You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
6.9 KiB
125 lines
6.9 KiB
+++
|
|
title = 'Problems with apt-keys on my hotspots'
|
|
aliases = '/posts/2023-08-05-problems-with-apt-keys-on-my-hotspots'
|
|
summary = '''For some reasons apt wasn't able to verify the repositories
|
|
signing keys on my Raspberry-Pi based hotspots and this is how I fixed it.'''
|
|
date = '2023-08-05T08:36:38+02:00'
|
|
lastmod = '2024-09-28T23:48:07+0000'
|
|
categories = [ 'amateur-radio' ]
|
|
tags = [ 'hotspot', 'pistar', 'raspberry-pi' ]
|
|
|
|
+++
|
|
|
|
It is about a few times a year when something is broken on a linux system. Today (actually yesterday
|
|
but I couldn't stay up much longer and I was already fed up with this sh\*\*) I upgraded my two
|
|
raspberry-pi based hotspots and realized when apt couldn't verify the repositories signing keys
|
|
because of missing keys.
|
|
|
|
This happens usually on _any linux distribution_ at least _once a year_.
|
|
So it shouldn't be a big deal but it consumes time and I usually have to look into manpages and/or
|
|
online help again because I already forgot how I fixed it the last time...
|
|
|
|
Today, I write it down below.
|
|
|
|
## What the error looks like
|
|
|
|
When running `sudo apt update`:
|
|
|
|
```console
|
|
$ sudo apt update
|
|
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
|
|
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
|
|
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
|
|
Hit:4 http://archive.raspberrypi.org/debian bullseye InRelease
|
|
Get:5 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15,0 kB]
|
|
Err:1 http://httpredir.debian.org/debian bullseye-backports InRelease
|
|
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
|
|
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
|
|
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
|
|
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
|
|
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
|
|
Reading package lists... Done
|
|
W: GPG error: http://httpredir.debian.org/debian bullseye-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
|
|
E: The repository 'http://httpredir.debian.org/debian bullseye-backports InRelease' is not signed.
|
|
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
|
|
N: See apt-secure(8) manpage for repository creation and user configuration details.
|
|
W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
|
|
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
|
|
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
|
|
N: See apt-secure(8) manpage for repository creation and user configuration details.
|
|
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
|
|
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
|
|
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
|
|
N: See apt-secure(8) manpage for repository creation and user configuration details.
|
|
```
|
|
|
|
## Obtain the keys
|
|
|
|
```console
|
|
$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853
|
|
gpg: keybox '/home/pi-star/.gnupg/pubring.kbx' created
|
|
gpg: /home/pi-star/.gnupg/trustdb.gpg: trustdb created
|
|
gpg: key A48449044AAD5C5D: public key "Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
|
|
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
|
|
gpg: key B7C5D7D6350947F8: public key "Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>" imported
|
|
gpg: key 73A4F27B8DD47936: public key "Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>" imported
|
|
gpg: Total number processed: 4
|
|
gpg: imported: 4
|
|
```
|
|
|
|
## Import the keys
|
|
|
|
This still works, though, there is a [better method](https://stackoverflow.com/a/71384057)
|
|
for future encounters.
|
|
|
|
```console
|
|
$ gpg -a --export 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853 | sudo apt-key add -
|
|
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
|
|
OK
|
|
```
|
|
|
|
## The resulting update process
|
|
|
|
```console
|
|
$ sudo apt update
|
|
Get:1 http://httpredir.debian.org/debian bullseye-backports InRelease [49,0 kB]
|
|
Hit:2 http://raspbian.raspberrypi.org/raspbian bullseye InRelease
|
|
Get:3 http://security.debian.org/debian-security bullseye-security InRelease [48,4 kB]
|
|
Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44,1 kB]
|
|
Hit:5 http://archive.raspberrypi.org/debian bullseye InRelease
|
|
Get:6 http://httpredir.debian.org/debian bullseye-backports/main armhf Packages [415 kB]
|
|
Get:7 http://httpredir.debian.org/debian bullseye-backports/main Translation-en [353 kB]
|
|
Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [248 kB]
|
|
Get:9 http://security.debian.org/debian-security bullseye-security/main Translation-en [164 kB]
|
|
Get:10 http://httpredir.debian.org/debian bullseye-backports/contrib armhf Packages [4.680 B]
|
|
Get:11 http://httpredir.debian.org/debian bullseye-backports/contrib Translation-en [5.984 B]
|
|
Get:12 http://httpredir.debian.org/debian bullseye-backports/non-free armhf Packages [9.072 B]
|
|
Get:13 http://httpredir.debian.org/debian bullseye-backports/non-free Translation-en [27,7 kB]
|
|
Get:14 http://security.debian.org/debian-security bullseye-security/non-free Translation-en [464 B]
|
|
Get:15 http://deb.debian.org/debian bullseye-updates/main armhf Packages [14,7 kB]
|
|
Get:16 http://deb.debian.org/debian bullseye-updates/main Translation-en [9.964 B]
|
|
Fetched 1.253 kB in 4s (282 kB/s)
|
|
Reading package lists... Done
|
|
Building dependency tree... Done
|
|
Reading state information... Done
|
|
All packages are up to date.
|
|
```
|
|
|
|
## Another way (quicker) but untested
|
|
|
|
This should also work like the above (until <abbr title="End of life">EOL</abbr> of `apt-key`).
|
|
|
|
```console
|
|
$ apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 0E98404D386FA1D9 6ED0E7B82643E131 112695A0E562B32A 54404762BBB6E853
|
|
```
|
|
|
|
## Final words
|
|
|
|
I got that feeling: the next time I'd need this, `apt-key` will not work and got fully replaced
|
|
by signing keys in <kbd>/etc/apt/keyrings</kbd>...
|
|
|
|
Inspired by this post: <https://superuser.com/a/1485255>
|
|
|
|
As the default keyserver strips user-ids they cannot imported without
|
|
the `--keyserver` switch.
|