[Solved] NO_PUBKEY error.


Post by Emperor Penguin » 2017-06-22 09:20

I've just installed Debian 9 (clean install, no upgrade from 8) and I get these errors (NO_PUBKEY) from Synaptic about keys missing. I haven't added any third-party repositories. How can I add the stretch keys to Debian 9? Also, how can I see what keys are already installed and if they belong to Debian 9 or to the previous versions?
Code:
GPG error: http://security.debian.org stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
The repository 'http://security.debian.org stretch/updates InRelease' is not signed.
Updating from such a repository can't be done securely, and is therefore disabled by default.
See apt-secure(8) manpage for repository creation and user configuration details.
The repository 'http://deb.debian.org/debian stretch/updates Release' does not have a Release file.
Updating from such a repository can't be done securely, and is therefore disabled by default.
See apt-secure(8) manpage for repository creation and user configuration details.
An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY CBF8D6FD518E17E1 NO_PUBKEY EF0F382A1A7B6500
Last edited by Emperor Penguin on 2017-06-22 17:48, edited 1 time in total.
Emperor Penguin
 
Posts: 95
Joined: 2011-02-25 13:40

Re: NO_PUBKEY error.

Post by Emperor Penguin » 2017-06-22 15:56

After many hours of searching I finally managed to remedy the problem. I've found the missing keys from public key-servers and I added them using Synaptic. From the menu: "Settings > Repositories", in the Authentication tab, I added them one by one. I don't know if this is the proper way to add keys systemwide but that worked. Does anyone know what the default repositories on a clean Debian 9 installation are? I mean the default sources.list file?
Emperor Penguin
 
Posts: 95
Joined: 2011-02-25 13:40

Re: [Solved] NO_PUBKEY error.

Post by Emperor Penguin » 2017-06-23 08:31

I've found a better solution. Instead of searching the web for the keys, a better solution turned out to be to just reinstall the debian-archive-keyring package. This package contains the GnuPG archive keys of the Debian archive.
Emperor Penguin
 
Posts: 95
Joined: 2011-02-25 13:40

Re: [Solved] NO_PUBKEY error.

Post by luedtke » 2017-08-12 20:06

I would rather not declare this issue as "solved" but call it critical.

Once your Debian installation is in a state where "Updating from such a repository can't be done securely", it is not safe to reinstall the debian-archive-keyring package. Such a step may eliminate the NO_PUBKEY error, but the fresh keys may be corrupted, since the signature of the package cannot be verified.

There must be a difference between the "reinstalled" and the original debian-archive-keyring package. Otherwise the NO_PUBKEY error would not be solved. What the hell makes the difference?

I am severely puzzled by the fact that this issue is not discussed more seriously, even though the relatively high number of reads indicates that many people are affected. The chain of trust in the origin of Debian packages is definitely broken.
luedtke
 
Posts: 4
Joined: 2017-08-12 19:39

Re: [Solved] NO_PUBKEY error.

Post by Lysander » 2017-08-15 17:22

luedtke wrote: I am severely puzzled by the fact that this issue is not discussed more seriously, even though the relatively high number of reads indicates that many people are affected.


It indicates that a large number of people have read the thread, certainly. Maybe those who had the issue were able to sort it out for themselves like the OP did, from the tens of thousands of search results one can generate through Google by searching "NO_PUBKEY Debian" or "NO_PUBKEY Linux".

luedtke wrote: The chain of trust in the origin of Debian packages is definitely broken.


For all users? This sounds like quite a dramatic statement. Seeing as you are the same poster who didn't know how to edit sources.list [or search the Debian wiki], I'm not sure how seriously I can take such a comment. I'd be interested to know others' thoughts.
Lysander
 
Posts: 317
Joined: 2017-02-23 10:07
Location: London

Re: [Solved] NO_PUBKEY error.

Post by kopper » 2017-08-16 04:18

Lysander wrote: For all users? This sounds like quite a dramatic statement.

My initial thought was that this was concerning the users who are reading this thread and thus "affected". A bit of a far-fetched conclusion, of course.

luedtke wrote: The chain of trust in the origin of Debian packages is definitely broken.

Chain of trust is broken when a user has to download keys from external sources, if you consider your trust in your system-provided keys to be ultimate. You could also compare keys with a fresh install to verify whether you've got the right ones, before adding them to your keyring. Ultimately, unless you verify ISO checksums from multiple sources before OS installation and ensure that all keys ever updated to your system are actually the ones they are advertised to be, you may have non-authentic/fabricated keys at your disposal. And you can't be sure even then, if you're not checking regularly. Chain of trust is of course an important concept, but trust is a fickle thing. In this case, the user is most likely at no risk at all since he/she presumably hasn't edited the sources list to reinstall debian-archive-keyring, and even if he had, it's unlikely that a malicious repository would have the same package "waiting for someone to fix their keyring" (well, technically a minor risk). At least based on my understanding of how package management works. I hope this disclaimer is enough to pass the post-history checkup. :D Which leads me to my last OT point.

Lysander wrote: Seeing as you are the same poster who...

Personally, I find this unnecessary while I understand your point. However, people have different expertise, and knowing how chain of trust works (theoretical as it may be) is in a different domain from knowing how to edit your sources list. There are a lot of professional people who are not technically savvy. Comments like these make me think of the recent US Department of Justice warrant which requested browsing information of over 1m people visiting a certain anti-Trump website.

EDIT: For better readability and clarifications.
Last edited by kopper on 2017-08-16 08:47, edited 3 times in total.
Debian 9.1 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 59
Joined: 2016-09-30 14:30

Re: [Solved] NO_PUBKEY error.

Post by dasein » 2017-08-16 04:37

Lysander wrote: I'd be interested to know others' thoughts.

Anyone who imagines that software is the primary attack vector on their machines (or others') has neither read the Snowden documents nor followed the computer news of the last 10 years.

The only folks who are 'safe' are those who design, engineer, and fabricate their own hardware, and then write their own OS from scratch, using a compiler they also built from scratch.

For the rest of us, prudence is wise, but paranoia is disabling.

Afterthought: Lysander's other point is quite correct. Read-count is nowhere close to a valid surrogate for "number of people affected." In the case of this particular thread, the read count mostly shows that the thread is two months old.

P.S. The edits to the post immediately above this one have nothing to do with "readability and clarifications." S/he is trying to fundamentally change what s/he said, presumably in an effort to seem less paranoid. Posters engaging this in-duh-vidual in the future would be wise to "full quote" him/her.
Last edited by dasein on 2017-08-16 22:56, edited 1 time in total.
dasein
 
Posts: 7775
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: [Solved] NO_PUBKEY error.

Post by luedtke » 2017-08-16 22:31

I would like to hear from someone who "reinstalled" the original debian-archive-keyring package and thus avoided the NO_PUBKEY error:
    What is the difference between the original and the "reinstalled" package?
    Which of the two is more trustworthy?
    Why should the warning issued by Synaptic ("cannot be done securely") not apply to the reinstall?
As long as these questions are not answered, I don't regard the issue as solved. As stated above, the chain of trust in the origin of packages seems to be broken.
luedtke
 
Posts: 4
Joined: 2017-08-12 19:39
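
Comparing keys against a fresh install, as suggested earlier in the thread, and the question of what differs between two keyrings both come down to comparing full fingerprints. The following is an added example, not code from any poster or from Debian: the function names and the two colon listings are constructed, and `keyring_fprs` assumes `gpg` is installed.

```sh
#!/bin/sh
# Added example, not from the thread. Every fingerprint below is constructed.

# fprs: `gpg --with-colons` listing on stdin -> sorted fingerprints
# (field 10 of each "fpr" record; covers primary keys and subkeys).
fprs() {
    awk -F: '$1 == "fpr" { print $10 }' | LC_ALL=C sort -u
}

# keyring_fprs FILE: fingerprints held in a keyring file (give an absolute
# path), read without involving the caller's own GnuPG keyring.
keyring_fprs() {
    gpg --batch --no-default-keyring --keyring "$1" \
        --list-keys --with-colons --with-fingerprint --with-fingerprint | fprs
}

# has_key_id ID: fingerprints on stdin; succeeds if one ends in the 16-digit
# ID apt prints after NO_PUBKEY. A key ID only names the key apt wants; it
# says nothing about whether a key carrying that ID is authentic.
has_key_id() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v id="$want" '
        length(id) == 16 && substr($0, length($0) - 15) == id { found = 1 }
        END { exit !found }'
}

# not_in_reference REF SYS: fingerprints listed in file SYS but not in file
# REF (both written by fprs). Each output line is a key the system trusts
# that the independently obtained reference keyring does not contain.
not_in_reference() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Constructed stand-in for the keyring of a verified fresh install.
reference_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAA0001:1500000000:::-:::scSC:
fpr:::::::::000000000000000000000000AAAAAAAAAAAA0001:
pub:-:4096:1:BBBBBBBBBBBB0002:1500000000:::-:::scSC:
fpr:::::::::000000000000000000000000BBBBBBBBBBBB0002:
EOF
}

# Constructed stand-in for the keyring of the machine under review.
system_listing() {
    reference_listing
    cat <<'EOF'
pub:-:4096:1:CCCCCCCCCCCC0003:1500000000:::-:::scSC:
fpr:::::::::000000000000000000000000CCCCCCCCCCCC0003:
EOF
}

ref=$(mktemp) && sys=$(mktemp) || exit 1
reference_listing | fprs > "$ref"
system_listing | fprs > "$sys"
not_in_reference "$ref" "$sys"      # the one key absent from the reference
rm -f "$ref" "$sys"
```

On a real system, replace the two listing functions with `keyring_fprs` run on the keyring under review and on a copy obtained from independently verified installation media.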

Re: [Solved] NO_PUBKEY error.

Post by shvman » 2017-09-05 20:53

I recently clean installed Debian 9 on two machines, a desktop and a laptop. I had a problem updating the repositories on both machines. I did eventually get the desktop to update properly, but the laptop is still 'broken'. Perhaps relevant to the problem is that I did a Net Install on both computers.

My laptop is an old Dell 1420 with an Intel Centrino CPU. Everything else works.

Here's what I get when I 'sudo apt-get update' on my laptop:
Code:
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Hit:3 https://repo.skype.com/deb stable InRelease 
Hit:4 http://ftp.us.debian.org/debian stretch-updates InRelease
Err:1 http://security.debian.org stretch/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
Ign:5 http://ftp.us.debian.org/debian stretch/updates InRelease
Ign:7 http://ftp.us.debian.org/debian stretch/updates Release
Err:4 http://ftp.us.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Get:6 http://ftp.us.debian.org/debian stretch Release [118 kB]
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Get:11 http://ftp.us.debian.org/debian stretch Release.gpg [2,373 B]
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:11 http://ftp.us.debian.org/debian stretch Release.gpg
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Get:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Get:13 http://ftp.us.debian.org/debian stretch/contrib Sources [44.7 kB]
Get:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages [7,095 kB]
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Hit:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Hit:15 http://ftp.us.debian.org/debian stretch/main Sources
Hit:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Hit:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Hit:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Ign:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Ign:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Hit:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Hit:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Hit:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Hit:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Ign:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Ign:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Ign:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Ign:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Hit:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Hit:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Hit:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Ign:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages
Ign:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en
Ign:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Ign:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
Ign:9 http://ftp.us.debian.org/debian stretch/updates/non-free Sources
Ign:10 http://ftp.us.debian.org/debian stretch/updates/contrib Sources
Err:8 http://ftp.us.debian.org/debian stretch/updates/main Sources
  404  Not Found [IP: 64.50.233.100 80]
Hit:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Hit:15 http://ftp.us.debian.org/debian stretch/main Sources
Hit:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Hit:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Hit:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Hit:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Hit:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Hit:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Ign:13 http://ftp.us.debian.org/debian stretch/contrib Sources
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages
Ign:19 http://ftp.us.debian.org/debian stretch/main Translation-en
Ign:20 http://ftp.us.debian.org/debian stretch/main amd64 DEP-11 Metadata
Ign:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages
Ign:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en
Hit:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Ign:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata
Get:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages [77.9 kB]
Hit:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages                             
Hit:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en                             
Hit:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata                     
Hit:13 http://ftp.us.debian.org/debian stretch/contrib Sources                                     
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources                                       
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources                                   
Ign:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages                             
Ign:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en                             
Ign:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata                     
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages                                 
Err:19 http://ftp.us.debian.org/debian stretch/main Translation-en                                 
  BZ2_bzread: /var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_stretch_main_i18n_Translation-en.bz2 Read error (-5: DATA_ERROR_MAGIC)
Hit:21 http://ftp.us.debian.org/debian stretch/contrib amd64 Packages                             
Ign:22 http://ftp.us.debian.org/debian stretch/contrib Translation-en                             
Hit:23 http://ftp.us.debian.org/debian stretch/contrib amd64 DEP-11 Metadata                       
Ign:15 http://ftp.us.debian.org/debian stretch/main Sources                                       
Ign:16 http://ftp.us.debian.org/debian stretch/non-free Sources                                   
Hit:24 http://ftp.us.debian.org/debian stretch/non-free amd64 Packages                             
Ign:25 http://ftp.us.debian.org/debian stretch/non-free Translation-en                             
Hit:26 http://ftp.us.debian.org/debian stretch/non-free amd64 DEP-11 Metadata                     
Ign:17 http://ftp.us.debian.org/debian stretch/main amd64 Packages                                 
Fetched 120 kB in 6s (17.4 kB/s)                                                                   
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: The repository 'http://ftp.us.debian.org/debian stretch/updates Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.us.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: GPG error: http://ftp.us.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: The repository 'http://ftp.us.debian.org/debian stretch Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch-updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
E: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch/updates/main/source/Sources  404  Not Found [IP: 64.50.233.100 80]
E: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch/main/i18n/Translation-en  BZ2_bzread: /var/lib/apt/lists/partial/ftp.us.debian.org_debian_dists_stretch_main_i18n_Translation-en.bz2 Read error (-5: DATA_ERROR_MAGIC)
W: Some index files failed to download. They have been ignored, or old ones used instead.


Here's what I've tried so far:

1. I read the 'SecureApt' material on the Debian Wiki. Based on that material, I searched for the missing keys, found them and put them in my gpg keyring. But that was wasted work, because I found that the same keys were already present in the 'apt-key list'. So I did not export them to 'apt-key'. It appears as though the keys are present and just not being recognized by the repo servers.

2. I checked the file sources.list multiple times and changed the entries to conform with what I found on the Debian Wiki. No joy.

Here's my sources.list file contents:
Code:
deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main contrib non-free

deb http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch/updates main contrib non-free


3. I deleted the 'lists' subdirectory in /var/lib/apt/ and allowed the update process to reform the information.

4. I found the permissions for the file trusted.gpg were '0600' and I set them to '0644', thinking that maybe this was a permission issue.

Like I stated, I did solve this on my desktop machine (an old AMD dual core) but can't figure out what I did that worked. I'll take notes next time.

I am reluctant to uninstall and then reinstall the Debian Archive Keyring.

Thanks in advance.
shvman
 
Posts: 5
Joined: 2017-07-25 17:46
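
The apt-get output and the sources.list quoted in the post above can be checked mechanically. This is an added example, not code from the poster or from Debian, with function names made up here: it groups the NO_PUBKEY key IDs by repository and flags a sources.list entry that requests the security suite from a non-security URI, the entry that matches the "does not have a Release file" and 404 messages in the log.

```sh
#!/bin/sh
# Added example; inputs are copied from the apt-get output and sources.list
# quoted in the post above.

# missing_keys: apt output on stdin -> one "host suite keyid" line for each
# distinct (repository, key ID) pair reported in a "GPG error: ... NO_PUBKEY".
missing_keys() {
    awk '
    /GPG error: / && /NO_PUBKEY/ {
        line = $0
        sub(/^.*GPG error: /, "", line)        # now: URL SUITE FILE: message
        n = split(line, w, " ")
        host = w[1]; suite = w[2]
        sub(/^[a-z]+:\/\//, "", host); sub(/\/.*$/, "", host)
        for (i = 1; i < n; i++)
            if (w[i] == "NO_PUBKEY") print host, suite, w[i + 1]
    }' | LC_ALL=C sort -u
}

# lint_sources: sources.list on stdin -> report entries that ask for a
# "<release>/updates" suite from a URI that does not name the security
# archive. For stretch that suite is published by the security archive; the
# main archive names its suite "stretch-updates". Matching on "security" in
# the URI is a heuristic chosen for this example.
lint_sources() {
    awk '
    $1 == "deb" || $1 == "deb-src" {
        i = 2
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }  # skip [options]
        uri = $i; suite = $(i + 1)
        if (suite ~ /\/updates$/ && uri !~ /security/)
            printf "line %d: %s is a security-archive suite, but the URI is %s\n", NR, suite, uri
    }'
}

sample_apt_output() {
    cat <<'EOF'
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.us.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: GPG error: http://ftp.us.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch-updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
EOF
}

sample_sources_list() {
    cat <<'EOF'
deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main contrib non-free

deb http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch/updates main contrib non-free
EOF
}

sample_apt_output | missing_keys
sample_sources_list | lint_sources
```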

