apt update impossible because of missing keys

Kernels & Hardware, configuring network, installing services

apt update impossible because of missing keys

Postby Onsemeliot » 2019-01-27 16:36

I don't understand how I endet up where I am right now:

Code: Select all
# apt update
Ign:1 http://ftp.at.debian.org/debian stretch InRelease
Ign:2 http://ftp.at.debian.org/debian-security stretch-updates InRelease
Err:5 http://ftp.at.debian.org/debian-security stretch-updates Release
  404  Not Found [IP: 213.129.232.18 80]
Get:3 http://ftp.at.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:4 http://ftp.at.debian.org/debian stretch Release [118 kB]
Get:6 http://ftp.at.debian.org/debian stretch Release.gpg [2,434 B]
Err:3 http://ftp.at.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Err:6 http://ftp.at.debian.org/debian stretch Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
Reading package lists... Done
E: The repository 'http://ftp.at.debian.org/debian-security stretch-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.at.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.at.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500

Unfortunately pulling the newest keyring doesn't help (propably because I don't get any newer packages which would include the most recent keyring.):
Code: Select all
# apt-get install debian-archive-keyring
Reading package lists... Done
Building dependency tree       
Reading state information... Done
debian-archive-keyring is already the newest version (2017.5).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

I even started from a generic sources list fom debian.org. But this didn't help either. I have been searching for a solution for many hours now.
What am I doing wrong?
User avatar
Onsemeliot
 
Posts: 178
Joined: 2010-12-15 14:43

Re: apt update impossible because of missing keys

Postby arochester » 2019-01-27 16:42

What does your sources list say?
arochester
 
Posts: 1387
Joined: 2010-12-07 19:55

Re: apt update impossible because of missing keys

Postby Head_on_a_Stick » 2019-01-27 17:00

If you search these boards for that error message there are several threads about this with suggestions for fixes.

For example: viewtopic.php?t=133569 ← the key appears to be the same in this post.
"The trouble with the world is that the stupid are cocksure and the intelligent full of doubt." — Bertrand Russell
User avatar
Head_on_a_Stick
 
Posts: 8838
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: apt update impossible because of missing keys

Postby Onsemeliot » 2019-01-27 21:52

I did search the forum for the error message. But got nothing. I propably searched for the wrong part of it.

My sources:
deb http://ftp.at.debian.org/debian stretch main
deb-src http://ftp.at.debian.org/debian stretch main

deb http://ftp.at.debian.org/debian-security/ stretch/updates main
deb-src http://ftp.at.debian.org/debian-security/ stretch/updates main

deb http://ftp.at.debian.org/debian stretch-updates main
deb-src http://ftp.at.debian.org/debian stretch-updates main

I didn't find the specific keys. Do you think it is really wise to just replace the debian-archive-keyring package if my system might be compromised already?

A friend recommended to just use the ubuntu key server. Oddly enough, this worked instantly:
Code: Select all
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EF0F382A1A7B6500

I am uncertain what to make of that.

Well, not everything is perfect. Now I've got:
Code: Select all
# apt update
Ign:1 http://ftp.at.debian.org/debian stretch InRelease
Ign:2 http://ftp.at.debian.org/debian-security stretch/updates InRelease
Hit:3 http://ftp.at.debian.org/debian stretch-updates InRelease
Hit:4 http://ftp.at.debian.org/debian stretch Release
Err:5 http://ftp.at.debian.org/debian-security stretch/updates Release
  404  Not Found [IP: 213.129.232.18 80]
Reading package lists... Done                     
E: The repository 'http://ftp.at.debian.org/debian-security stretch/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.


If the stretch/updates repository can't be accessed then I shouldn't be able to get new updates at all, right?
Last edited by Onsemeliot on 2019-01-27 22:12, edited 3 times in total.
User avatar
Onsemeliot
 
Posts: 178
Joined: 2010-12-15 14:43

Re: apt update impossible because of missing keys

Postby stevepusser » 2019-01-27 21:57

Does manually downloading the debian-archive-keyring deb from packages.debian.org and reinstalling it manually with "dpkg -i" make any difference?
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Flightgear 2018.2.2, 4..20.6 kernel, wine-staging 4.0 final, Sayonara 1.1.1, Calibre 3.39.1, Pale Moon 28.3.1
User avatar
stevepusser
 
Posts: 10510
Joined: 2009-10-06 05:53

Re: apt update impossible because of missing keys

Postby Onsemeliot » 2019-01-27 22:09

stevepusser wrote:Does manually downloading the debian-archive-keyring deb from packages.debian.org and reinstalling it manually with "dpkg -i" make any difference?

Well, I could try downloading it manually but it seems to be the same version: 2017.5.
User avatar
Onsemeliot
 
Posts: 178
Joined: 2010-12-15 14:43

Re: apt update impossible because of missing keys

Postby bw123 » 2019-01-27 22:16

Onsemeliot wrote:I don't understand how I endet up where I am right now:
...


Maybe you should let people know the history of the system? They won't know from an error msg by itself how you got there either. Is this the first time apt has given you a problem? is it a new install, an upgrade, or what? You've been a user on the forum a long time, so you know how it works. More info is better.
...
I even started from a generic sources list fom debian.org.
...


What site on debian.org did you get that from? When you say "started" do you mean after anew install? Was it the same as the current sources.list you posted?

I didn't understand the thing about the ubuntu keys, wazzup with that?
User avatar
bw123
 
Posts: 3751
Joined: 2011-05-09 06:02
Location: TN_USA

Re: apt update impossible because of missing keys

Postby Onsemeliot » 2019-01-28 13:02

bw123 wrote:Maybe you should let people know the history of the system?

Sorry. I didn't try to get an explanation for how I ended up in this mess. I only wanted to express my wonderment. (The only explanation I can come up with right now is that I must have somehow lost the original configuration when adding a new key for an unusual Suse repository.) I made the Stretch installation when it came out. I discovered the issues just yesterday because I needed the source repository and therefore changed the sources list. (I suspect I didn't get the most recent updates for a while now.)

bw123 wrote:What site on debian.org did you get that from?

https://wiki.debian.org/SourcesList#Repository_URL ... I just jused the first recommendation (only main)

bw123 wrote:When you say "started" do you mean after anew install?

Yesterday I created a backup of my old sources file and replaced it with the one mentioned above.

bw123 wrote:I didn't understand the thing about the ubuntu keys, wazzup with that?

Since apt reported back that it couldn't fetch the repository information due to missing public keys I tried to find those keys on debian.org. But I couldn't find it. Then a friend pointed out that he found exactly the missing keys on the ubuntu key server. After I pulled it from there the old error messages vanished and I did get updates again. Only the security updates seem to be missing from the recommended local Debian repository: http://ftp.at.debian.org
User avatar
Onsemeliot
 
Posts: 178
Joined: 2010-12-15 14:43

Re: apt update impossible because of missing keys

Postby Head_on_a_Stick » 2019-01-28 13:24

Onsemeliot wrote:http://ftp.at.debian.org

https://www.debian.org/News/2017/20170425

The Ubuntu key suggestion was in my earlier link btw.
"The trouble with the world is that the stupid are cocksure and the intelligent full of doubt." — Bertrand Russell
User avatar
Head_on_a_Stick
 
Posts: 8838
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: apt update impossible because of missing keys

Postby bw123 » 2019-01-28 14:14

I always use http://security.debian.org/debian-security but I guess the regular repo is ok too?
Do you have a lot of keys installed? I think there's a limit. try man apt-key list
Code: Select all
$ dpkg -S debian-archive-stretch-security-automatic.gpg
debian-archive-keyring: /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
User avatar
bw123
 
Posts: 3751
Joined: 2011-05-09 06:02
Location: TN_USA

Re: apt update impossible because of missing keys

Postby Onsemeliot » 2019-01-28 16:37

Head_on_a_Stick wrote:The Ubuntu key suggestion was in my earlier link btw.

Sorry, I must have overlooked that.
bw123 wrote:Do you have a lot of keys installed?

No, I had 4 keys. I deleted all but the one for Stretch and needed to import those for Wheezy and Jessie again (using "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906" and "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553") in order to get rid of the errors. These are the keys I have now:
Code: Select all
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

pub   rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
      A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
uid           [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>

Now my sources are stripped down also (I suspect the absolute minimum would be just the third entry only):
Code: Select all
# cat /etc/apt/sources.list
deb http://ftp.at.debian.org/debian stretch main
deb-src http://ftp.at.debian.org/debian stretch main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main

This way I finally managed to get updates and no errors any more:
Code: Select all
# apt update
Ign:1 http://ftp.at.debian.org/debian stretch InRelease
Hit:2 http://ftp.at.debian.org/debian stretch Release
Hit:3 http://security.debian.org/debian-security stretch/updates InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

I hope this looks like a sensible solution to you too and I didn't get only rid of errors by removing essential parts I might miss later on.
User avatar
Onsemeliot
 
Posts: 178
Joined: 2010-12-15 14:43

Re: apt update impossible because of missing keys

Postby Head_on_a_Stick » 2019-01-28 16:50

i think the Debian redirector may be the best way to go for sources, it will handle the Security stuff as well:

https://deb.debian.org
"The trouble with the world is that the stupid are cocksure and the intelligent full of doubt." — Bertrand Russell
User avatar
Head_on_a_Stick
 
Posts: 8838
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: apt update impossible because of missing keys

Postby bw123 » 2019-01-28 17:30

Can't argue with a working system, but I noticed yours are in a key file instead of separate key files in a folder. I'd say it's something odd, some derivatives still use the keyfile I think. That changed a long time ago IIRC.

but as long as it works...

Code: Select all
$ apt-key list | grep -A2 debian-archive-stretch-security
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
$ apt policy debian-archive-keyring
debian-archive-keyring:
  Installed: 2017.5
  Candidate: 2017.5
  Version table:
 *** 2017.5 500
        500 http://http.us.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
User avatar
bw123
 
Posts: 3751
Joined: 2011-05-09 06:02
Location: TN_USA

Re: apt update impossible because of missing keys

Postby Onsemeliot » 2019-01-29 06:05

Hm, I don't know. I get this:
Code: Select all
# apt-key list | grep -A2 debian-archive-stretch-security /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
grep: /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg: No such file or directory
Warning: apt-key output should not be parsed (stdout is not a terminal)

/etc/apt/trusted.gpg.d is just empty.

Oh, hold on: I just remembered I created an empty trusted.gpg.d folder during my attempts to fix my sorces problem. I just moved the backup of it (trusted.gpg.d.backup) back to its original location (trusted.gpg.d). But it didn't change anything.
User avatar
Onsemeliot
 
Posts: 178
Joined: 2010-12-15 14:43


Return to System configuration

Who is online

Users browsing this forum: No registered users and 3 guests

fashionable