Ubuntu and update errors are inseparable. Every now and then I encounter errors while updating the system after adding a new source. The other day I was trying to install Mate desktop environment when I got this GPG error while updating the system:
W: GPG error: http://repo.mate-desktop.org saucy InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 68980A0EA10B4DE8
Here’s a screenshot of the error:
In this quick post I’ll show you how to fix this W: GPG error: The following signatures couldn’t be verified because the public key is not available: NO error. I’ll also explain why you see this error in the first place and how the solution I mention fixes the error.
Fix GPG error: The following signatures couldn’t be verified
The error tells you that your system cannot identify a certain GPG public key (PUBKEY). What you need to do is to fetch this public key in the system.
Get the key number from the error message displayed on your system. In the above message, the unidentified key is 68980A0EA10B4DE8. It will be something different for you.
Now add this public key to your Ubuntu system using the apt-key command:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 68980A0EA10B4DE8If you see a warning message about apt-key command being deprecated, please ignore it.
The above command will add the key to the system. Just do an sudo apt-get update and you should not see this error anymore.
Now that you know how to fix this error, learn why this error occurs and how it was fixed.
Why do you see this error?
The APT package manager on Ubuntu and Debian-based distributions employs a trust/security mechanism with GPG. Like SSH, GPG also has public-private key pair. Public key is shared and private key is kept secret.
Every repository, be it from Ubuntu itself or a PPA or a third party repository, is signed with GPG keys by its developer. When you add a repository to your system, the public GPG key of its developer is added in trusted GPG keys on your system. This ensures that your Linux system trusts the packages coming from the repository.
You can see the GPG keys stored on your system using this command:
apt-key list
As you can see in the screenshot above, some GPG keys also have expiry dates. If the developer doesn’t renew his/her keys or if the developer changes the key, your system will complain about it.
And that’s exactly what happened in the error in my case. Probably the developer changed the GPG key and signed the repository with the new key. Since this new public key was not added in the trusted GPG key of the system, Ubuntu doesn’t download the packages from this particular repository and informs you that it could not verify the mentioned key.
So far, so good? Now, to solve the problem, what you did was to add the new, unverified key to your system’s trusted GPG key. With that, your system starts trusting the repositories signed by that GPG key and you don’t see the error anymore.
But that leaves you wondering with another question:
Should you blindly add the new GPG key?
Nope. You can always double check if the changed GPG key is actually coming from the developer or not.
How do you do that? From the developer’s repository page. I mean, usually developers have a page with this installation instructions on their project page. They mention the GPG key there. If the key was changed, the installation page should mention it. Otherwise, you may contact the developer.
If you used a PPA, you can go to the PPA page on Launchpad, click on the maintainer’s profile and you can see the public GPG key on this profile. You can match it with the changed key.
Of course, in all this, you are trusting the developer to provide you the correct repository and package. Well, you trusted the developer in the first place so unless you have good reasons against it, you may trust the developer again.
I hope you not only fixed the “The following signatures couldn’t be verified” error, you also know why it happened and how it was fixed.
Questions? Suggestions? The comment section is all yours.
W: GPG error: http://deb.i2p2.no unstable InRelease: The following signatures were invalid: EXPKEYSIG 67ECE5605BCF1346 I2P Debian Package Repository
E: The repository ‘http://deb.i2p2.no unstable InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
WHAT NOW ???
The keys used to sign the repository has been expired.
You can check the developer’s website and see there is any information on the updated GPG key.
I can see some information on downloading the Key and installing it here: https://deb.i2p2.de/
I have found your explanations and the solutions you provide very helpful. Thank you very much.
Glad you liked it, Mark :)
I cannot fix my issue, please help me it’s been several hours.
I get this when running apt-update in my Kali Linux.
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY ED444FF07D8D0BF6
I’ve tried several things.
Like:
sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys ED444FF07D8D0BF6
and many other ways.
Please help me with this.
Thanks! :)
Which repository does it complain about? You may have to get the GPG key from that repository, instead of getting it from Ubuntu’s repositories.
sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 6ED91CA3AC1160CD
Executing: /tmp/apt-key-gpghome.5R1zQLLPot/gpg.1.sh –keyserver keyserver.ubuntu.com –recv-keys 6ED91CA3AC1160CD
gpg: key DDCAE044F796ECB0: “NVIDIA CORPORATION (Open Source Projects) ” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
#####Nothing change what should I do? :)
sudo apt-get update
Hit:1 http://tr.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://tr.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://ppa.launchpad.net/graphics-drivers/ppa/ubuntu focal InRelease
Hit:4 http://tr.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:6 http://ppa.launchpad.net/oibaf/graphics-drivers/ubuntu focal InRelease
Hit:7 https://nvidia.github.io/libnvidia-container/experimental/ubuntu18.04/amd64 InRelease
Hit:8 https://storage.googleapis.com/bazel-apt stable InRelease
Hit:9 https://brave-browser-apt-release.s3.brave.com stable InRelease
Hit:10 https://download.docker.com/linux/ubuntu focal InRelease
Get:11 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:12 https://nvidia.github.io/nvidia-container-runtime/experimental/ubuntu18.04/amd64 InRelease [1,149 B]
Ign:13 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64 InRelease
Hit:14 http://repo.ros2.org/ubuntu/main focal InRelease
Hit:15 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64 Release
Get:5 https://mirrors.nxthost.com/ctan/systems/win32/miktex/setup/deb focal InRelease [2,029 B]
Hit:16 https://nvidia.github.io/libnvidia-container/stable/ubuntu18.04/amd64 InRelease
Hit:17 https://nvidia.github.io/nvidia-container-runtime/stable/ubuntu18.04/amd64 InRelease
Err:12 https://nvidia.github.io/nvidia-container-runtime/experimental/ubuntu18.04/amd64 InRelease
The following signatures were invalid: EXPKEYSIG 6ED91CA3AC1160CD NVIDIA CORPORATION (Open Source Projects)
Hit:18 https://nvidia.github.io/nvidia-docker/ubuntu18.04/amd64 InRelease
Hit:20 https://download.sublimetext.com apt/dev/ InRelease
Hit:21 http://packages.ros.org/ros2/ubuntu focal InRelease
Get:23 http://security.ubuntu.com/ubuntu focal-security/main amd64 DEP-11 Metadata [24.5 kB]
Get:24 http://security.ubuntu.com/ubuntu focal-security/universe amd64 DEP-11 Metadata [60.9 kB]
Get:25 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 DEP-11 Metadata [2,468 B]
Hit:22 https://packagecloud.io/dirk-thomas/colcon/ubuntu focal InRelease
Hit:26 https://packagecloud.io/github/git-lfs/ubuntu focal InRelease
Reading package lists… Done
W: GPG error: https://nvidia.github.io/nvidia-container-runtime/experimental/ubuntu18.04/amd64 InRelease: The following signatures were invalid: EXPKEYSIG 6ED91CA3AC1160CD NVIDIA CORPORATION (Open Source Projects)
E: The repository ‘https://nvidia.github.io/nvidia-container-runtime/experimental/ubuntu18.04/amd64 InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Skipping acquire of configured file ‘universe/binary-i386/Packages’ as repository ‘http://miktex.org/download/ubuntu focal InRelease’ doesn’t support architecture ‘i386’
Seems GPG key of Nvidia repository expired. You can add it again:
curl -s -L https://nvidia.github.io/nvidia-container-runtime/gpgkey | sudo apt-key add –