[Solved] NO_PUBKEY error.

Kernels & Hardware, configuring network, installing services

[Solved] NO_PUBKEY error.

Postby Emperor Penguin » 2017-06-22 09:20

I've just installed Debian 9 ( clean install, no upgrade from 8 ) and I get these errors (NO_PUBKEY) from Synaptic about keys missing. I haven't added any third-party repositories. How can I add the stretch keys to debian 9? Also, how can I see what keys are already installed and if they belong to debian 9 or to the previous versions?
Code: Select all
GPG error: http://security.debian.org stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553The repository 'http://security.debian.org stretch/updates InRelease' is not signed.Updating from such a repository can't be done securely, and is therefore disabled by default.See apt-secure(8) manpage for repository creation and user configuration details.The repository 'http://deb.debian.org/debian stretch/updates Release' does not have a Release file.Updating from such a repository can't be done securely, and is therefore disabled by default.See apt-secure(8) manpage for repository creation and user configuration details.An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY CBF8D6FD518E17E1 NO_PUBKEY EF0F382A1A7B6500
Last edited by Emperor Penguin on 2017-06-22 17:48, edited 1 time in total.
Emperor Penguin
 
Posts: 95
Joined: 2011-02-25 13:40

Re: NO_PUBKEY error.

Postby Emperor Penguin » 2017-06-22 15:56

After many hours of searching I finally managed to remedy the problem. I've fount the missing keys from public key-servers and I added them using synaptic. From the menu: "Settings > Repositories" , in the Authentication Tab, I added them one by one. I don't know if this is the proper way to add keys systemwide but that worked. Does anyone know what the default repositories on a clean Debian 9 installation are? I mean the default sources.list file?
Emperor Penguin
 
Posts: 95
Joined: 2011-02-25 13:40

Re: [Solved] NO_PUBKEY error.

Postby Emperor Penguin » 2017-06-23 08:31

I've found a better solution. Instead of searching the web for the keys, a better solution turned out to be to just reinstall the debian-archive-keyring package. This package contains the GnuPG archive keys of the Debian archive.
Emperor Penguin
 
Posts: 95
Joined: 2011-02-25 13:40

Re: [Solved] NO_PUBKEY error.

Postby luedtke » 2017-08-12 20:06

I would rather not declare this issue as "solved" but call it critical.

Once your Debian installation is in a state where "Updating from such a repository can't be done securely", it is not safe to reinstall the debian-archive-keyring package. Such a step may eliminate the NO_PUBKEY error, but the fresh keys may be corrupted, since the signature of the package cannot be verified.

There must be a difference between the "reinstalled" and the original debian-archive-keyring package. Otherwise the NO_PUBKEY error would not be solved. What, the hell, makes the difference?

I am severely puzzled by the fact that this issue is not discussed more seriously, even though the relatively high number of reads indicates that many people are affected. The chain of trust in the origin of Debian packages is definitely broken.
luedtke
 
Posts: 4
Joined: 2017-08-12 19:39

Re: [Solved] NO_PUBKEY error.

Postby Lysander » 2017-08-15 17:22

luedtke wrote:I am severely puzzled by the fact that this issue is not discussed more seriously, even though the relatively high number of reads indicates that many people are affected.


It indicates that a large number of people have read the thread, certainly. Maybe those who had the issue were able to sort it out for themselves like the OP did, from the tens of thousands of search results one can generate through Google by searching "NO_PUBKEY Debian" or "NO_PUBKEY Linux".

luedtke wrote:The chain of trust in the origin of Debian packages is definitely broken.


For all users? This sounds like quite a dramatic statement. Seeing as you are the same poster who didn't know how to edit sources.list [or search the Debian wiki], I'm not sure how seriously I can such take a comment. I'd be interested to know others' thoughts.
User avatar
Lysander
 
Posts: 280
Joined: 2017-02-23 10:07
Location: London

Re: [Solved] NO_PUBKEY error.

Postby kopper » 2017-08-16 04:18

Lysander wrote:For all users? This sounds like quite a dramatic statement.

My initial thought was that this was concerning the users who are reading this thread and thus "affected". A bit long fetched conclusion of course.

luedtke wrote:The chain of trust in the origin of Debian packages is definitely broken.

Chain of trust is broken when user has to download keys from external sources, if you consider your trust to your system provided keys is ultimate. You could also compare keys with fresh install to verify whether you've got the right ones, before adding them to your keyring. Ultimately, unless you verify ISO checksums from multiple sources before OS installation and ensure that all keys ever updated to your system are actually the ones they are advertised to be, you may have non-authentic/fabricated keys at your disposal. And you can't be sure even then, if you're not checking regularly. Chain of trust is of course an important concept, but trust is a fickle thing. In this case, user is most likely in no risk at all since he/she presumably hasn't edited sources list to reinstall debian-archive-keyring and even if he had, it's unlikely that malicious repository would have same package "waiting for someone to fix they're keyring" (well, technically a minor risk). At least based on my understanding of how package management works. I hope this disclaimer is enough to pass the post-history checkup. :D Which leads me to my last OT point.

Lysander wrote:Seeing as you are the same poster who...

Personally, I find this unnecessary while I understand your point. However, people have different expertise and knowing about how chain of trust works (theoretically as it may be) is in different domain with knowing how to edit your sources list. There are lot of professional people who are not technically savvy. Comments like these make me think of recent US Department of Justice warrant which requested browsing information of over 1m person vising certain anti-Trump website.

EDIT: For better readability and clarifications.
Last edited by kopper on 2017-08-16 08:47, edited 3 times in total.
Debian 9 with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 48
Joined: 2016-09-30 14:30

Re: [Solved] NO_PUBKEY error.

Postby dasein » 2017-08-16 04:37

Lysander wrote:I'd be interested to know others' thoughts.

Anyone who imagines that software is the primary attack vector on their machines (or others') has neither read the Snowden documents nor followed the computer news of the last 10 years.

The only folks who are 'safe' are those who design, engineer, and fabricate their own hardware, and then write their own OS from scratch, using a compiler they also built from scratch.

For the rest of us, prudence is wise, but paranoia is disabling.

Afterthought: Lysander's other point is quite correct. Read-count is nowhere close to a valid surrogate for "number of people affected." In the case of this particular thread, the read count mostly shows that the thread is two months old.

P.S. The edits to the post immediately above this one have nothing to do with "readability and clarifications." S/he is trying to fundamentally change what s/he said, presumably in an effort to seem less paranoid. Posters engaging this in-duh-vidual in the future would be wise to "full quote" him/her.
Last edited by dasein on 2017-08-16 22:56, edited 1 time in total.
User avatar
dasein
 
Posts: 7771
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: [Solved] NO_PUBKEY error.

Postby luedtke » 2017-08-16 22:31

I would like to hear from someone, who "reinstalled" the original debian-archive-keyring package an thus avoided the NO_PUBKEY-error:
    What is the difference between the original and the "reinstalled" package?
    Which of both is more trustworthy?
    Why should the warning issued by Synaptic ("cannot be done securely") not apply to the reinstall?"
As long as these questions are not answered, I don't regard the issue as "solved".
luedtke
 
Posts: 4
Joined: 2017-08-12 19:39


Return to System configuration

Who is online

Users browsing this forum: No registered users and 7 guests

fashionable