Previous INDEX Next
X problems across OpenSSH CVS and a bad memory

Debian apt-get - no public key

While performing an apt-get update in February, I was presented with the error message: 

  GPG error: http://ftp.uk.debian.org testing Release: The following
  signatures couldn't be verified because the public key is not
  available: NO_PUBKEY 010908312D230C5F

It appears I had upgraded, at some time in the recent past, to a version of apt-get that supports verifying signed apt repositories. See this Debian security announcement and this Debian SecureApt wiki entry. The existing public key for the apt archives, presumably acquired at the same time as the updated apt-get, had expired. The list of apt-get keys can be viewed with the apt-key list command.

The following magic incantation (stolen from Serendipitous Altruism) fixed the problem for me. 

# gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 010908312D230C5F
# gpg --armor --export 2D230C5F | apt-key add -

The first command line imports the missing Debian archive key (using the key id complained about by apt-get) from a keyserver. A list of public key servers can be found on David Ross's site. The key is stored locally in the gpg public keyring.

You can see the list of keys held with the following command: 

# gpg --list-keys

which on my machine produces the following output: 

/root/.gnupg/pubring.gpg
------------------------
pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006)  <ftpmaster@debian.org>

The second line of the magic incantation exports this key (which now appears to be identified by the last eight digits of the key id) into apt-key, which makes the key available to apt-get.

apt-key list now gives the following output: 

/etc/apt/trusted.gpg
--------------------
pub   1024R/1DB114E0 2004-01-15 [expired: 2005-01-27]
uid                  Debian Archive Automatic Signing Key (2004) <ftpmaster@debian.org>

pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

Addendum 5th March, 2009

It appears there is a much simpler way to get the current debian archive keys, namely: 

  apt-get install debian-archive-keyring

And I would have known this earlier, had I read properly the wiki entry I referred to above!

Previous INDEX Next
X problems across OpenSSH CVS and a bad memory

GNU/Linux Logo