2

I am using the instructions linked below to setup apt to install sublime-text. I am intentionally applying the method for connecting to third party repositories described on the Debian and Stackexchange pages, using Sublime as an example of a third party repo.

https://www.sublimetext.com/docs/linux_repositories.html

https://wiki.debian.org/DebianRepository/UseThirdParty

How to add a third-party repo. and key in Debian?

However, when running apt update I am getting the following error regarding the encryption key:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454

This is what I am doing:

Download key, convert key from ascii to binary, and move key to shared location:

curl https://download.sublimetext.com/sublimehq-pub.gpg | gpg --dearmor > ~/Downloads/sublime-keyring.gpg
sudo mkdir -vp /usr/local/share/keyrings/
sudo mv -v ~/Downloads/sublime-keyring.gpg /usr/local/share/keyrings/sublime-keyring.gpg
sudo chown -v root:root /usr/local/share/keyrings/sublime-keyring.gpg
sudo chmod -v 0640 /usr/local/share/keyrings/sublime-keyring.gpg

Create source list:

printf "deb [signed-by=/usr/local/share/keyrings/sublime-keyring.gpg] https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list

Set pinning rules to restrict repo usage:

printf "%s\n" "Package: *" "Pin: origin download.sublimetext.com" "Pin-Priority: 1" "" "Package: sublime-text" "Pin: origin download.sublimetext.com" "Pin-Priority: 500" | sudo tee /etc/apt/preferences.d/sublime-text.pref

Then I run sudo apt update which creates the following output regarding sublime text repo:

Get:1 https://download.sublimetext.com apt/stable/ InRelease [2.536 B]                                                                    
Err:1 https://download.sublimetext.com apt/stable/ InRelease                                                                                     
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454

W: GPG error: https://download.sublimetext.com apt/stable/ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454
E: The repository 'https://download.sublimetext.com apt/stable/ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

When I run with debug for gpg, sudo apt -o Debug::Acquire::gpgv=True update, I get a few more details:

Get:1 https://download.sublimetext.com apt/stable/ InRelease [2.536 B]                                                                   
0% [Waiting for headers] [Waiting for headers]inside VerifyGetSigners                                                                    
Preparing to exec:  /usr/bin/apt-key --quiet --readonly --keyring /usr/local/share/keyrings/sublime-keyring.gpg verify --status-fd 3 /tmp/apt.sig.zwA50y /tmp/apt.data.zbzsmw
Read: [GNUPG:] NEWSIG

Read: [GNUPG:] ERRSIG F57D4F59BD3DF454 1 8 01 1627009220 9 -


Got ERRSIG F57D4F59BD3DF454 !
Read: [GNUPG:] NO_PUBKEY F57D4F59BD3DF454


Got NO_PUBKEY F57D4F59BD3DF454 !
gpgv exited with status 2
Summary:
  Good: 
  Valid: 
  Bad: 
  Worthless: 
  SoonWorthless: 
  NoPubKey: NO_PUBKEY F57D4F59BD3DF454
  Signed-By: 
  NODATA: no
Err:1 https://download.sublimetext.com apt/stable/ InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454


W: GPG error: https://download.sublimetext.com apt/stable/ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454
E: The repository 'https://download.sublimetext.com apt/stable/ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I read this to mean that apt is correctly passing on the location of the key I have downloaded. This could mean that gpg can not read the contents of the key. Or maybe the key was somehow mangled in the dearmoring process and no longer has the contents expected. This is pure guessing on my part.

When I inspect the dearmored key, sudo gpg --show-keys /usr/local/share/keyrings/sublime-keyring.gpg, I get the following, which seems plausibly correct:

pub   rsa4096 2017-05-08 [SCEA]
      1EDDE2CDFC025D17F6DA9EC0ADAE6AD28A8F901A
uid                      Sublime HQ Pty Ltd <support@sublimetext.com>
sub   rsa4096 2017-05-08 [S]

The key is readable, although it does not mention F57D4F59BD3DF454.

So what went wrong? How can I get this to function correctly?

tompi
  • 242

3 Answers3

3

I assumed that all processes reading the public key file would have root access. But it turns out likely not to be the case.

Because setting the permissions to 0640 caused the issues I reported, and setting them to 0644 instead resolved the problems.

The updated command should look as follows:

sudo chmod -v 0644 /usr/local/share/keyrings/sublime-keyring.gpg

With this change, I was able to update and install Sublime Text using the process described in the question.

Vlastimil Burián
  • 28,462
tompi
  • 242
-1

I may be missing something, but I do not think you need to do all the steps with gpg. This line installs the key for my systems:

wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -

It is well documented in the first URL you mention.

Sven
  • 109
  • 1
    I have seen this method widely used, had success with it in the past, and it is the one described in the instructions on the first page linked. So I can understand why you are wondering. I will edit my question to clarify that I am applying the method for connecting to third party repositories described on the second and third page I linked to, using the first page as an example of a repo. Since apt will phase out apt-key, I am trying out this method to get an impression of what an alternative to apt-key looks like, what issues can crop up and how to solve them. – tompi Aug 07 '21 at 20:11
  • 1
    Yes, this method is being deprecated and will not be available beyond Ubuntu22.04. See this useful answer: https://askubuntu.com/a/1307181/435863 – ATutorMe Mar 11 '22 at 00:55
  • Piping to sudo apt-key add - is deprecated as mentioned above. Please rephrase if you are still active. – Vlastimil Burián Jun 10 '23 at 07:00
-4

Editor's Note:

This solution is not a proper answer, or a solution at all. Please refrain from using it please!

i have the same problem, the error display is :

Err:2 https://download.sublimetext.com apt/stable/ InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454

the solution is to add [trusted=yes] option at /etc/apt/sources.list.d/sublime-text.list file:

deb [trusted=yes] https://download.sublimetext.com/ apt/stable/

its not really fix problem the "error key" still displayed but i can do apt-get install sublime-text perfectly.

this the messege i have when run apt update:

apt update                                
Get:2 https://download.sublimetext.com apt/stable/ InRelease [2,536 B]                         
Ign:2 https://download.sublimetext.com apt/stable/ InRelease
Get:3 https://download.sublimetext.com apt/stable/ Packages [6,373 B]
Fetched 6,373 B in 3s (2,482 B/s)    
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1861 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: GPG error: https://download.sublimetext.com apt/stable/ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F57D4F59BD3DF454
Vlastimil Burián
  • 28,462
recatDev
  • 1
  • You could have described your inner intentions better. But as it stands, it is plain wrong method around the issue. – Vlastimil Burián Jun 10 '23 at 06:56
  • 2
    You should absolutely not just add "trusted=yes". Without correct key management and pinning, you are opening up to let third party repos potentially overwrite any package on your system. This is obviously unsafe. The motivation for my original question was to understand a safer way of accessing third party repos. Please don't access third party repos like this. – tompi Jun 11 '23 at 09:46