Computing and Networks

PPA Public Key Error

apt-get is a great tool.  It is awesome.  In fact coming from the days when compiling from source and installing was the only option, any good package management system as freaking AWESOME. (geez just had a flash back to the days of RPM dependency hell when Red Hat first rolled that out)

Though, every now and then I hit a snag when installing a new package, especially from a PPA.  The most common of these relate to security/verification using PKI.  to varify the authenticity of a package, usually you check the md5 hash and compare it with what the developer has published.  Canonical goes one step further and uses GPG (PGP) signing on packages in their repositories and those found in launchpad PPA repositories as well as hosting a key server (

Every so often this gets out of whack.  Keys expire, maintainers change or wrong phase of the moon and you end up with something resembling:

mike@obsidian:/etc/network$ sudo apt update
Get:14 yakkety InRelease [17.5 kB] 
Err:14 yakkety InRelease 
 The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9A2FD067A2E3EF7B
W: GPG error: yakkety InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9A2FD067A2E3EF7B
E: The repository ' yakkety InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Or better know as “splat”.  Like in any self respecting system, there are many ways to skin a cat depending on circumstances and personal preferences.  The easiest way I usually find to resolve PPA key issues with the most succes is to use the apt-key command.

mike@obsidian:~/$ sudo apt-key adv --keyserver --recv-keys 9A2FD067A2E3EF7B
Executing: /tmp/tmp.DSAfPm9NVu/ --keyserver
gpg: key 9A2FD067A2E3EF7B: public key "Launchpad PPA for GNS3" imported
gpg: Total number processed: 1

Of course a developer doesn’t have to use the Canonical key server.  They maybe using one of a myriad of trusted and secure key servers already to host their public key as shown in this example for an alternative way to import a key used for package signing.

:~/$sudo gpg –keyserver –recv-key <PUBKEY>
:~/$sudo gpg -a –export <PUBKEY> | sudo apt-key add –
:~/$sudo apt-get update

P.S.  We all should be using some sort of PKI for the transmission of data over the internet



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.