apt breaks with "no public key available" on clean Stretch

[Meowbay]

Did smooth pre-upgrade checks of everything when I wanted to up a server from jessie to stretch. Among others I checked https://www.howtoforge.com/tutorial/how ... 9-stretch/ and all looked fine to me.
Only to find that after changing the sources.list to stretch

Code: Select all

sed -i 's/jessie/stretch/g' /etc/apt/sources.list

and doing an apt dist-upgrade, it hammered me with warnings about systemd not being able to do things. Weird shutdown notices after each shell command. Found out I was not alone with that, I tried

Code: Select all

apt-get -f install

but that gave me the same errors. Then found some advice about it in the debian mailing lists, I had to force install systemd anew, apparently something silently removed systemd during the upgrade! I'm 100% that I wasn't prompted on that. Found that a developers issue had been opened on that 2 years ago, but it was closed because users could not provide backup of apt status before the dist-upgrade. (Strange, by the way, to just close an important bug like that. Must have been hundreds that have had this error during Jessie to Stretch upgrades..) So anyway, I had to do

Code: Select all

dpkg -i --force-breaks /var/cache/apt/archives/systemd_232-25+deb9u1_amd64.deb

which at least fixed that problem.

Then, after all had been upgraded, I rebooted the machine, and tried to do an apt-get update to see if there was anything left to do.

Code: Select all

~# apt-get update
Ign:1 http://deb.debian.org/debian stretch InRelease
Get:2 http://security.debian.org/debian-security stretch/updates InRelease [63.0 kB]
Get:3 http://deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Hit:4 http://deb.debian.org/debian stretch Release
Ign:3 http://deb.debian.org/debian stretch-updates InRelease
Ign:2 http://security.debian.org/debian-security stretch/updates InRelease
Fetched 154 kB in 0s (352 kB/s)
Reading package lists... Done
W: http://deb.debian.org/debian/dists/stretch-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925543 NO_PUBKEY 7638D0452B90D010
W: The repository 'http://deb.debian.org/debian stretch-updates InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://security.debian.org/debian-security/dists/stretch/updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://security.debian.org/debian-security stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C904 NO_PUBKEY 8B48AD6246925543
W: The repository 'http://security.debian.org/debian-security stretch/updates InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://deb.debian.org/debian/dists/stretch/Release.gpg: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.

Seemed that something altered permissions of trusted.gpg file. I changed it and then still got:

Code: Select all

Reading package lists... Done
W: GPG error: http://security.debian.org/debian-security stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C904 etc.

I tried about all I could find that could possibly solve this, but thus far, none of the 'solutions' worked for my instance.
https://lists.debian.org/debian-user/20 ... 00218.html
https://lists.debian.org/debian-user/20 ... 00467.html
https://unix.stackexchange.com/question ... get-update
http://forums.debian.net/viewtopic.php?t=134409

And when I tried adding the keys:

Code: Select all

~# gpg --keyserver pgpkeys.mit.edu --recv-key 9D6D8F6BC857C904
gpg: keyserver receive failed: No keyserver available

and even

Code: Select all

~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C904
Executing: /tmp/apt-key-gpghome.IE7k8VUf5W/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C904
gpg: keyserver receive failed: No keyserver available

What the hell? I then found that maybe DNS is not being resolved correctly by this command (hurray for systemd, NOT) which is strange, since all else is resolving just fine on this machine.
And I'm pretty much stuck here now.

Looks like the NO_PUBKEY error is pretty common. This should be at the top of debian bug priority lists, i.m.o., since it breaks auto updates, security updates etc. I'm by no means a newbie in debian or linux, but this is hard to solve.
For the life of me I don't understand why debian does not allow for a force install of everything related to package management, with all the tools and options available, I have yet to find a way to do it. This should really be an option, to do apt reinstall and then have it clean up everything, and generate keys and put in all defaults (based on geo-location), without having to do stuff like:

Code: Select all

~# apt-get remove debian-keyring debian-archive-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  distro-info-data libapt-inst2.0 libapt-pkg-perl lsb-release python-apt python-apt-common python3-apt
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  apt apt-listchanges apt-show-versions apt-utils cron-apt debian-archive-keyring debian-keyring debian-ports-archive-keyring tasksel tasksel-data unattended-upgrades webmin
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  apt debian-archive-keyring (due to apt)
0 upgraded, 0 newly installed, 12 to remove and 0 not upgraded.
After this operation, 210 MB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?]

which is what I'm considering right now.
Anyone know what else to do, other than driving to the datacenter, rm -f all and install Stretch from a USB stick?

[Meowbay]

OK, I totally forgot about another server that runs Debian 9.4 already (was installed using a VM image for some ISP), so I killed the /etc/apt dir on this machine, rsynced /etc/apt/ from that working debian 9.4 server, put it in place of the old /etc/apt/, ran apt update et voila: It works!

So basically, the solution is to grab a functional /etc/apt/ from a machine with similar specs (amd64, in my case), check if the sources.list and repos are the defaults.

[Head_on_a_Stick]

https://www.howtoforge.com/tutorial/how ... -9-stretch

^ That guide is shite[1], restore your backup and try again with the official documentation:

https://www.debian.org/releases/stable/ ... ng.en.html

[1] Disclaimer: I haven't read it

[sunrat]

https://www.howtoforge.com/tutorial/how ... -9-stretch

^ That guide is shite[1], restore your backup and try again with the official documentation:

https://www.debian.org/releases/stable/ ... ng.en.html

[1] Disclaimer: I haven't read it

I read it. The Howtoforge page is very basic compared to the official guide and skips a lot of things to consider which may not be applicable to all systems. Particularly things like Perl and PostgresSQL incompatibilities and the deprecation of FTP: repo access.
Especially this page should be read carefully:
https://www.debian.org/releases/stable/ ... on.en.html