+++
title = 'Problems with apt-keys on my hotspots'
aliases = '/posts/2023-08-05-problems-with-apt-keys-on-my-hotspots'
summary = '''For some reason apt wasn't able to verify the repositories' signing keys on my Raspberry-Pi based hotspots and this is how I fixed it.'''
date = '2023-08-05T08:36:38+02:00'
lastmod = '2023-11-18T22:01:29+0000'
categories = [ 'amateur-radio' ]
tags = [ 'hotspot', 'pistar', 'raspberry-pi' ]
+++

A few times a year something breaks on a Linux system. Today (actually yesterday, but I couldn't stay up much longer and I was already fed up with this sh**) I upgraded my two Raspberry Pi based hotspots and realized that apt couldn't verify the repositories' signing keys because of missing keys.

This usually happens on any Linux distribution at least once a year. So it shouldn't be a big deal, but it consumes time and I usually have to look into manpages and/or online help again because I already forgot how I fixed it the last time...

Today, I write it down below.

What the error looks like

When running sudo apt update:

$ sudo apt update
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
Get:5 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15,0 kB]
Err:1 http://httpredir.debian.org/debian bullseye-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Reading package lists... Done
W: GPG error: http://httpredir.debian.org/debian bullseye-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://httpredir.debian.org/debian bullseye-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Obtain the keys

$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853
gpg: keybox '/home/pi-star/.gnupg/pubring.kbx' created
gpg: /home/pi-star/.gnupg/trustdb.gpg: trustdb created
gpg: key A48449044AAD5C5D: public key "Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
gpg: key B7C5D7D6350947F8: public key "Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>" imported
gpg: key 73A4F27B8DD47936: public key "Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
gpg: Total number processed: 4
gpg:               imported: 4

Import the keys

This still works, though there is a better method for future encounters.

$ gpg -a --export 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853 | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
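
An added example, not part of the original post: it pulls the missing key IDs out of the apt output and writes the fetched keys to a keyring file in trusted.gpg.d, as the deprecation warning above suggests, instead of piping them to `apt-key add`. The function names and the file name `debian-archive-extra.gpg` are assumptions, and the sample output is constructed from the error shown earlier.

```shell
#!/bin/sh
# Added example; function names and the keyring file name are assumptions.

# Read apt output on stdin and print each missing key ID once.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-F]{16}' | awk '{print $2}' | LC_ALL=C sort -u
}

# Constructed sample, abridged from the apt output shown in this post.
sample_apt_output() {
    cat <<'EOF'
Err:1 http://httpredir.debian.org/debian bullseye-backports InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
EOF
}

# Fetch the keys into a throw-away GnuPG home, print their fingerprints so
# they can be compared with the ones Debian publishes, ask for confirmation,
# then install them as one binary keyring.
# A file in trusted.gpg.d is trusted for every repository; a file in
# /etc/apt/keyrings only applies where a sources.list entry names it
# with signed-by=.
install_keys() {
    dest=$1; shift
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --keyserver hkps://keyserver.ubuntu.com --recv-keys "$@" &&
        gpg --homedir "$tmp" --fingerprint "$@" &&
        printf 'Install these keys into %s? [y/N] ' "$dest" &&
        read -r answer && [ "$answer" = y ] &&
        gpg --homedir "$tmp" --export "$@" > "$tmp/export.gpg" &&
        sudo install -m 0644 "$tmp/export.gpg" "$dest"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Offline demonstration: list the key IDs found in the sample.
sample_apt_output | missing_key_ids

# On the affected system (needs network access and sudo):
#   install_keys /etc/apt/trusted.gpg.d/debian-archive-extra.gpg \
#       $(sudo apt-get update 2>&1 | missing_key_ids)
```

The 16-character IDs in the `NO_PUBKEY` message are only key IDs, so the full fingerprints printed before the prompt are what to compare.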

The resulting update process

$ sudo apt update
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
Hit:2 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
Get:3 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
Hit:5 http://archive.raspberrypi.org/debian bullseye InRelease
Get:6 http://httpredir.debian.org/debian bullseye-backports/main armhf Packages [415 kB]
Get:7 http://httpredir.debian.org/debian bullseye-backports/main Translation-en [353 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [248 kB]
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [164 kB]
Get:10 http://httpredir.debian.org/debian bullseye-backports/contrib armhf Packages [4.680 B]
Get:11 http://httpredir.debian.org/debian bullseye-backports/contrib Translation-en [5.984 B]
Get:12 http://httpredir.debian.org/debian bullseye-backports/non-free armhf Packages [9.072 B]
Get:13 http://httpredir.debian.org/debian bullseye-backports/non-free Translation-en [27,7 kB]
Get:14 http://security.debian.org/debian-security bullseye-security/non-free Translation-en [464 B]
Get:15 http://deb.debian.org/debian bullseye-updates/main armhf Packages [14,7 kB]
Get:16 http://deb.debian.org/debian bullseye-updates/main Translation-en [9.964 B]
Fetched 1.253 kB in 4s (282 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

Another way (quicker) but untested

This should also work like the above (until EOL of apt-key).

$ apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853

Final words

I've got that feeling: the next time I need this, apt-key will no longer work and will have been fully replaced by signing keys in /etc/apt/keyrings...

Inspired by this post: https://superuser.com/a/1485255

As the default keyserver strips user IDs, the keys cannot be imported without the --keyserver switch.