619

I added some extra repositories with the Software Sources program. But when I reload the package database, I get an error like the following:

W: GPG error: http://ppa.launchpad.net trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8BAF9A6F

I know I can fix it using apt-key in a terminal, according to the official Ubuntu documentation. But I would have liked to do it graphically. Is there a way to do this without using a terminal?

8
  • 1
    Related: askubuntu.com/q/127326/178596
    – Wilf
    Commented Jul 19, 2015 at 20:46
  • 'A mean'? Curious what you meant by that. Commented Sep 13, 2016 at 16:17
  • 1
    You can check this SO thread for solution. Link to related site Commented Oct 6, 2016 at 3:44
  • @MichaelScheper 'Is there a mean[s] to not to open a terminal?' =~ 'Is there a way to do it without a terminal?'
    – Wilf
    Commented Jul 26, 2017 at 0:26
  • @Wilf: Oh! I don't mean to nitpick grammar, but it did confuse me. From the reference I just checked, 'means' is a singular noun, and the one you meant. dictionary.cambridge.org/dictionary/english/means But if you and Agmentor are using some variant form of English where the grammar in the question is correct, I'd love to see a reference to it, just because I'm interested in that sort of thing. ☺ Commented Jul 26, 2017 at 17:35

15 Answers

923

This answer was valid for Ubuntu 20.04 and previous versions. For Ubuntu 20.10 and later versions, see this answer on StackOverflow.

The short version is:

sudo mkdir -m 0755 -p /etc/apt/keyrings/

wget -O- https://example.com/EXAMPLE.gpg |
    gpg --dearmor |
    sudo tee /etc/apt/keyrings/EXAMPLE.gpg > /dev/null
sudo chmod 644 /etc/apt/keyrings/EXAMPLE.gpg

echo "deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" |
    sudo tee /etc/apt/sources.list.d/EXAMPLE.list
sudo chmod 644 /etc/apt/sources.list.d/EXAMPLE.list

# Optional (you can find the email address / ID using 'apt-key list')
sudo apt-key del [email protected]

Original answer:

Execute the following commands in terminal

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <PUBKEY>

where <PUBKEY> is your missing public key for repository, e.g. 8BAF9A6F.

Then update

sudo apt-get update

ALTERNATE METHOD:

sudo gpg --keyserver pgpkeys.mit.edu --recv-key  <PUBKEY>
sudo gpg -a --export <PUBKEY> | sudo apt-key add -
sudo apt-get update

Note that when you import a key like this using apt-key you are telling the system that you trust the key you're importing to sign software your system will be using. Do not do this unless you're sure the key is really the key of the package distributor.

19
  • 16
    You can simply pass NO_PUBKEY value as keys parameter. for example GPG error[...]NO_PUBKEY 3766223989993A70 => sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3766223989993A70 Commented Feb 19, 2014 at 19:40
  • 34
    8BAF9A6F <-- where did you get that number? Commented Mar 9, 2014 at 12:49
  • 18
    The number 8BAF9... is what you see in the original error. It would be something like NO_PUBKEY 8BAF...
    – Alex
    Commented Oct 10, 2014 at 19:56
  • 14
    If someone tampered with data between me and the repository, and substituted stuff they'd signed, this would wind up with me just adding the key they used, more or less blindly. So what's the process to verify that the key is the right one?
    – mc0e
    Commented May 20, 2015 at 15:37
  • 9
    State on 2022.08.28 on jammy: Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    – s.k
    Commented Aug 28, 2022 at 8:39
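
The warning in the answer above, and the comment asking how to verify that a key is the right one, come down to comparing the key's full fingerprint with the one the distributor publishes through a separate channel. The following is an added example, not part of the original answer: the function names are hypothetical, the listing and fingerprint are constructed, and `install_pinned_key` assumes an ASCII-armored key as in the answer's pipeline.

```shell
# Added example: pin an apt repository key by its full fingerprint before
# installing it for use with [signed-by=...].

# Constructed sample of `gpg --show-keys --with-colons` output; not a real key.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Archive Key <archive@example.com>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Read a colon listing on stdin and print primary-key fingerprints only.
# An "fpr" record follows its "pub" or "sub" record; field 10 is the value.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Strip spaces and upper-case a fingerprint as copied from a web page.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Succeed only if stdin lists exactly one primary key whose fingerprint equals
# $1. Returns 2 for anything that is not a full 40-hex (v4) fingerprint,
# because 8- and 16-hex key IDs can be forged.
fpr_matches() {
    _want=$(normalise_fpr "$1")
    printf '%s' "$_want" | grep -Eq '^[0-9A-F]{40}$' || return 2
    [ "$(primary_fprs)" = "$_want" ]
}

# Download, verify, then install as a binary keyring. Needs curl, gpg, sudo.
install_pinned_key() {
    _url=$1 _fpr=$2 _dest=$3
    _tmp=$(mktemp -d) || return 1
    _rc=1
    if curl -fsSL "$_url" -o "$_tmp/key" &&
       gpg --show-keys --with-colons "$_tmp/key" | fpr_matches "$_fpr"; then
        gpg --dearmor < "$_tmp/key" > "$_tmp/key.gpg" &&
            sudo install -D -m 0644 -o root -g root "$_tmp/key.gpg" "$_dest"
        _rc=$?
    else
        echo "download failed or fingerprint mismatch: key NOT installed" >&2
    fi
    rm -rf "$_tmp"
    return "$_rc"
}

# Usage (placeholders from the answer; the fingerprint comes from the distributor):
#   install_pinned_key https://example.com/EXAMPLE.gpg \
#       '<40-hex fingerprint>' /etc/apt/keyrings/EXAMPLE.gpg
```
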
261

By far the simplest way to handle this now is with Y-PPA-Manager (which now integrates the launchpad-getkeys script with a graphical interface).

  1. To install it, first add the webupd8 repository for this program:

    sudo add-apt-repository ppa:webupd8team/y-ppa-manager
    
  2. Update your software list and install Y-PPA-Manager:

    sudo apt-get update
    sudo apt-get install y-ppa-manager
    
  3. Run y-ppa-manager (i.e. type y-ppa-manager then press enter key).

  4. When the main y-ppa-manager window appears, click on "Advanced."

  5. From the list of advanced tasks, select "Try to import all missing GPG keys" and click OK.

    You're done! As the warning dialog says when you start the operation, it may take quite a while (about 2 minutes for me) depending on how many PPA's you have and the speed of your connection.

18
  • 44
    Not really useful in a webserver, as this installs X11. Don't use this method if you're on a server edition, check karthick87's answer! Commented Feb 11, 2016 at 20:13
  • 2
    Does this allow to verify the keys which are imported, or are you simply blindly importing everything (and therefore trusting everyone who has a PPA)? Commented Sep 6, 2016 at 10:36
  • 3
    You're importing (and trusting) the keys for every PPA you've added to your system. The assumption is that you trust those PPA's and have checked them out before you added them via apt.
    – monotasker
    Commented Sep 6, 2016 at 14:25
  • 7
    This answer is easier by far, and actually requires fewer commands than this "graphical" answer.
    – jpaugh
    Commented Jul 27, 2017 at 19:37
  • 2
    But the question asked for a graphical method.
    – monotasker
    Commented Jul 28, 2017 at 22:30
95

It happens when you don't have a suitable public key for a repository.

To solve this problem use this command:

gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv 9BDB3D89CE49EC21

which retrieves the key from ubuntu key server. And then this:

gpg --export --armor 9BDB3D89CE49EC21 | sudo apt-key add -

which adds the key to apt trusted keys.

The solution can be found here & here & here.

7
  • 5
    If the hkp://keyserver.ubuntu.com is not working use this pgpkeys.mit.edu server. Commented Oct 30, 2013 at 10:06
  • 2
    This answer solved my issue with Kylin repository. The sogou pinyin input method added source to my /etc/apt/sources.list.d/ folder, but apparently didn't import gpg key. Good answer , simple and to the point, +1 ! Commented Aug 8, 2016 at 17:09
  • 1
    Thanks! Worked for me to solve php repository issue. Commented Dec 17, 2017 at 17:31
  • 1
    This answer solved my update for http://ppa.launchpad.net/webupd8team/java/ubuntu xenial InRelease
    – mvw
    Commented Feb 21, 2018 at 9:21
  • 2
    Warning: apt-key is deprecated Commented Feb 15, 2023 at 13:27
39

You need to get and import the key.

To get the key from a PPA, visit the PPA's Launchpad page. On every PPA page at Launchpad you will find this link (2), after clicking on 'Technical details about this PPA' (1):

image 1

Follow it and click on the key ID link (3):

image 2

Save the page, this is your key file.


Now it's time to import it:

  • Applications > Software Center,
  • Edit > Software sources...,
  • Enter your password,
  • Go to the Authentication tab and click on Import Key File..., finally
  • Select the saved key file and click on OK.
5
  • 1
    Don't lose your time, see the answer below.
    – Felipe
    Commented Oct 17, 2011 at 9:06
  • 5
    @FelipeMicaroniLalli, the question was how to add a pubkey using the GUI, not the terminal, so this answer was perfect. Commented Jul 30, 2013 at 14:24
  • It's much easier and faster now to do this with y-ppa-manager (also a gui application). See my answer below.
    – monotasker
    Commented Dec 4, 2013 at 15:53
  • 1
    OK, but what if the repository is not an ubuntu ppa. E.g. Intel run their own repository for video hardware drivers at download.01.org
    – mc0e
    Commented May 20, 2015 at 15:39
  • Great step-by-step guide, thanks very much! really helpful for some one who failed to add key via apt-key.
    – Roy Ling
    Commented Nov 10, 2015 at 1:35
22

note: As of recent versions, it is no longer considered good practice to add PPA keys to the keyring. However, I will leave this answer but apt-key is now deprecated so it is recommended we follow different methods for now.

apt can only handle 40 keys in /etc/apt/trusted.gpg.d . 41 keys and you will get the GPG error "no public key found" even if you go through all the steps to add the missing key(s).

Check to see if there are any unused keys in this file from ppa(s) you no longer use. If all are in use, consider removing some ppa(s) along with the corresponding keyfiles in /etc/apt/trusted.gpg.d

Furthermore, using

sudo apt-key adv

is considered a security risk and is not recommended as you are "undermining the whole security concept as this is not a secure way of receiving keys for various reasons (like: hkp is a plaintext protocol, short and even long keyids can be forged, …)". http://ubuntuforums.org/showthread.php?t=2195579

I believe the correct way to add missing keys (for example 1ABC2D34EF56GH78) is

gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv 1ABC2D34EF56GH78
gpg --export --armor 1ABC2D34EF56GH78 | sudo apt-key add -
15
  • 1
    I found it easier to just delete all keys from /etc/apt/trusted.gpg.d and then proceed to accepted answer askubuntu.com/a/386003/284664
    – janot
    Commented Feb 8, 2015 at 18:22
  • 1
    @SebMa no wiki.debian.org/SecureApt
    – mchid
    Commented Mar 27, 2019 at 15:20
  • 3
    Warning: apt-key is deprecated Commented Feb 15, 2023 at 13:28
  • 2
    @DanielAndrzejewski Yes, thank you. I will have to update the answer later. In the meantime, you can follow these instructions as an alternative method of adding a key for a repository. Also, if you do use this other method, remember to delete the corresponding key from your keyring so that the key only applies to the single repository. The reason it is deprecated is because adding the key to your keyring applies the key to all repositories. Adding the key to a single repo in one of your sources.list files only applies to the single repository.
    – mchid
    Commented Feb 17, 2023 at 3:35
  • 1
    @mchid my problem was related to docker-ce and containerd.io packages. Docker-ce was the latest but containerd.io package was version locked to some version not fully compatible with the latest docker-ce. When I removed versionlock and updated containerd.io package the problem got fixed. Commented Mar 1, 2023 at 15:02
13

There is a tiny script packaged in the WebUpd8 PPA which I'll link as a single .deb download so you don't have to add the whole PPA - which automatically imports all missing GPG keys.

Download and install Launchpad-getkeys (ignore the ~natty in its version, it works with all Ubuntu versions from Karmic all the way to Oneiric). Once installed, open a terminal and type:

sudo launchpad-getkeys

If you're behind a proxy, things are a bit more complicated so see this for more info

2
  • 1
    It is indeed the way I do now, since I saw this program presented on your website. Nevertheless, the aim of the question was to know how to do it in a graphical way.
    – Agmenor
    Commented Jun 5, 2011 at 22:34
  • The launchpad-getkeys script is now integrated into the program Y-PPA-manager. launchpad.net/~webupd8team/+archive/y-ppa-manager
    – monotasker
    Commented Dec 4, 2013 at 15:41
8

This error can also occur when the apt list file by the PPA points to a local keyring, like

deb [signed-by=/usr/share/keyrings/SOMETHING.gpg] https://download.something.org/something something/

And while that file may exist on your system (possibly downloaded with a prior command), it may be unreadable due to missing permissions. I just fixed this kind of error by running

chmod 644 /usr/share/keyrings/*

after having fetched the keyring file. The underlying issue was the usage of sudo when I already was root user. Really weird as all of this is root anyway and there was no access permission failure message anywhere... but that fixed it

2
  • 1
    This was also the reason why it wouldn't work for me. The GPG key instructions from Hashicorp do not work on my Ubuntu because the permissions were not set correctly. After chmod, apt finally could read the file.
    – Jodiug
    Commented Jan 18, 2023 at 12:26
  • I had a similar issue where the keyrings directory had incorrect permissions. I fixed it by running sudo chmod 755 /etc/apt/keyrings.
    – Minding
    Commented Oct 29, 2023 at 10:08
6

I faced the same issue while installing Heroku. The link below solved my problem -

http://naveenubuntu.blogspot.in/2011/08/fixing-gpg-keys-in-ubuntu.html

After fixing the NO_PUBKEY issue, the below issue remained

W: GPG error: xhttp://toolbelt.heroku.com ./ Release: The following signatures were invalid: BADSIG C927EBE00F1B0520 Heroku Release Engineering <[email protected]>

To fix it I executed the following commands in terminal:

sudo -i  
apt-get clean  
cd /var/lib/apt  
mv lists lists.old  
mkdir -p lists/partial  
apt-get clean  
apt-get update  

Source - Link to solve it

1
  • I'm still getting same error, GPG error: http://download.opensuse.org/repositories/home:/colomboem/xUbuntu_16.04 Release: The following signatures were invalid: Commented Apr 13, 2020 at 8:58
6

Make sure you have apt-transport-https installed:

dpkg -s apt-transport-https > /dev/null || bash -c "sudo apt-get update; 
sudo apt-get install apt-transport-https -y" 

Add repository:

curl https://repo.skype.com/data/SKYPE-GPG-KEY | sudo apt-key add - 
echo "deb [arch=amd64] https://repo.skype.com/deb stable main" | sudo tee /etc/apt/sources.list.d/skype-stable.list 

Install Skype for Linux:

sudo apt-get update 
sudo apt-get install skypeforlinux -y

Source: https://community.skype.com/t5/Linux/Skype-for-Linux-Beta-signatures-couldn-t-be-verified-because-the/td-p/4645756

5

More generally, the following method should work for every repository. First of all search, with eventual help of a search engine, for a text on the program provider's website looking like the following:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)
[...]
-----END PGP PUBLIC KEY BLOCK-----

Such a text is for example displayed on http://deb.opera.com. Copy the passage, paste it in an empty file that you create on your desktop. This results in the key file.

Then continue with the importation of the key:

  • Applications > Software Center
  • Edit > Software sources..., enter password
  • Authentication tab, click on 'Import Key File...'
  • Select the saved key file and click on 'Ok'.

You may now remove the previously created key file.

0
2

Updated version (Ubuntu 22.04 LTS)

Because apt-key is deprecated now, and you want to use /etc/apt/trusted.gpg.d/, you can use

sudo gpg --keyserver pgpkeys.mit.edu --recv-key <PUBKEY>
sudo mkdir -p /etc/apt/keyrings/
sudo gpg --output /etc/apt/keyrings/<your-keyfile-name>.gpg --export <PUBKEY>
# now go to your /etc/apt/sources.list.d/<source definition list file>, and 
# add [signed-by=/etc/apt/keyrings/<your-keyfile-name>.gpg] between deb and url like this:
# deb <add here> https://...

<PUBKEY> is the 8 character fingerprint like 210976F2 and <target name> is a name of your choice by which you will know that key.

EDIT: Updated for more security, taken from a lengthy answer

1
2

Good! I finally found the way!

I've tested all methods to fix GPG error NO_PUBKEY and nothing worked for me.

I've deleted the entire contents of the folder /etc/apt/trusted.gpg.d

cd /etc/apt/trusted.gpg.d
sudo rm -R *
sudo apt-get update

And I use the Y-PPA-Manager method because I'm too lazy to create all pubkey's manually (too many): http://www.unixmen.com/fix-w-gpg-error-no_pubkey-ubuntu/

run sudo apt-get update again and finally everything works great now! Thanks!

Based Source : post #17 on https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1263540

4
  • This was the only thing that worked for me too. Presumably a corrupted keyfile somewhere?
    – donnek
    Commented Apr 3, 2018 at 7:33
  • this even raises more errors. Not good ans
    – NMukama
    Commented Aug 29, 2021 at 6:05
  • I confirm, it generates more errors Commented Dec 3, 2022 at 23:47
  • 1
    This doesn't work and the second line is dangerous and should be handled with care. Commented Jan 15, 2023 at 18:02
0

I had the same problem with DynDNS's Updater client.

Turns out it was just expired keys.

Reinstalling the software (downloading a new .deb from the website, then using Software Centre to reinstall) fixed the problem.

Error message for reference:

W: GPG error: http://cdn.dyn.com stable/ Release: The following signatures were invalid: KEYEXPIRED 141943.......
0

2021 August. This is what worked for me.

cd /etc/apt/trusted.gpg.d
sudo rm -R *
sudo apt-get update

The last line will raise errors of missing keys.

What you'd then have to do is manually install each of the keys listed in the errors for example if the error is saying that your missing PUB_KEY is 9BDB3D89CE49EC21,

You can manually add the Key with the command sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9BDB3D89CE49EC21

Re-run sudo apt-get update

Repeat the process for the new key raised in the error

Say if the new key was 3BDB3D89CE49EC24, Just Manually add the Key with the command sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3BDB3D89CE49EC24

Re-run sudo apt-get update and repeat the process until all the errors are gone.

Then go back to the package site you were trying to install and repeat the installation process.

For my case, the error was coming while I tried installing Sublime Text. Doing the above and returning to the Sublime installation guide here solved the issues.

Don't forget to upvote if this works for you. And it must do

0

It is always a good idea to check who is signing the repository by inspecting the offending file(s) in /etc/apt/sources.list.d. For example, examining the mysql.list file, it shows where the key is stored

### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out entries below, but any other modifications may be lost.
# Use command 'dpkg-reconfigure mysql-apt-config' as root for modifications.
deb [signed-by=/usr/share/keyrings/mysql-apt-config.gpg] http://repo.mysql.com/apt/ubuntu/ jammy mysql-apt-config
deb [signed-by=/usr/share/keyrings/mysql-apt-config.gpg] http://repo.mysql.com/apt/ubuntu/ jammy mysql-8.0
deb [signed-by=/usr/share/keyrings/mysql-apt-config.gpg] http://repo.mysql.com/apt/ubuntu/ jammy mysql-tools
#deb [signed-by=/usr/share/keyrings/mysql-apt-config.gpg] http://repo.mysql.com/apt/ubuntu/ jammy mysql-tools-preview
deb-src [signed-by=/usr/share/keyrings/mysql-apt-config.gpg] http://repo.mysql.com/apt/ubuntu/ jammy mysql-8.0

As you can see, the key is stored in /usr/share/keyrings/mysql-apt-config.gpg. At this point you can download the new offending key in the proper place

gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys [OFFENDING KEY] && rm /usr/share/keyrings/mysql-apt-config.gpg && gpg  --output /usr/share/keyrings/mysql-apt-config.gpg --export [OFFENDING KEY]

eventually leaving away the rm /usr/share/keyrings/mysql-apt-config.gpg part if you don't have the key
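
Two answers above point at the same check: the one about keyring files that exist but are unreadable, and the one about inspecting `signed-by` entries in /etc/apt/sources.list.d. The following is an added example, not code from either answer, that lists every keyring referenced by active `deb` lines and reports why apt's unprivileged `_apt` user might fail to use it. The function names are hypothetical, and only one-line-style `.list` files are handled, not deb822 `.sources` files.

```shell
# Added example: audit the keyrings named in [signed-by=...] options.

# Print every keyring path referenced by signed-by on active deb/deb-src
# lines of the .list files given as arguments. Commented lines, lines without
# the option, and fingerprint-valued signed-by entries are skipped.
signed_by_paths() {
    sed -n -E \
      's/^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*signed-by=([^] ]+).*/\2/p' \
      "$@" | tr ',' '\n' | grep '^/' | sort -u
}

# Classify one keyring path by its mode bits, independent of who runs the
# check: apt verifies signatures as the unprivileged _apt user, so the file
# needs o+r (e.g. chmod 644) and its directory o+x (e.g. chmod 755).
keyring_status() {
    _p=$1
    [ -e "$_p" ] || { echo missing; return; }
    [ -s "$_p" ] || { echo empty; return; }
    case $(ls -ldL "$_p" | cut -c8) in
        r) ;;
        *) echo unreadable; return ;;
    esac
    case $(ls -ldL "$(dirname "$_p")" | cut -c10) in
        x|t) ;;
        *) echo dir-not-searchable; return ;;
    esac
    # A .gpg keyring must be binary; armored keys need --dearmor or .asc.
    case $_p in
        *.gpg)
            if head -n 1 "$_p" 2>/dev/null | grep -q '^-----BEGIN PGP'; then
                echo armored-in-gpg; return
            fi ;;
    esac
    echo ok
}

# Print "status<TAB>path" for every keyring referenced by the given files.
audit_sources() {
    signed_by_paths "$@" | while IFS= read -r _k; do
        printf '%s\t%s\n' "$(keyring_status "$_k")" "$_k"
    done
}

# Usage: audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
```
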
