Ubuntu and update errors are inseparable. Every now and then I encounter errors while updating the system after adding a new source. The other day I was trying to install Mate desktop environment when I got this GPG error while updating the system:
W: GPG error: http://repo.mate-desktop.org saucy InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 68980A0EA10B4DE8
Here’s a screenshot of the error:
In this quick post I’ll show you how to fix this W: GPG error: The following signatures couldn’t be verified because the public key is not available: NO error. I’ll also explain why you see this error in the first place and how the solution I mention fixes the error.
Fix GPG error: The following signatures couldn’t be verified
The error tells you that your system cannot identify a certain GPG public key (PUBKEY). What you need to do is to fetch this public key in the system.
Get the key number from the error message displayed on your system. In the above message, the unidentified key is 68980A0EA10B4DE8. It will be something different for you.
Now add this public key to your Ubuntu system using the apt-key command:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 68980A0EA10B4DE8
If you see a warning message about apt-key command being deprecated, please ignore it.
The above command will add the key to the system. Just do an sudo apt-get update and you should not see this error anymore.
Now that you know how to fix this error, learn why this error occurs and how it was fixed.
Why do you see this error?
The APT package manager on Ubuntu and Debian-based distributions employs a trust/security mechanism with GPG. Like SSH, GPG also has public-private key pair. Public key is shared and private key is kept secret.
Every repository, be it from Ubuntu itself or a PPA or a third party repository, is signed with GPG keys by its developer. When you add a repository to your system, the public GPG key of its developer is added in trusted GPG keys on your system. This ensures that your Linux system trusts the packages coming from the repository.
You can see the GPG keys stored on your system using this command:
As you can see in the screenshot above, some GPG keys also have expiry dates. If the developer doesn’t renew his/her keys or if the developer changes the key, your system will complain about it.
And that’s exactly what happened in the error in my case. Probably the developer changed the GPG key and signed the repository with the new key. Since this new public key was not added in the trusted GPG key of the system, Ubuntu doesn’t download the packages from this particular repository and informs you that it could not verify the mentioned key.
So far, so good? Now, to solve the problem, what you did was to add the new, unverified key to your system’s trusted GPG key. With that, your system starts trusting the repositories signed by that GPG key and you don’t see the error anymore.
But that leaves you wondering with another question:
Should you blindly add the new GPG key?
Nope. You can always double check if the changed GPG key is actually coming from the developer or not.
How do you do that? From the developer’s repository page. I mean, usually developers have a page with this installation instructions on their project page. They mention the GPG key there. If the key was changed, the installation page should mention it. Otherwise, you may contact the developer.
If you used a PPA, you can go to the PPA page on Launchpad, click on the maintainer’s profile and you can see the public GPG key on this profile. You can match it with the changed key.
Of course, in all this, you are trusting the developer to provide you the correct repository and package. Well, you trusted the developer in the first place so unless you have good reasons against it, you may trust the developer again.
I hope you not only fixed the “The following signatures couldn’t be verified” error, you also know why it happened and how it was fixed.
Questions? Suggestions? The comment section is all yours.