Fixing missing public keys during Debian package update

From time to time Debian users come across an error such as this while running apt-get update:

W: GPG error: ftp://ftp.debian.org testing Release:
The following signatures couldn't be verified
because the public key is not available:
NO_PUBKEY 010908312D230C5F
W: You may want to run apt-get update
to correct these problems

Why this happens: packages distributed through the Debian package network are digitally signed to ensure their authenticity, which is obviously a very good idea. Every now and then, the keys used to sign them are changed. The above message tells you that your local system has fallen behind and doesn’t have the latest key needed to verify them.

This is very easily fixed. First, you need to install a tool called “gnupg”, in case you don’t already have it. This is done from a console, as root:

apt-get install gnupg

Next, you need to use the GPG tool to get the key corresponding to the code shown after NO_PUBKEY in the error message. Sometimes there is more than one key involved, and therefore there are several different codes. Just repeat the following for each code.

In this example, the code would be 010908312D230C5F. So you run this:

gpg --keyserver keyring.debian.org --recv 010908312D230C5F

What this does is interrogate the server keyring.debian.org for the key with that code. That server is a keyserver, which means it’s a place where public GPG keys from all over the place are kept for exactly such purposes.

If it works, you should see something like this:

gpg: requesting key 2D230C5F from hkp server keyring.debian.org
gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

If it doesn’t, you’ll be stuck on the first line (requesting…). Reasons it might not work: the keyserver is down, or perhaps your firewall or router is blocking the connection. For this to work you need to allow TCP connections to and from remote port 11371.

Second, once you have the key, you must tell apt to use it. This is done like this:

gpg --armor --export 010908312D230C5F | apt-key add -

If successful, you’ll get a single line saying OK.

That’s it, now every time you run apt-get update, those annoying error messages will be gone.

If you want to know more about the whole GPG and keys business, please see the GnuPG Frequently Asked Questions.

If you’re on a machine whose firewall doesn’t allow access to a keyserver, all is not lost. Go to a machine that can access it and export the key into a file. Copy the file to the firewalled machine and pipe it to apt-key.
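
A helper for the procedure above, as an added example that is not part of the original article: it pulls every NO_PUBKEY code out of apt-get update output (handling wrapped lines and duplicates), fetches each key into a throwaway keyring and prints its fingerprint, so the key can be compared with a fingerprint obtained through a trusted channel before the exported file is handed to apt-key. The function names, the ID 0123456789abcdef, the mirror.example.org host and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample of `apt-get update` warnings, wrapped as a terminal would.
# 0123456789abcdef is a made-up ID; the last line carries a too-short ID.
sample_apt_output() {
    cat <<'EOF'
W: GPG error: ftp://ftp.debian.org testing Release:
The following signatures couldn't be verified
because the public key is not available:
NO_PUBKEY 010908312D230C5F NO_PUBKEY 0123456789abcdef
W: GPG error: ftp://mirror.example.org testing Release: NO_PUBKEY
010908312D230C5F
W: GPG error: ftp://mirror.example.org sid Release: NO_PUBKEY 2D230C5F
EOF
}

# Read apt output on stdin; print each distinct 16-hex-digit key ID once.
# A token after NO_PUBKEY that is not exactly 16 hex digits is ignored, so
# text scraped from a log never reaches the gpg command line unchecked.
extract_key_ids() {
    tr -s ' \t' '\n\n' |
    awk 'prev == "NO_PUBKEY" && length($0) == 16 && $0 !~ /[^0-9A-Fa-f]/ {
             print toupper($0)
         }
         { prev = $0 }' |
    LC_ALL=C sort -u
}

# Fetch one key into a throwaway keyring (subshell, so GNUPGHOME does not leak),
# show its fingerprint and write it to <ID>.asc. Nothing is added to apt here.
fetch_for_review() (
    keyid=$1
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT
    gpg --keyserver keyring.debian.org --recv "$keyid" || exit 1
    gpg --fingerprint "$keyid"
    gpg --armor --export "$keyid" > "$keyid.asc"
)

# Real use:
#   apt-get update 2>&1 | extract_key_ids | while read -r id; do fetch_for_review "$id"; done
# After comparing each printed fingerprint with a trusted source, as root:
#   apt-key add 010908312D230C5F.asc
# Dry run on the constructed sample: only lists the IDs that would be fetched.
sample_apt_output | extract_key_ids
```

The .asc file written by fetch_for_review is also the file to copy across when the target machine cannot reach the keyserver.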