Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

apt update impossible because of missing keys

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
User avatar
Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

apt update impossible because of missing keys

#1 Post by Onsemeliot »

I don't understand how I endet up where I am right now:

Code: Select all

# apt update
Ign:1 http://ftp.at.debian.org/debian stretch InRelease
Ign:2 http://ftp.at.debian.org/debian-security stretch-updates InRelease
Err:5 http://ftp.at.debian.org/debian-security stretch-updates Release
  404  Not Found [IP: 213.129.232.18 80]
Get:3 http://ftp.at.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:4 http://ftp.at.debian.org/debian stretch Release [118 kB]
Get:6 http://ftp.at.debian.org/debian stretch Release.gpg [2,434 B]
Err:3 http://ftp.at.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Err:6 http://ftp.at.debian.org/debian stretch Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
Reading package lists... Done 
E: The repository 'http://ftp.at.debian.org/debian-security stretch-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.at.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.at.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
Unfortunately pulling the newest keyring doesn't help (propably because I don't get any newer packages which would include the most recent keyring.):

Code: Select all

# apt-get install debian-archive-keyring
Reading package lists... Done
Building dependency tree       
Reading state information... Done
debian-archive-keyring is already the newest version (2017.5).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
I even started from a generic sources list fom debian.org. But this didn't help either. I have been searching for a solution for many hours now.
What am I doing wrong?

arochester
Emeritus
Emeritus
Posts: 2435
Joined: 2010-12-07 19:55
Has thanked: 14 times
Been thanked: 54 times

Re: apt update impossible because of missing keys

#2 Post by arochester »

What does your sources list say?

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: apt update impossible because of missing keys

#3 Post by Head_on_a_Stick »

If you search these boards for that error message there are several threads about this with suggestions for fixes.

For example: http://forums.debian.net/viewtopic.php?t=133569 ← the key appears to be the same in this post.
deadbang

User avatar
Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: apt update impossible because of missing keys

#4 Post by Onsemeliot »

I did search the forum for the error message. But got nothing. I propably searched for the wrong part of it.

My sources:
deb http://ftp.at.debian.org/debian stretch main
deb-src http://ftp.at.debian.org/debian stretch main

deb http://ftp.at.debian.org/debian-security/ stretch/updates main
deb-src http://ftp.at.debian.org/debian-security/ stretch/updates main

deb http://ftp.at.debian.org/debian stretch-updates main
deb-src http://ftp.at.debian.org/debian stretch-updates main
I didn't find the specific keys. Do you think it is really wise to just replace the debian-archive-keyring package if my system might be compromised already?

A friend recommended to just use the ubuntu key server. Oddly enough, this worked instantly:

Code: Select all

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EF0F382A1A7B6500
I am uncertain what to make of that.

Well, not everything is perfect. Now I've got:

Code: Select all

# apt update
Ign:1 http://ftp.at.debian.org/debian stretch InRelease
Ign:2 http://ftp.at.debian.org/debian-security stretch/updates InRelease
Hit:3 http://ftp.at.debian.org/debian stretch-updates InRelease
Hit:4 http://ftp.at.debian.org/debian stretch Release
Err:5 http://ftp.at.debian.org/debian-security stretch/updates Release
  404  Not Found [IP: 213.129.232.18 80]
Reading package lists... Done                      
E: The repository 'http://ftp.at.debian.org/debian-security stretch/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
If the stretch/updates repository can't be accessed then I shouldn't be able to get new updates at all, right?
Last edited by Onsemeliot on 2019-01-27 22:12, edited 3 times in total.

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: apt update impossible because of missing keys

#5 Post by stevepusser »

Does manually downloading the debian-archive-keyring deb from packages.debian.org and reinstalling it manually with "dpkg -i" make any difference?
MX Linux packager and developer

User avatar
Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: apt update impossible because of missing keys

#6 Post by Onsemeliot »

stevepusser wrote:Does manually downloading the debian-archive-keyring deb from packages.debian.org and reinstalling it manually with "dpkg -i" make any difference?
Well, I could try downloading it manually but it seems to be the same version: 2017.5.

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: apt update impossible because of missing keys

#7 Post by bw123 »

Onsemeliot wrote: I don't understand how I endet up where I am right now:
...
Maybe you should let people know the history of the system? They won't know from an error msg by itself how you got there either. Is this the first time apt has given you a problem? is it a new install, an upgrade, or what? You've been a user on the forum a long time, so you know how it works. More info is better.
...
I even started from a generic sources list fom debian.org.
...
What site on debian.org did you get that from? When you say "started" do you mean after anew install? Was it the same as the current sources.list you posted?

I didn't understand the thing about the ubuntu keys, wazzup with that?
resigned by AI ChatGPT

User avatar
Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: apt update impossible because of missing keys

#8 Post by Onsemeliot »

bw123 wrote:Maybe you should let people know the history of the system?
Sorry. I didn't try to get an explanation for how I ended up in this mess. I only wanted to express my wonderment. (The only explanation I can come up with right now is that I must have somehow lost the original configuration when adding a new key for an unusual Suse repository.) I made the Stretch installation when it came out. I discovered the issues just yesterday because I needed the source repository and therefore changed the sources list. (I suspect I didn't get the most recent updates for a while now.)
bw123 wrote:What site on debian.org did you get that from?
https://wiki.debian.org/SourcesList#Repository_URL ... I just jused the first recommendation (only main)
bw123 wrote:When you say "started" do you mean after anew install?
Yesterday I created a backup of my old sources file and replaced it with the one mentioned above.
bw123 wrote:I didn't understand the thing about the ubuntu keys, wazzup with that?
Since apt reported back that it couldn't fetch the repository information due to missing public keys I tried to find those keys on debian.org. But I couldn't find it. Then a friend pointed out that he found exactly the missing keys on the ubuntu key server. After I pulled it from there the old error messages vanished and I did get updates again. Only the security updates seem to be missing from the recommended local Debian repository: http://ftp.at.debian.org

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: apt update impossible because of missing keys

#9 Post by Head_on_a_Stick »

Onsemeliot wrote:http://ftp.at.debian.org
https://www.debian.org/News/2017/20170425

The Ubuntu key suggestion was in my earlier link btw.
deadbang

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: apt update impossible because of missing keys

#10 Post by bw123 »

I always use http://security.debian.org/debian-security but I guess the regular repo is ok too?
Do you have a lot of keys installed? I think there's a limit. try man apt-key list

Code: Select all

$ dpkg -S debian-archive-stretch-security-automatic.gpg
debian-archive-keyring: /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
resigned by AI ChatGPT

User avatar
Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: apt update impossible because of missing keys

#11 Post by Onsemeliot »

Head_on_a_Stick wrote:The Ubuntu key suggestion was in my earlier link btw.
Sorry, I must have overlooked that.
bw123 wrote:Do you have a lot of keys installed?
No, I had 4 keys. I deleted all but the one for Stretch and needed to import those for Wheezy and Jessie again (using "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9D6D8F6BC857C906" and "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553") in order to get rid of the errors. These are the keys I have now:

Code: Select all

# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

pub   rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
      A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
uid           [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
Now my sources are stripped down also (I suspect the absolute minimum would be just the third entry only):

Code: Select all

# cat /etc/apt/sources.list
deb http://ftp.at.debian.org/debian stretch main
deb-src http://ftp.at.debian.org/debian stretch main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main
This way I finally managed to get updates and no errors any more:

Code: Select all

# apt update
Ign:1 http://ftp.at.debian.org/debian stretch InRelease
Hit:2 http://ftp.at.debian.org/debian stretch Release
Hit:3 http://security.debian.org/debian-security stretch/updates InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
I hope this looks like a sensible solution to you too and I didn't get only rid of errors by removing essential parts I might miss later on.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: apt update impossible because of missing keys

#12 Post by Head_on_a_Stick »

i think the Debian redirector may be the best way to go for sources, it will handle the Security stuff as well:

https://deb.debian.org
deadbang

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: apt update impossible because of missing keys

#13 Post by bw123 »

Can't argue with a working system, but I noticed yours are in a key file instead of separate key files in a folder. I'd say it's something odd, some derivatives still use the keyfile I think. That changed a long time ago IIRC.

but as long as it works...

Code: Select all

$ apt-key list | grep -A2 debian-archive-stretch-security
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
$ apt policy debian-archive-keyring
debian-archive-keyring:
  Installed: 2017.5
  Candidate: 2017.5
  Version table:
 *** 2017.5 500
        500 http://http.us.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
resigned by AI ChatGPT

User avatar
Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: apt update impossible because of missing keys

#14 Post by Onsemeliot »

Hm, I don't know. I get this:

Code: Select all

# apt-key list | grep -A2 debian-archive-stretch-security /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
grep: /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg: No such file or directory
Warning: apt-key output should not be parsed (stdout is not a terminal)
/etc/apt/trusted.gpg.d is just empty.

Oh, hold on: I just remembered I created an empty trusted.gpg.d folder during my attempts to fix my sorces problem. I just moved the backup of it (trusted.gpg.d.backup) back to its original location (trusted.gpg.d). But it didn't change anything.

User avatar
graemev2
Posts: 95
Joined: 2019-01-08 17:28
Has thanked: 2 times

Re: apt update impossible because of missing keys

#15 Post by graemev2 »

I think I may have stumbled upon the same issue ( http://forums.debian.net/viewtopic.php?f=17&t=141379 )

Didn't immediately find your post as I was thinking in terms of jigdo. My current guess if a format change which may explain why the ubuntu version worked if for example it used the old format? (not very sure on any of this , like how old is the change etc) ...try file of the various versions of the key you have.

Post Reply