+++
title = 'Problems with apt-keys on my hotspots'
summary = '''For some reasons apt wasn't able to verify the repositories
signing keys on my Raspberry-Pi based hotspots and this is how I fixed it.'''
date = '2023-08-05T08:36:38+02:00'
lastmod = '2023-08-05T07:35:46+0000'
categories = [ 'amateur-radio' ]
tags = [ 'hotspot', 'pistar', 'raspberry-pi' ]

+++

It is about a few times a year when something is broken on a linux system. Today (actually yesterday
but I couldn't stay up much longer and I was already fed up with this sh\*\*) I upgraded my two
raspberry-pi based hotspots and realized when apt couldn't verify the repositories signing keys
because of missing keys.

This happens usually on *any linux distribution* at least *once a year*.
So it shouldn't be a big deal but it consumes time and I usually have to look into manpages and/or
online help again because I already forgot how I fixed it the last time...

Today, I write it down below.

## What the error looks like

When running `sudo apt update`:

```console
$ sudo apt update
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
Get:5 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15,0 kB]
Err:1 http://httpredir.debian.org/debian bullseye-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Reading package lists... Done
W: GPG error: http://httpredir.debian.org/debian bullseye-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://httpredir.debian.org/debian bullseye-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

## Obtain the keys

```console
$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853
gpg: keybox '/home/pi-star/.gnupg/pubring.kbx' created
gpg: /home/pi-star/.gnupg/trustdb.gpg: trustdb created
gpg: key A48449044AAD5C5D: public key "Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
gpg: key B7C5D7D6350947F8: public key "Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>" imported
gpg: key 73A4F27B8DD47936: public key "Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
gpg: Total number processed: 4
gpg:               imported: 4
```

## Import the keys

This still works, though, there is a [better method](https://stackoverflow.com/a/71384057)
for future encounters.

```console
$ gpg -a --export 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853 | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
```

## The resulting update process

```console
$ sudo apt update
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
Hit:2 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Get:3 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
Hit:5 http://archive.raspberrypi.org/debian bullseye InRelease
Get:6 http://httpredir.debian.org/debian bullseye-backports/main armhf Packages [415 kB]
Get:7 http://httpredir.debian.org/debian bullseye-backports/main Translation-en [353 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [248 kB]
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [164 kB]
Get:10 http://httpredir.debian.org/debian bullseye-backports/contrib armhf Packages [4.680 B]
Get:11 http://httpredir.debian.org/debian bullseye-backports/contrib Translation-en [5.984 B]
Get:12 http://httpredir.debian.org/debian bullseye-backports/non-free armhf Packages [9.072 B]
Get:13 http://httpredir.debian.org/debian bullseye-backports/non-free Translation-en [27,7 kB]
Get:14 http://security.debian.org/debian-security bullseye-security/non-free Translation-en [464 B]
Get:15 http://deb.debian.org/debian bullseye-updates/main armhf Packages [14,7 kB]
Get:16 http://deb.debian.org/debian bullseye-updates/main Translation-en [9.964 B]
Fetched 1.253 kB in 4s (282 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
```

## Another way (quicker) but untested

This should also work like the above (until <abbr title="End of life">EOL</abbr> of `apt-key`).

```console
$ apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853
```

## Final words

I got that feeling: the next time I'd need this, `apt-key` will not work and got fully replaced
by signing keys in <kbd>/etc/apt/keyrings</kbd>...

Inspired by this post: <https://superuser.com/a/1485255>

As the default keyserver strips user-ids they cannot imported without
the `--keyserver` switch.