How to Fix “The following signatures couldn’t be verified” Error in Ubuntu Linux

Ubuntu and update errors are inseparable. Every now and then I encounter errors while updating the system after adding a new source. The other day I was trying to install Mate desktop environment when I got this GPG error while updating the system:

W: GPG error: http://repo.mate-desktop.org saucy InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 68980A0EA10B4DE8

Here’s a screenshot of the error:

W GPG Error The following signatures couldn't be verified because the public key is not available:

In this quick post I’ll show you how to fix this W: GPG error: The following signatures couldn’t be verified because the public key is not available: NO error. I’ll also explain why you see this error in the first place and how the solution I mention fixes the error.

Fix GPG error: The following signatures couldn’t be verified

The error tells you that your system cannot identify a certain GPG public key (PUBKEY). What you need to do is to fetch this public key in the system.

Get the key number from the error message displayed on your system. In the above message, the unidentified key is 68980A0EA10B4DE8. It will be something different for you.

Now add this public key to your Ubuntu system using the apt-key command:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 68980A0EA10B4DE8

If you see a warning message about apt-key command being deprecated, please ignore it.

The above command will add the key to the system. Just do an sudo apt-get update and you should not see this error anymore.

Now that you know how to fix this error, learn why this error occurs and how it was fixed.

Why do you see this error?

The APT package manager on Ubuntu and Debian-based distributions employs a trust/security mechanism with GPG. Like SSH, GPG also has public-private key pair. Public key is shared and private key is kept secret.

Every repository, be it from Ubuntu itself or a PPA or a third party repository, is signed with GPG keys by its developer. When you add a repository to your system, the public GPG key of its developer is added in trusted GPG keys on your system. This ensures that your Linux system trusts the packages coming from the repository.

You can see the GPG keys stored on your system using this command:

apt-key list
list apt key gpg ubuntu
GPG keys added to my Ubuntu system

As you can see in the screenshot above, some GPG keys also have expiry dates. If the developer doesn’t renew his/her keys or if the developer changes the key, your system will complain about it.

And that’s exactly what happened in the error in my case. Probably the developer changed the GPG key and signed the repository with the new key. Since this new public key was not added in the trusted GPG key of the system, Ubuntu doesn’t download the packages from this particular repository and informs you that it could not verify the mentioned key.

So far, so good? Now, to solve the problem, what you did was to add the new, unverified key to your system’s trusted GPG key. With that, your system starts trusting the repositories signed by that GPG key and you don’t see the error anymore.

But that leaves you wondering with another question:

Should you blindly add the new GPG key?

Nope. You can always double check if the changed GPG key is actually coming from the developer or not.

How do you do that? From the developer’s repository page. I mean, usually developers have a page with this installation instructions on their project page. They mention the GPG key there. If the key was changed, the installation page should mention it. Otherwise, you may contact the developer.

If you used a PPA, you can go to the PPA page on Launchpad, click on the maintainer’s profile and you can see the public GPG key on this profile. You can match it with the changed key.

Of course, in all this, you are trusting the developer to provide you the correct repository and package. Well, you trusted the developer in the first place so unless you have good reasons against it, you may trust the developer again.

I hope you not only fixed the “The following signatures couldn’t be verified” error, you also know why it happened and how it was fixed.

Questions? Suggestions? The comment section is all yours.

Similar Posts

  • Hello, thank you for your tutorial.
    Apparently the apt-key key management utility has been deprecated.

    I tried to “apt-key del C99B11DEB97541F0
    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

    Do you know of a workaround for this?

    Thank you very much.

      • Hello Abhishek,
        Thank you.

        This is the output when I run the command from the tutorial to remove the key.

        sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys C99B11DEB97541F0

        Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
        Executing: /tmp/apt-key-gpghome.DIdxt3Jtlr/gpg.1.sh –keyserver keyserver.ubuntu.com –recv-keys C99B11DEB97541F0
        gpg: key C99B11DEB97541F0: public key “Nate Smith ” imported
        gpg: Total number processed: 1
        gpg: imported: 1
        [email protected]:~#

        If I do apt-key list I get this output

        Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
        /etc/apt/trusted.gpg
        ——————–
        pub dsa1024 2007-03-08 [SC]
        4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
        uid [ unknown] Google, Inc. Linux Package Signing Key
        sub elg2048 2007-03-08 [E]

        pub rsa4096 2016-04-12 [SC]
        EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
        uid [ unknown] Google Inc. (Linux Packages Signing Authority)
        sub rsa4096 2021-10-26 [S] [expires: 2024-10-25]

        pub rsa3072 2020-09-02 [SC] [expired: 2022-09-02]
        2CA3 2056 ED20 6CB8 1F44 A8CA C99B 11DE B975 41F0
        uid [ expired] Nate Smith

        /etc/apt/trusted.gpg.d/ansible-ubuntu-ansible.gpg
        ————————————————-
        pub rsa4096 2014-06-10 [SC]
        6125 E2A8 C77F 2818 FB7B D15B 93C4 A3FD 7BB9 C367
        uid [ unknown] Launchpad PPA for Ansible, Inc.

        /etc/apt/trusted.gpg.d/apandada1-ubuntu-xournalpp-stable.gpg
        ————————————————————
        pub rsa1024 2013-03-25 [SC]
        95AC DEBD 8BFF 99AB E0F2 6A49 A507 B2BB A780 3E3B
        uid [ unknown] Launchpad PPA for Archisman Panigrahi

        /etc/apt/trusted.gpg.d/bablu-boy-ubuntu-nutty_0_1.gpg
        —————————————————–
        pub rsa4096 2015-07-13 [SC]
        6799 5A98 0C0F 7407 16B3 3F4B C323 4B38 19D5 2D77
        uid [ unknown] Launchpad PPA for Siddhartha Das

        /etc/apt/trusted.gpg.d/doctormo-ubuntu-wacom-plus.gpg
        —————————————————–
        pub rsa1024 2009-01-21 [SC]
        C7B9 C502 74F4 E032 B70A B2EA 15A5 79BF 1136 59DF
        uid [ unknown] Launchpad PPA for Martin Owens

        /etc/apt/trusted.gpg.d/git-core-ubuntu-ppa.gpg
        ———————————————-
        pub rsa1024 2009-01-22 [SC]
        E1DD 2702 88B4 E603 0699 E45F A171 5D88 E1DF 1F24
        uid [ unknown] Launchpad PPA for Ubuntu Git Maintainers

        /etc/apt/trusted.gpg.d/google-chrome.gpg
        —————————————-
        pub rsa4096 2016-04-12 [SC]
        EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
        uid [ unknown] Google Inc. (Linux Packages Signing Authority)
        sub rsa4096 2021-10-26 [S] [expires: 2024-10-25]

        /etc/apt/trusted.gpg.d/gwibber-daily-ubuntu-ppa.gpg
        —————————————————
        pub rsa1024 2009-02-06 [SC]
        06D1 ED00 EB80 2A66 6406 96C8 D0AF F968 72D3 40A3
        uid [ unknown] Launchpad PPA for gwibber-daily

        /etc/apt/trusted.gpg.d/hluk-ubuntu-copyq.gpg
        ——————————————–
        pub rsa4096 2017-03-10 [SC]
        407D CF21 58B8 4056 D11B BC94 4F0B 2F06 AA07 D22F
        uid [ unknown] Launchpad PPA for Lukas Holecek

        /etc/apt/trusted.gpg.d/microsoft-prod.gpg
        —————————————–
        pub rsa2048 2015-10-28 [SC]
        BC52 8686 B50D 79E3 39D3 721C EB3E 94AD BE12 29CF
        uid [ unknown] Microsoft (Release signing)

        /etc/apt/trusted.gpg.d/smoser-ubuntu-bluetooth.gpg
        ————————————————–
        pub rsa1024 2009-10-27 [SC]
        B59D 5F15 97A5 04B7 E230 6DCA 0620 BBCF 0368 3F77
        uid [ unknown] Launchpad PPA for Scott Moser

        /etc/apt/trusted.gpg.d/tualatrix-ubuntu-next.gpg
        ————————————————
        pub rsa1024 2009-01-19 [SC]
        FE85 409E EAB4 0ECC B657 4081 6AF0 E194 0624 A220
        uid [ unknown] Launchpad PPA for TualatriX

        /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
        ——————————————————
        pub rsa4096 2012-05-11 [SC]
        8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
        uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012)

        /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
        ——————————————————
        pub rsa4096 2018-09-17 [SC]
        F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
        uid [ unknown] Ubuntu Archive Automatic Signing Key (2018)

        What I notice is that the key in question has been removed.

        So thank you.

      • Hello again Abhisek,

        I just did a check again as I am attempting to upgrade a Ubuntu distro ( 21.04 ) and when I do so I am still getting an error message about the key I thought was deleted.
        Can you suggest why this is still appearing and maybe how to
        correct it?

        Here is the output: Thank you for any assistance.

        W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG C99B11DEB97541F0 Nate Smith

        E: The repository ‘https://cli.github.com/packages stable InRelease’ is not signed.
        N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
        N: See apt-secure(8) manpage for repository creation and user configuration details.
        E: The repository ‘http://mirrors.kernel.org/ubuntu ./ Release’ does not have a Release file.
        N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
        N: See apt-secure(8) manpage for repository creation and user configuration details.
        E: The repository ‘http://ppa.launchpad.net/bablu-boy/nutty.0.1/ubuntu hirsute Release’ does not have a Release file.
        N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
        N: See apt-secure(8) manpage for repository creation and user configuration details.
        W: Target Sources (restricted/source/Sources) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:6
        W: Target Sources (main/source/Sources) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:6
        W: Target Sources (restricted/source/Sources) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:6
        W: Target Sources (main/source/Sources) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list:6

        • Ubuntu 21.04 has been discontinued since the beginning of this year. This is why you see those “does not have a release file” errors.

          For the “configured multiple times”, it means that you changed the sources.list file and added the same entries multiple times.

          If it’s not an issue, copy the data on an external disk and fresh install Ubuntu 22.04.