You are not logged in.

#1 2018-08-12 16:13:34

mufrious
Member
Registered: 2015-10-02
Posts: 15

[SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

Hello to you all, fellow Bunsenistas,

Apologies in advance if this is a typical noob dorkage (at least I knew better than to install a ppa...) but maybe it's of the same level (I've been a noob for quite a while now...). I'll leave that to your sagacity.

I'm busy installing a Helium system, and got to the point where I want to install, as I did previously (and flawlessly) in Hydrogen/Deuterium, some favorite third-party softwares, like focuswriter and virtualbox (yes, I know focuswriter exists in the debian reps, but for some reason I can't recall, I had needed to install as third-party in Hydrogen).
I followed the instructions from the focuswriter site, but unfortunately it seems that it borked my whole gpg ecosystem: I keep getting the same NO_PUBKEY message now, for all repositories, bunsenlabs and debian alike... I removed of course all that was concerning focuswriter and home:gottcode, but it changed nothing.

To be precise, that is what I did. The instructions of the focuswriter site are:

echo 'deb http://download.opensuse.org/repositories/home:/gottcode/Debian_9.0/ /' > /etc/apt/sources.list.d/home:gottcode.list
apt-get update
apt-get install focuswriter

And to add the key to the repository:

wget -nv https://download.opensuse.org/repositories/home:gottcode/Debian_9.0/Release.key -O Release.key
apt-key add - < Release.key
apt-get update

To prevent the missing key message right after adding the source, I added the key right after adding the source, and before running apt-get update. I don't know if that is what borked the whole thing up...

Trying to recover a sane apt system, I've followed the instructions of that post https://forums.bunsenlabs.org/viewtopic.php?id=1526 and of course of this page: https://www.bunsenlabs.org/repositories.html.

By the way, it seems to me that there might be a discrepancy in the Keyring package section: shouldn't the latest package be bunsen-keyring_2016.7.2-2_all.deb, instead of bunsen-keyring_2016.7.2-1_all.deb? The ...2016.7.2-2 version is the one that is installed on my system. Should I revert back to the more ancient version? When I tried, GDebi advised me not too.

(And might I also point out that there seems to be a mistake in the Manual setup section: it should be

gpg --fingerprint BunsenLabs-RELEASE.asc

and not

... --with-fingerprint ...

-- I kept having a: "WARNING: no command supplied.  Trying to guess what you mean ...").

When I try:

gpg --fingerprint BunsenLabs-RELEASE.asc

I get this message:

gpg: error reading key: Pas de clef publique

(Excuse my French...)

Here is the output of the apt-get update command:

root@yorick:/home/miguel# apt-get update
Réception de:1 http://deb.debian.org/debian stretch-backports InRelease [91,8 kB]
Err:1 http://deb.debian.org/debian stretch-backports InRelease         
  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Atteint:2 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
Err:2 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY A0673F72FE62D9C5
Ign:3 https://cdn-aws.deb.debian.org/debian stretch InRelease
Atteint:6 https://eu.pkg.bunsenlabs.org/debian helium InRelease
Err:6 https://eu.pkg.bunsenlabs.org/debian helium InRelease
  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY A0673F72FE62D9C5
Réception de:4 https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease [94,3 kB]
Réception de:5 https://cdn-aws.deb.debian.org/debian stretch-updates InRelease [91,0 kB]
Err:4 https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease
  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
Atteint:7 https://cdn-aws.deb.debian.org/debian stretch Release
Err:5 https://cdn-aws.deb.debian.org/debian stretch-updates InRelease
  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Err:8 https://deb.debian.org/debian stretch Release.gpg
  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
185 ko réceptionnés en 1s (139 ko/s)
Lecture des listes de paquets... Fait
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch-backports InRelease: Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease: Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY A0673F72FE62D9C5
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://eu.pkg.bunsenlabs.org/debian helium InRelease: Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY A0673F72FE62D9C5
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease: Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cdn-aws.deb.debian.org/debian stretch-updates InRelease: Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cdn-aws.deb.debian.org/debian stretch Release: Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: Impossible de récupérer https://deb.debian.org/debian-security/dists/stretch/updates/InRelease  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: Impossible de récupérer https://deb.debian.org/debian/dists/stretch-updates/InRelease  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Impossible de récupérer http://pkg.bunsenlabs.org/debian/dists/stretch-backports/InRelease  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY A0673F72FE62D9C5
W: Impossible de récupérer https://pkg.bunsenlabs.org/debian/dists/helium/InRelease  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY A0673F72FE62D9C5
W: Impossible de récupérer http://deb.debian.org/debian/dists/stretch-backports/InRelease  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Impossible de récupérer https://deb.debian.org/debian/dists/stretch/Release.gpg  Les signatures suivantes n'ont pas pu être vérifiées car la clé publique n'est pas disponible : NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: Le téléchargement de quelques fichiers d'index a échoué, ils ont été ignorés, ou les anciens ont été utilisés à la place.

I've tried to manually reinstall the keys, but didn't work either (not sure what the keyservers are really, I assumed they were the same).

My sources.list, bunsen.list, bunsen-stretch-backports.list and debian-stretch-backports.list are correct, according to the specifications of the Sources - sources.list and backports details OP (to the exception that all the deb https addresses end with a trailing "/", like this:)

deb https://deb.debian.org/debian/

This is the output of apt-cache policy:

Fichiers du paquet :
 100 /var/lib/dpkg/status
     release a=now
 100 http://deb.debian.org/debian stretch-backports/non-free amd64 Packages
     release o=Debian Backports,a=stretch-backports,n=stretch-backports,l=Debian Backports,c=non-free,b=amd64
     origin deb.debian.org
 100 http://deb.debian.org/debian stretch-backports/contrib amd64 Packages
     release o=Debian Backports,a=stretch-backports,n=stretch-backports,l=Debian Backports,c=contrib,b=amd64
     origin deb.debian.org
 100 http://deb.debian.org/debian stretch-backports/main amd64 Packages
     release o=Debian Backports,a=stretch-backports,n=stretch-backports,l=Debian Backports,c=main,b=amd64
     origin deb.debian.org
 500 https://pkg.bunsenlabs.org/debian helium/main amd64 Packages
     release o=bunsenlabs,n=helium,l=bunsenlabs,c=main,b=amd64
     origin pkg.bunsenlabs.org
 100 http://pkg.bunsenlabs.org/debian stretch-backports/main amd64 Packages
     release o=bunsenlabs,n=stretch-backports,l=bunsenlabs,c=main,b=amd64
     origin pkg.bunsenlabs.org
 500 https://deb.debian.org/debian stretch-updates/main amd64 Packages
     release o=Debian,a=stable-updates,n=stretch-updates,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian-security stretch/updates/non-free amd64 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=non-free,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian-security stretch/updates/contrib amd64 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=contrib,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian-security stretch/updates/main amd64 Packages
     release v=9,o=Debian,a=stable,n=stretch,l=Debian-Security,c=main,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian stretch/contrib amd64 Packages
     release v=9.5,o=Debian,a=stable,n=stretch,l=Debian,c=contrib,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian stretch/non-free amd64 Packages
     release v=9.5,o=Debian,a=stable,n=stretch,l=Debian,c=non-free,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian stretch/main amd64 Packages
     release v=9.5,o=Debian,a=stable,n=stretch,l=Debian,c=main,b=amd64
     origin deb.debian.org
Paquets épinglés :

I'm at a loss as to what to try next, before I start reinstalling everything again.

Thanks for any help, and if nothing is deserved than clowning away, I'll swallow all ego and go with it.

Last edited by mufrious (2018-08-20 10:30:21)

Offline

#2 2018-08-13 05:28:50

ohnonot
...again
Registered: 2015-09-29
Posts: 5,592

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

mufrious wrote:

To prevent the missing key message right after adding the source, I added the key right after adding the source, and before running apt-get update. I don't know if that is what borked the whole thing up...

i don't think that apt is that fragile.

source of the tutorial?
did you show us ALL the steps? your post does not seem to be in chronological order.
did you take care about when to be root and when not when you executed all those commands?

have you tried simply removing the erroneously added keys again?
have you tried completely re-initialising all keys? i think a command like that exists for gpg.

next time you post command output, please prepend "LC_ALL=C", e.g.:

LC_ALL=C apt update

Last edited by ohnonot (2018-08-13 05:29:59)

Offline

#3 2018-08-13 14:38:46

mufrious
Member
Registered: 2015-10-02
Posts: 15

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

Thanks @ohnonot for the reply! I'll try to be as precise as possible.

i don't think that apt is that fragile.

I didn't think so either, but you never know. Sometimes the devil hides in details.

source of the tutorial?

It comes frome the Focuswriter site, download section: https://software.opensuse.org/download/ … 3Agottcode I followed the same instructions on Hydrogen for Debian 8 without problem. But I guess that's where it all comes from (the devil, from these instructions).

did you show us ALL the steps? your post does not seem to be in chronological order.

Quite right. I ranted a lot, and put in it only what I thought might be pertinent. (I figured it was long enough already.)
But I'll try to reconstruct the chain of events.
So I followed the Focuswriter instructions, as said in OP.
Then, with the errors during the apt-get update, I followed the instructions in the Bunsen Repository page, first the ones of the Keyring package section (GDebi told me a more recent version was installed, I think, which is confirmed by the look in Synaptic), then the ones in the Manual Setup section (with the slight error mentioned).
The gpg --fingerprint command gave me the "no public key" message.
After that, I began searching on the internet, and followed this advice (I'm sorry it's in French again, hope you can make out what it's about...) https://wiki.debian-fr.xyz/Erreur_lors_ … _NO_PUBKEY
I tried what is described in the "Ajout manuel d'une clé" section, but couldn't get a correct url to get the key. Assumed it was the same as the repo, but it didn't work. So I didn't get further.
After that, I went back to Synaptic and reinitialised the default keys: Settings > Repositories > Authentification > Restore default keys.
The copies of code I made after all those desperate attempts.
I think it must be more or less what I did.

did you take care about when to be root and when not when you executed all those commands?

Oh, not really. I think I started as sudo, and then I sudoed su to root. But unfortunately I don't remember what I did when exactly. I do remember I made the first commands of the focuswriter instructions as sudo (the "echo etc." command), and then the "wget" command as user. Then the apt-get updates as sudo.

have you tried simply removing the erroneously added keys again?

Yes. There's only one key now in the Authentication tab in Synaptic. With the same result.

have you tried completely re-initialising all keys? i think a command like that exists for gpg.

As I said, I did it in Synaptic. It didn't have any effect. I see that several commands for gpg could do it (--rebuild-keydb-caches, --generate-key, --full-generate-key...) but right now I wouldn't dare to try one after the other without knowing better.

next time you post command output, please prepend "LC_ALL=C", e.g.:

Here it is:

miguel@yorick:~$ sudo LC_ALL=C apt update
[sudo] Mot de passe de miguel : 
Get:1 http://deb.debian.org/debian stretch-backports InRelease [91.8 kB]
Err:1 http://deb.debian.org/debian stretch-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Hit:2 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
Err:2 http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0673F72FE62D9C5
Hit:3 https://eu.pkg.bunsenlabs.org/debian helium InRelease
Err:3 https://eu.pkg.bunsenlabs.org/debian helium InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0673F72FE62D9C5
Ign:4 https://cdn-aws.deb.debian.org/debian stretch InRelease
Get:5 https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Err:5 https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
Get:6 https://cdn-aws.deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Err:6 https://cdn-aws.deb.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
Hit:7 https://cdn-aws.deb.debian.org/debian stretch Release
Err:8 https://deb.debian.org/debian stretch Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
Fetched 185 kB in 1s (99.8 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://eu.pkg.bunsenlabs.org/debian stretch-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0673F72FE62D9C5
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://eu.pkg.bunsenlabs.org/debian helium InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0673F72FE62D9C5
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cdn-aws.deb.debian.org/debian-security stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cdn-aws.deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cdn-aws.deb.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: Failed to fetch https://deb.debian.org/debian-security/dists/stretch/updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: Failed to fetch https://deb.debian.org/debian/dists/stretch-updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Failed to fetch http://pkg.bunsenlabs.org/debian/dists/stretch-backports/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0673F72FE62D9C5
W: Failed to fetch https://pkg.bunsenlabs.org/debian/dists/helium/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A0673F72FE62D9C5
W: Failed to fetch http://deb.debian.org/debian/dists/stretch-backports/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Failed to fetch https://deb.debian.org/debian/dists/stretch/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: Some index files failed to download. They have been ignored, or old ones used instead.

Hope you can do something with that... Thanks for your attention!

Offline

#4 2018-08-14 05:21:42

ohnonot
...again
Registered: 2015-09-29
Posts: 5,592

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

mufrious wrote:
wget -nv https://download.opensuse.org/repositories/home:gottcode/Debian_9.0/Release.key -O Release.key
apt-key add - < Release.key

my suspicion is that this is where things went wrong.
who knows; fix it, and maybe simply "grab the binaries" next time?

the fix:
search for the error message: https://www.startpage.com/do/dsearch?query="The+following+signatures+couldn't+be+verified+because+the+public+key+is+not+available"
first useful result (but feel free to look at the others): https://chrisjean.com/fix-apt-get-updat … available/ (of course you should substitute ubuntu servers with something else)

Offline

#5 2018-08-14 11:07:08

mufrious
Member
Registered: 2015-10-02
Posts: 15

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

Thanks again, @ohnonot, for your time.
I think I found a solution, it might be a dirty one, but at least my updates are working now.

But to answer you in the right order:

who knows; fix it, and maybe simply "grab the binaries" next time?

Indeed, that's what I did. No more worries on that part, but I wanted to have the updates...

first useful result (but feel free to look at the others): https://chrisjean.com/fix-apt-get-updat … available/ (of course you should substitute ubuntu servers with something else)

Thanks for the links. That's where I supposed could be the solution. I just have trouble now finding the right address for the debian keyserver. From what I gather, it should be keyring.debian.org. But here is what I get:

root@yorick:/home/miguel# apt-key adv --keyserver keyring.debian.org --recv-keys 8B48AD6246925553
Executing: /tmp/apt-key-gpghome.yHtcDKalfr/gpg.1.sh --keyserver keyring.debian.org --recv-keys 8B48AD6246925553
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Or, using gpg:

root@yorick:/home/miguel# gpg --keyserver keyring.debian.org --recv-keys 8B48AD6246925553
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

I found another lead in the links you proposed:
https://serverfault.com/questions/90697 … s-not-avai
So I tried the solution proposed, but it gave me this:

root@yorick:/home/miguel# curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
gpg: Warning: 1 key skipped due to its large size
gpg: Warning: 1 key skipped due to its large size
OK

I tried the update again, but it remained the same.

I tried again to check the bunenlabs keys I had downloaded, but got the same output:

root@yorick:/home/miguel# gpg --fingerprint BunsenLabs-RELEASE.asc
gpg: error reading key: Pas de clef publique

Then I found this, from a search about "gpg: Warning: 1 key skipped due to its large size":
https://www.reddit.com/r/debian/comments/6i111e/whats_the_deal_with_apt_and_gpg_keys_in_stretch/]
And this particularly drew my attention:

I've ended up getting rid of trusted.gpg (kept a backup though), and it seems to be using the keys from trusted.gpg.d now.

So I gave it a try, after backup of the file of course, and... it worked! All updates are done as they should.
I suppose the focuswriter corrupted somehow that file, or, as the reddit post seems to suggest, an ancient debian bug came back to the surface?
https://bugs.debian.org/cgi-bin/bugrepo … bug=853858
Or maybe all my attempts only added corruption?

I guess I can edit the thread as [SOLVED], unless this is really dirty...

Last edited by mufrious (2018-08-14 11:16:25)

Offline

#6 2018-08-17 14:43:53

mufrious
Member
Registered: 2015-10-02
Posts: 15

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

Ok, so I went a bit further in my investigation, I guess I must not be the only one to be confronted to the same situation, i.e. install third party repositories in stretch. (Maybe I should start a new thread? Or is there one yet I didn't find?)

The way to add non-debian repositories seems to have changed with Stretch, although the info seems to be difficult to get through, as many sites proposing repos for debian systems still present  instructions only valid for Jessie, leading to mismatches.

As it says here What's new in Debian 9, and particularly here:

The APT-based package managers have also gotten a number of improvements that will remove the annoying “hash sum mismatch” warning that occurs when running apt during a mirror synchronization. This happens via the new by-hash layout, which enables APT to download metadata files by their content hash.

If you use third-party repositories, you may still experience these intermittent issues, if the vendor does not provide the by-hash layout. Please recommend them to adopt this layout change. A very short technical description is available in the Repository format description.

I found the new way of doing things in a bug report conversation with an apt maintainer (in Feb. 2017...): https://bugs.debian.org/cgi-bin/bugrepo … =853858#10.

This is how it should be done, according to him:

Remote repositories should be added by fetching a binary key and placing it in
the local file system.

for Debian 9 ("stretch") and later, you should place these keys (in
binary form) someplace within /usr/local/share/keyrings/ and add a
"Signed-By:" option to the relevant apt sources (see sources.list(5)).

This makes it so that the special key is only authorized for the
specific repository.

Not sure I understand correctly...

  • It seems that stretch is still using the old locations for the keys in /etc/apt. (But maybe it's normal, and after installing they get collected there as well, they don't have to be placed there.)

  • Second, I did find a /usr/share/keyrings, but no /usr/local/share/keyrings. It's not clear if your supposed to do that yourself, and create your subdirectory (as you'd for fonts, for instance) or if it's the job of the third party maintainer to create one if it doesn't exist.

And maybe these instructions are obsolete by now, I don't know.

I came across this other way of solving the problem. It's about that same file that gets somehow corrupted, /etc/apt/trusted.gpg (the file, not /etc/apt/trusted.gpg.d): https://serverfault.com/questions/85172 … und/860031

I was interested in Mathias's answer, which I quote here:

Mathias wrote:

It was in fact the file /etc/apt/trusted.gpg that got corrupted. After making a backup copy of this file, I re-imported into gpg the debian signing keys: 8B48AD6246925553, etc (see https://ftp-master.debian.org/keys.html): gpg --keyserver keyring.debian.org --recv-keys 8B48AD6246925553

Then deleted the file "trusted.gpg" and I used gpg to export the keys into /etc/apt/trusted.gpg: gpg --export 8B48AD646925553 >> trusted.gpg

Do it for each key, and apt-get works again!!

I tried to apply it to the focuswriter repo, for instance, but it didn't work. There's a "Release.gpg" available but it didn't come through right.
I guess Mathias's post concerns only debian keys, and it's not needed, as apt works well without the trusted.gpg file.

Basically there seems to be a general lack of communication about this new version of apt, and a precise how to for the users...

What do you guys think about that?

Offline

#7 2018-08-20 06:55:34

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,674
Website

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

mufrious wrote:

The way to add non-debian repositories seems to have changed with Stretch, although the info seems to be difficult to get through, as many sites proposing repos for debian systems still present  instructions only valid for Jessie, leading to mismatches.

Apt added new options with Stretch, but the old sources.list entries still work, as do the old ways of adding keys. However the 'apt-key add' command is now deprecated in favour of putting the file straight in /etc/apt/trusted.gpg.d https://bugs.debian.org/cgi-bin/bugrepo … bug=851774
Even more secure is to use /usr/local/share/keyrings/ with a "signed-by" option, but that's not mandatory.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop

Offline

#8 2018-08-20 10:16:23

mufrious
Member
Registered: 2015-10-02
Posts: 15

Re: [SOLVED] Trying to recover from apt-get update error: NO_PUBKEY

Ok. Thanks so much for this simple way of putting things, and thanks for the link, which explains a lot of things.
I'll still look around for that "Signed by" option, which is still a little bit obscure to me.
I'll mark this as [SOLVED]!
Thanks again.

Last edited by mufrious (2018-08-20 10:25:10)

Offline

Board footer

Powered by FluxBB