Home / ubuntu / Questions / 1222639
In Process
diogo
Asked: 2020-03-31 10:55:24 +0800 CST

gpg: 1 signature not checked due to a missing key

  • 772

Can't sudo apt-get update:

Ign:8 http://download.opensuse.org/repositories/home:/Horst3180/xUbuntu_16.04  Release.gpg
Reading package lists... Done    
W: GPG error: http://download.opensuse.org/repositories/home:/Horst3180/xUbuntu_16.04  Release: The following signatures were invalid: EXPKEYSIG 5A7D1D38BEB6D886 home:Horst3180 OBS Project <home:[email protected]>
E: The repository 'http://download.opensuse.org/repositories/home:/Horst3180/xUbuntu_16.04  Release' is not signed.

From numerous tries, I get 

1 signature not checked due to a missing key

My attempt is:

sudo apt-key adv --keyserver hkp://keys.gnupg.net:80 --recv-keys 5A7D1D38BEB6D886
Executing: /tmp/apt-key-gpghome.f5yVraTkTa/gpg.1.sh --keyserver hkp://keys.gnupg.net:80 --recv-keys 5A7D1D38BEB6D886
gpg: key 5A7D1D38BEB6D886: 1 signature not checked due to a missing key
gpg: key 5A7D1D38BEB6D886: "home:Horst3180 OBS Project <home:[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Am I getting closer? Other unfruitful attempts include:

  1. This command

    wget -nv http://download.opensuse.org/repositories/home:/Horst3180/xUbuntu_16.04/Release.key -O Release.key

sudo apt-key add - < Release.key

  2. software.opensuse.org

    sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/Horst3180/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/home:Horst3180.list"
wget -nv https://download.opensuse.org/repositories/home:Horst3180/xUbuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key

  3. This command

    sudo rm /var/lib/apt/lists/* -vf

  4. This command

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5A7D1D38BEB6D886

    returns

    Executing: /tmp/apt-key-gpghome.9tPKjtyC1E/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 5A7D1D38BEB6D886
gpg: keyserver receive failed: No keyserver available

Note that at Horst3180's Home Project, the GPG key 5A7D1D38BEB6D886 has the expiration date of 2019-10-02, so the key is no longer valid it seems.

apt gnupg keyserver

3 Answers

  1. In general, if the gpg key is expired there is nothing much you can do when you're not the owner of the repo, except trying to contact the administrator.

    If you trust this repo, or really need something from it and don't care much about this security feature, you may also skip the gpg check by adding the --allow-unauthenticated option to apt-get.

    Example: sudo apt-get --allow-unauthenticated update, sudo apt-get -y --allow-unauthenticated install foo.

    You can also make this option permanent by using your own config file at /etc/apt/apt.conf.d/ directory. In your conf file simply add APT::Get::AllowUnauthenticated "true"; stanza.

    Note: if choosing the permanent option, you should carefully add your options so this will take effect only on this specific repo and not every other repo, as it is considered a security risk.

    • 3

  2. The same error may also occur when the key is still valid. I have a Release.key that works fine on one ubuntu machine, but on another system

    apt-key add Release.key explodes with

     gpg: invalid key resource URL '/tmp/apt-key-gpghome.L3TpJ04C0i/isv:ownCloud:desktop.asc.gpg'
 gpg: keyblock resource '(null)': General error
 gpg: key 4ABE1AC7557BEFF9: 1 signature not checked due to a missing key
 gpg: key 4ABE1AC7557BEFF9: 1 signature not checked due to a missing key
 gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
 gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
 gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key
 gpg: Total number processed: 6
 gpg:       skipped new keys: 6

    But e.g. gpg --import < Release.key would nicely import the key. (That is good to know, but does not help with apt.)

    Manual workaround (would not work with an expired key, though):

    cat Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/owncloud-test.gpg

    Afterwards apt update and apt install ... succeed without any allow-unauthenticated trickery. It seems apt-key add is overly picky on one of my systems.

    • 0

  3. You can fix this issue by removing the problematic file. In my case, the error was gpg: invalid key resource URL '/tmp/apt-key-gpghome.HrtqocacFC/home:manuelschneid3r.asc.gpg'. A simple sudo rm "/etc/apt/trusted.gpg.d/home:manuelschneid3r.asc" fixed the issue.

    • 0