 /etc/apt/keyrings/EXAMPLE.gpg
    
  3. Update the Source List File: Now, you need to update the source list file to reference the key you just added. Locate the appropriate file in /etc/apt/sources.list.d/ and edit it to include the following line:

    deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
    
  4. Optional Key Removal: If a key was previously added using apt-key, it can be removed. You can list all keys with sudo apt-key list and remove the desired key using sudo apt-key del <key_id>; this works even though apt-key is deprecated.

This approach enhances security by isolating keys to specific repositories, reducing the risk of unauthorized modifications.

I simplified it; if you want further reference, there you go: here.
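
An added example, not part of the answer above: the download step only becomes a trust decision once the key's fingerprint is compared with one obtained from the repository owner over a separate channel, which is what the comment under the first answer asks about. The helper names (fingerprints_from_colons, key_matches, install_repo_key), the /tmp path and the sample record are assumptions constructed for illustration; it needs a GnuPG that supports --show-keys.

```shell
#!/bin/sh
# Added example: pin a repository key to a known fingerprint before it is
# written to /etc/apt/keyrings. Helper names are hypothetical.

# Constructed sample of `gpg --show-keys --with-colons` output (not a real key).
SAMPLE_COLONS='pub:-:4096:1:AAAABBBBCCCCDDDD:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1600000000::0000::Example Repo Key (constructed)::::::::::0:
sub:-:4096:1:1111222233334444:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:'

# Print the fingerprint of every primary key in colon-format input on stdin:
# the first "fpr" record after each "pub" record (subkey fingerprints skipped).
fingerprints_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# key_matches EXPECTED_FPR: succeed only if stdin describes exactly one primary
# key whose fingerprint equals EXPECTED_FPR (spaces and letter case ignored).
key_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(fingerprints_from_colons)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# install_repo_key KEYFILE EXPECTED_FPR DEST: dearmor KEYFILE into DEST only
# when the fingerprint check passes; a file bundling extra keys is rejected.
install_repo_key() {
    if ! gpg --show-keys --with-colons "$1" | key_matches "$2"; then
        echo "fingerprint mismatch: not installing $1" >&2
        return 1
    fi
    gpg --dearmor < "$1" | sudo tee "$3" > /dev/null && sudo chmod 644 "$3"
}

# Usage (run by hand; fingerprint taken from the repository owner's own page):
#   wget -O /tmp/EXAMPLE.asc https://example.com/EXAMPLE.gpg
#   install_repo_key /tmp/EXAMPLE.asc '<EXPECTED-FINGERPRINT>' /etc/apt/keyrings/EXAMPLE.gpg
```

Comparing the full 40-digit fingerprint matters here: the 16-digit ID printed in the apt error only identifies which key is missing and is not a sufficient check on its own.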

0

As an alternative:

$ sudo apt-get install debian-keyring debian-archive-keyring
$ sudo apt-key update
slm
  • 369,824
  • 6
    Please don't advertise your blog in your answers. That's what your bio is for. – slm Dec 06 '14 at 02:58
-1

I just ran into this issue while trying to update a desktop box with a horrible case of laziness-induced installation cobwebs, and fixed it by using my web browser to save the latest available version of the debian-archive-keyring package from https://packages.debian.org/sid/debian-archive-keyring into /tmp, then hand-installing it with dpkg -i /tmp/debian-archive-keyring*.deb.

This procedure is very simple, not subject to tampering via MITM attacks, and the download and installation steps can be done on separate machines if the target machine's cobwebs are bad enough to require that.

-2

This worked for me:

Quick remedy:

sudo rm -f /etc/apt/trusted.gpg

(Source)

Jakob
  • 1