Debian Key Signing Bug: NO_PUBKEY

There appears to be a bug in Debian’s key signing system. Depending on your apt sources you may run in to packages signed by a key that Debian doesn’t like. Annoyingly, these are Debian-signed packages, but unless you want to fix it, here is a workaround. is a repository signed with F1D53D8C4F368D5D, but Debian does not trust that key (because it is expired). Go figure.

To resolve the irritating error:
W: GPG error: stable/non-US Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY [some key]

Do this:

1) Make sure you have the newest keys from Debian the automagical way: apt-key update
This will probably do nothing.

2) Update your keys manually:

  • Visit
  • Find the URL to the latest key (right at the top of the page)
  • Download it and import it: wget [URL] -O - | apt-key add - (replace [URL] with the link to the key, silly)

3) Try again. If it was indeed a key issued by Debian that you were missing, you should have it now. My guess is you have stumbled across packages signed by a key that Debian forgot to include in their trusted keys list.

4) The Icky part

  • Install GNU PG if you don’t have it: apt-get install gnupg
  • Grab the key from Debian (Hey, it’s their key, they just forgot to give it out): gpg --keyserver --recv-keys [KEY]
  • Install the key: gpg --armor --export [KEY] | sudo apt-key add -
  • Trust the key: gpg --export [KEY] >> /etc/apt/trusted.gpg
  • Make sure the key is there: gpg --list-keys

Now, not to rag on the Debian group, but the key I have been fighting with is F1D53D8C4F368D5D on That key is expired which is why it is not distributed. No packages should be signed with it.

This entry was posted in Debian, How Tos. Bookmark the permalink.

Leave a Reply

Your email address will not be published.