Debian Key Signing Bug: NO_PUBKEY

There appears to be a bug in Debian’s key signing system. Depending on your apt sources, you may run into packages signed by a key that Debian doesn’t like. Annoyingly, these are Debian-signed packages. Unless you want to fix the underlying problem yourself, here is a workaround.

http://non-us.debian.org is a repository signed with F1D53D8C4F368D5D, but Debian does not trust that key (because it is expired). Go figure.

To resolve the irritating error:
W: GPG error: http://non-us.debian.org stable/non-US Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY [some key]

Do this:

1) Make sure you have the newest keys from Debian the automagical way: apt-key update
This will probably do nothing.

2) Update your keys manually:

  • Visit http://ftp-master.debian.org
  • Find the URL to the latest key (right at the top of the page)
  • Download it and import it: wget [URL] -O - | apt-key add - (replace [URL] with the link to the key, silly)

3) Try again. If it was indeed a key issued by Debian that you were missing, you should have it now. My guess is you have stumbled across packages signed by a key that Debian forgot to include in their trusted keys list.

4) The Icky part

  • Install GnuPG if you don’t have it: apt-get install gnupg
  • Grab the key from Debian (Hey, it’s their key, they just forgot to give it out): gpg --keyserver keyring.debian.org --recv-keys [KEY]
  • Install the key: gpg --armor --export [KEY] | sudo apt-key add -
  • Trust the key: gpg --export [KEY] >> /etc/apt/trusted.gpg
  • Make sure the key is there: gpg --list-keys

Now, not to rag on the Debian group, but the key I have been fighting with is F1D53D8C4F368D5D on non-us.debian.org. That key is expired, which is why it is not distributed. No packages should be signed with it.
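An added example (not from the original post): before running the apt-key add step above, this script pulls the key ID out of apt's NO_PUBKEY warning and reports whether the key you fetched is expired, revoked or missing, based on gpg's --with-colons listing. The sample warning reuses the post's key ID; the key records, the other two key IDs and all timestamps are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a key named in an apt NO_PUBKEY warning before trusting it.
# Function names are hypothetical; the key records below are constructed.

# Read apt warning text on stdin; print each NO_PUBKEY key ID once, uppercased.
nopubkey_ids() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "NO_PUBKEY" && length($(i+1)) == 16 &&
                   $(i+1) ~ /^[0-9A-Fa-f]+$/) print toupper($(i+1)) }' | sort -u
}

# key_status KEYID NOW_EPOCH   (colon listing on stdin)
# Real input would come from: gpg --show-keys --with-colons downloaded-key.asc
# Prints one of: ok, expired, revoked, missing.
key_status() {
    awk -F: -v want="$1" -v now="$2" '
        $1 == "pub" && toupper($5) == toupper(want) {
            found = 1
            # Field 2 is the gpg validity flag (e = expired, r = revoked);
            # field 7 is the expiry time in epoch seconds, empty if none.
            if ($2 == "r") status = "revoked"
            else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) status = "expired"
            else status = "ok"
        }
        END { print (found ? status : "missing") }'
}

# The warning from the post, with the post's key ID filled in.
SAMPLE_WARNING="W: GPG error: http://non-us.debian.org stable/non-US Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F1D53D8C4F368D5D"

# Constructed colon records (not real key data): one flagged expired by gpg,
# one with no expiry, one whose expiry date alone decides the result.
SAMPLE_KEYS="pub:e:1024:17:F1D53D8C4F368D5D:1104537600:1136073600::-:::sc:
pub:-:4096:1:0123456789ABCDEF:1104537600:::-:::sc:
pub:-:2048:1:FEDCBA9876543210:1104537600:1136073600::-:::sc:"

# Report the status of every key the warning complains about.
printf '%s\n' "$SAMPLE_WARNING" | nopubkey_ids | while read -r id; do
    status=$(printf '%s\n' "$SAMPLE_KEYS" | key_status "$id" "$(date +%s)")
    printf '%s %s\n' "$id" "$status"
done
```

A result other than ok means importing the key will not make apt accept the repository's signatures as valid; the fix belongs on the repository side.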
