61

Adding a gpg key via apt-key systematically fails since I've switched to Ubuntu 17.04 (I doubt it's directly related though). Example with Spotify's repo key:

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886
Executing: /tmp/apt-key-gpghome.wRE6z9GBF8/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886
gpg: keyserver receive failed: No keyserver available

Same thing if I remove the hkp:// prefix.


Context: I use CNTLM to cope with the local corporate proxy. Env variables are set (in /etc/environment):

$ env | grep 3128
https_proxy=http://localhost:3128
http_proxy=http://localhost:3128
ftp_proxy=http://localhost:3128

/etc/apt/apt.conf is configured (apt commands are working fine):

$ cat /etc/apt/apt.conf
Acquire::http::Proxy "http://localhost:3128";
Acquire::https::Proxy "http://localhost:3128";
Acquire::ftp::Proxy "http://localhost:3128";

Finally, the specified keyserver seems reachable:

$ curl keyserver.ubuntu.com:80
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>SKS OpenPGP Public Key Server</title>
  </head>
  <body>
  [...]

What can I do? I'm not even sure how to debug it further...


Things I already tried to do, without any result:

  • run sudo with -E (preserve env) option
  • run apt-key adv with --keyserver-options http-proxy=http://localhost:3128/ option (source)
  • run $ gpg --list-keys for some reason (source)
  • use another keyserver (--keyserver pgp.mit.edu)
  • remove the hkp:// part (--keyserver keyserver.ubuntu.com:80)

Weird thing is that I never see any "cntlm" entry in /var/log/syslog when running apt-key.

Rui F Ribeiro
Anto

4 Answers

83

You usually have a proxy for ftp, http and https; I am seeing hkp:// there as a URL, so it should not be directed via a pure http proxy, hence the communication fails.

Use this instead:

sudo apt-key adv --keyserver keyserver.ubuntu.com --keyserver-options http-proxy=http://localhost:3128 --recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886

As for the system updates, I would advise using an APT proxy, for instance, apt-cacher-ng.

Another way of doing it is to search for the key you want in the public web interface at https://keyserver.ubuntu.com, with a browser, for instance on your workstation.

Open the site, and you get a form. In this case I used the "Search String" "Spotify"; then select "Search"; it will list several keys.

Searching for the signature/fingerprint that you mentioned in the result page:

pub  4096R/D2C19886 2015-05-28            
     Fingerprint=BBEB DCB3 18AD 50EC 6865  0906 13B0 0F1F D2C1 9886 

uid Spotify Public Repository Signing Key <operations@spotify.com>
sig  sig3  D2C19886 2015-05-29 __________ 2017-11-22 [selfsig]
sig  sig   94558F59 2015-06-02 __________ __________ Spotify Public Repository Signing Key <operations@spotify.com>

We see this is the entry that interests us.

So we click on D2C19886 and are presented with a page with the key at https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x13B00F1FD2C19886.

Public Key Server -- Get "0x13b00f1fd2c19886 "

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: keyserver.ubuntu.com
[...]
-----END PGP PUBLIC KEY BLOCK-----

You cut between the line that begins with "-----BEGIN" and the line ending with "-----END", including those lines, and paste it into a file, say spotify.pgp, on the server where you want to import that key. (Do not cut it from here, as I added 4 spaces before each line while formatting.)

Finally, to import the key into the server you do:

$ sudo apt-key add spotify.pgp
OK
Rui F Ribeiro
26

Here is a solution that uses http via curl instead of trying to proxy apt-key or gpg:

curl -sSL \
'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xBBEBDCB318AD50EC6865090613B00F1FD2C19886' \
| sudo apt-key add -

This method should be used instead of the apt-key command line or the http_proxy or https_proxy environment variable settings (which are disabled in the newest versions of apt-key).

Dan Anderson
  • 2
    Thank you so much for this elegant solution to a long lasting error. – user1612798 Dec 08 '20 at 21:35
  • 3
    The only one working for me. Maybe I will put here some additional rambling that developers these days build infrastructure on a very high level of abstraction, requiring from administrators tools which are equivalent to assembler snippets in the developers' screwed world... – kakaz Jan 14 '21 at 07:59
  • 1
    Thanks a lot. For anyone using this - mind the '0x' prepended to the key, it is crucial to find the key using the web api of keyserver.ubuntu.com, without it I kept getting "Not Found". – Yuri Feldman Mar 10 '22 at 11:29
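
Added example, not part of any answer above: both the manual download and the curl pipeline import whatever the keyserver or proxy returns over plain HTTP, so this sketch compares the fetched key's fingerprint with the one from the question before calling apt-key. The function names and the sample listing are constructed for illustration, and it assumes a GnuPG version that provides --show-keys.

```shell
#!/bin/sh
# Added example: check a fetched key's fingerprint before handing it to apt-key.
# Fingerprint taken from the question; function names are hypothetical.
EXPECTED_FPR="BBEBDCB318AD50EC6865090613B00F1FD2C19886"

# Constructed sample of `gpg --with-colons` output (subkey values are made up).
SAMPLE_LISTING='pub:-:4096:1:13B00F1FD2C19886:1432771200:::-:::scESC:
fpr:::::::::BBEBDCB318AD50EC6865090613B00F1FD2C19886:
uid:-::::1432771200::::Spotify Public Repository Signing Key <operations@spotify.com>:
sub:-:4096:1:0123456789ABCDEF:1432771200::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Print the fingerprint of each primary key: the fpr record directly after pub.
# Subkey fingerprints (fpr after sub) are ignored.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" { if (want) print $10; want = 0; next }
        { want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key with fingerprint $1.
# An empty listing or a file carrying extra keys fails the comparison.
check_listing() {
    fprs=$(primary_fingerprints)
    [ -n "$fprs" ] && [ "$fprs" = "$1" ]
}

# Download URL ($1), verify against fingerprint ($2), import only on a match.
fetch_verify_import() {
    tmp=$(mktemp) || return 1
    if curl -sSL "$1" -o "$tmp" &&
       gpg --show-keys --with-colons "$tmp" 2>/dev/null | check_listing "$2"
    then
        sudo apt-key add "$tmp"; rc=$?
    else
        echo "fingerprint check failed, key not imported" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage:
# fetch_verify_import \
#   'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xBBEBDCB318AD50EC6865090613B00F1FD2C19886' \
#   "$EXPECTED_FPR"
```

The expected fingerprint should come from a source other than the keyserver response itself, such as the repository's own installation instructions.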
0

I just add http:// before keyserver.ubuntu.com and it's working for me:

# apt-key adv --keyserver http://keyserver.ubuntu.com 
Paulo Tomé
J D
  • Welcome to the site. Please note that your answer contains the same solution as mentioned by @wisbucky in this comment, so it would be appropriate to address that in your post. – AdminBee Mar 10 '20 at 11:04
-3

You can specify the keyserver as a parameter to add-apt-repository by:

sudo add-apt-repository --keyserver hkps://keyserver.ubuntu.com:443 some_ppa

Outgoing port 443 would not be blocked by the corporate firewall.