APT

Apt-get reports NO_PUBKEY gpg error for keys that are present in trusted.gpg.

Bug #1263540 reported by aslam karachiwala on 2013-12-22
376
This bug affects 94 people
Affects Status Importance Assigned to Milestone
APT
Fix Released
Unknown
apt (Ubuntu)
Undecided
Unassigned

Bug Description

Ubuntu 13.10
apt 0.9.9.1~ubuntu3

'apt-get update' has started showing several warnings like the following, even though the keys are present:

W: GPG error: http://us.archive.ubuntu.com saucy Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32

'apt-key list' shows the keys in question in its output...

pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12

pub 4096R/C0B21F32 2012-05-11
uid Ubuntu Archive Automatic Signing Key (2012) <email address hidden>

...and its output begins with the following:

gpg: keyblock resource `/etc/apt/trusted.gpg.d//webupd8team-y-ppa-manager.gpg': resource limit

I see the same gpg message when I manually update/remove/add the keys in question. E.g.:

$ sudo apt-key update
gpg: keyblock resource `/etc/apt/trusted.gpg.d//webupd8team-java.gpg': resource limit
gpg: keyblock resource `/etc/apt/trusted.gpg.d//webupd8team-y-ppa-manager.gpg': resource limit
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <email address hidden>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <email address hidden>" not changed
gpg: key C0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <email address hidden>" not changed
gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <email address hidden>" not changed
gpg: Total number processed: 4
gpg: unchanged: 4

I asked about the "resource limit" message on the gnupg-users mailing list...
http://<email address hidden>/msg23300.html
Based on Werner Koch's (the dev) answer...
http://<email address hidden>/msg23302.html
...the secure apt related programs might be making gpg use more than the maximum number of keyrings that it can handle.

summary: - Apt-get reports NO_PUBKEY gpg error for key that are present in
+ Apt-get reports NO_PUBKEY gpg error for keys that are present in
trusted.gpg.
tags: added: gnupg
tags: added: apt secure-apt
description: updated
aslam karachiwala (akwala) wrote :

I saw the following while attempting to work around this issue:

1.
In addition to /etc/apt/trusted.gpg, each *.gpg file in /etc/apt/trusted.gpg.d/ is a separate keyring, often containing a single key for the corresponding repository. This could effectively limit the number of repos/packages one can have, if the total number of keyrings exceeds GnuPG's limit.

2.
Deleting a key ('apt-key del <keyID>'), or removing a repository (e.g., using Synaptic), removes the key from its keyring in /etc/apt/trusted.gpg.d/ but leaves the empty keyring in the location. After I removed the empty keyring files, the "resource limit" message did not appear and 'apt-get update' did not complain about "NO_PUBKEY." So, once GnuPG's maximum number of keyrings is reached, one has to manually remove the empty keyring files, in addition to removing package repositories, in order to avoid the "NO_PUBKEY" scenario.

Changed in apt:
status: Unknown → New
aslam karachiwala (akwala) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Katsiaris Simos (spider623) wrote :

fix it already, it really affects much more than just the desktop users

jorgehpm (jorgehpm) wrote :

The post from 4zika4 helps if you have repositories from the same origin (like noobslabs or such) but if that's not your case, the bug pretty mch stays :(

Ubuntu 14.04 fully up-to-date here:

Hi everyone, thanks to the help of user @TJ- on #ubuntu+1 we were able to discover that the issue I was getting is related to this bug:

[...]
Ign http://archive.ubuntu.com trusty-security/universe Translation-en_US
Fetched 4.737 B in 33s (141 B/s)
Reading package lists... Done
W: GPG error: http://archive.canonical.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
W: GPG error: http://extras.ubuntu.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 16126D3A3E5C1192
W: GPG error: http://archive.ubuntu.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
W: GPG error: http://archive.ubuntu.com trusty-updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
W: GPG error: http://archive.ubuntu.com trusty-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32
W: GPG error: http://archive.ubuntu.com trusty-security Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32

What I did:
1. sudo apt-get clean
2. sudo mv /var/lib/apt/lists /var/apt/lists.old
3. mkdir -p /var/lib/apt/lists/partial
4. sudo apt-get update

And got the same error so, next thing was trying to reinstall 'ubuntu-keyring': http://pastebin.com/Zr9TppeL

Other relevant info:
"07:32:49 TJ- | msx: The debian bug explains the issue ... too many keyrings being passed to gpg"
"07:35:23 TJ- | msx: Summary is, remove empty keyrings from "/etc/apt/trusted.gpg.d/"

Issue solved here.

ViBE (vibe) wrote :

i have the same problem with official and some 3rd party GPG keys on Ubuntu 14.04 x64.

Rik Mills (rikmills) wrote :

Now getting this after upgrade to Trusty.

spupuz@gmail.com (spupuz) wrote :

i have the same problem with official and some 3rd party GPG keys on Ubuntu 14.04 x86.

How does one find these empty keyrings?

aslam karachiwala (akwala) wrote :

> How does one find these empty keyrings?

These would be *.gpg files in /etc/apt/trusted.gpg.d/ that are empty (size=0) -- see comment #1.

Mark Rich (sir-marky) wrote :

Struggling from this problem all the time. Tried every solution I can find on the web but still get these errors.

Leandro Heck (leoheck) wrote :

I am having this problem too. Did someone already found the solution?

I know the last comment is a month old now, but google is still driving people here for an answer. I found this on the web:
http://www.namhuy.net/3116/how-to-fix-gpg-error-no_pubkey-in-ubuntu.html

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5

Run this command for each hex key you need to download. replace "40976EAF437D05B5" with the appropriate key.

I had to do it three times, but it worked for me.

Baobab (emil-bb) wrote :

I encountered the same problem. I solved this by

1) moving all the ppas from the folder /etc/apt/sources.list.d to the file /etc/apt/sources.list. I did this with the command:

pr -F *files > newfilepr -F *files > newfile

which combines all the sources.list files into one file. Some adaptation is needed.

2) removing *all* the files in /etc/apt/trustedgpg.d

then, I could add new keys to the keychain by issuing the “sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys **KEY_HERE**” command (look it up if you don't know it). Before that, it didn’t import the key. Hope this is helpfull to someone, it was a completely random move on my part, had no idea if it would work or not. It did :D

Mihara (medvedev) wrote :

The solution that worked for me was emptying /etc/apt/trusted.gpg.d, running apt-get update, and then manually adding every key it blocked on to the main /etc/apt/trusted.gpg keyring with apt-key adv as described above. Nothing else turned out to be necessary, you can leave the /etc/apt/sources.list.d/* where they are. There's probably a smoother way to consolidate all the keyrings in /etc/apt/trusted.gpg.d/* into the main one using gpg itself, however, that was quicker than writing a script.

I really shouldn't have to do this in the first place.

Changed in apt:
status: New → Fix Released

Deleting keys in gpg folder worked for me too.

RedScourge (redscourge) wrote :

14.04 LTS and 14.04.1 LTS x64 both present this error after fresh install, and again after adding the virtualbox repo.

W: GPG error: http://download.virtualbox.org trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54422A4B98AB5139
W: GPG error: http://extras.ubuntu.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 16126D3A3E5C1192

Bruno Nova (brunonova) wrote :

Also affected in 14.04. This bug should be of high importance.
This bug was fixed in Debian in version 1.1~exp4, but the version in sid is 1.0.9.3, so I think we will have to wait bit yet.

David Margrave (x-david-x) wrote :

yes empting /etc/apt/trusted.gpg.d directory worked for me as well.

very annoying how it silently choked on contents of that directory.

Ubuntu 14.10 32 bits

Description: Ubuntu 14.10
Release: 14.10
Codename: utopic

started to have same issue in this days...

apt:
  Installato: 1.0.9.2ubuntu2
  Candidato: 1.0.9.2ubuntu2
  Tabella versione:
 *** 1.0.9.2ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ utopic/main i386 Packages
        100 /var/lib/dpkg/status

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
assignee: nobody → Andi Rachman Fauzi (andirachmanfauzi)
assignee: Andi Rachman Fauzi (andirachmanfauzi) → nobody
EvilSupahFly (seann-giffin) wrote :

So, if I understand the response from the gpg-mailing-list correctly, the limit is 40 keys in total, essentially? Is there a way to increase that without mucking about with the source?

I started getting the "gpg: keyblock resource resource limit" error after adding a few testing PPAs related to Kali, but I don't have any zero-length files to remove as they are all in use.

To fix this, I guess I would have to remove the PPAs and their keys, or create some kind of specialized chroot or VM, which, I guess isn't so bad, really, but it's a bit of a pain.

aslam karachiwala (akwala) wrote :

>...the limit is 40 keys in total, essentially? Is there a way to increase that without mucking about with the source?
This is not a configurable limit AFAIK.

>...I don't have any zero-length files to remove as they are all in use.
I believe the bug that left the zero-length files upon deletion of PPAs was fixed a while back. More info in the upstream bug log:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733028

You may have multiple keyrings (*.gpg) with the same key if you have multiple PPAs that share the same key. You could delete all but one of such keyrings.

I looked at my /etc/apt/trusted.gpg.d and found only a handful of keyrings for debian/mozilla archives which I probably added. I'm on Ubuntu 14.04, so this issue appears to be fixed in this version.

Rael (rael-gc) wrote :

I just gone to /etc/apt/trusted.gpg.d and remove unused keys until I got below 40 keys. Then ran `sudo apt-get update` and fixed.

pst007x (turone) wrote :

 I deleted all the contents in /etc/apt/trusted.gpg.d/.

then run

sudo launchpad-getkeys - found here: http://www.webupd8.org/2010/05/automatically-import-all-missing.html
sudo apt-get update

.... this cleared the fault for me.

http://askubuntu.com/questions/608140/all-public-keys-are-missing-xubuntu-ubuntu-14-04

Lukasz Sanek (s4nk) wrote :

Seems like the problem still exists in Ubuntu 15.04 with apt 1.0.9.7ubuntu4 for amd64 compiled on Apr 7 2015 14:42:59

Comment #26 was the solution for me.

himanshu (himzzy4u) wrote :

Nothing works for me.. /etc/apt/trusted.gpg.d/ is already empty on a fresh 14.04 LTS..

aleandro (aleandrodasilva) wrote :

Ubuntu 14.04 LTS. Bug still present. It seems I have too many gpg keys (above 40). None of the reported solutions seems to solve even after deleting the entire gpg folder.

A. Eibach (andi3) wrote :

(comment 7)

I can't believe it! THAT'S MINE!!!

40976EAF437D05B5

As I thought that it could even be related to some local repo not updating their stuff in time (yes this happens sometimes in minor form), I chenged to fr. and ch. domains sequentially. To no avail at all.

Thanks for the idea to use the 'del' option in apt-key.

I can't believe that so many people have problems with this, and all that developers are (usually) raving about is whether Ubuntu should be verbose to the user about global hotkey assignments or not. Securtity paranoiacs, most of them, but if it comes to such basic-security issue as here, they just go 'shrug, works for me, you're just too daft'.

A. Eibach (andi3) wrote :

Ok, nuked /etc/apt/trusted.gpg and rebuilt is using

sudo apt-key update

YAY!!
That finally caused the error message of the very key 40976EAF437D05B5 to disappear. Good riddance. :P

A. Eibach (andi3) wrote :

AND TO EVERYBODY:

Please do NOT confuse the line

sudo apt-key update

with

sudo apt-get update

Always make sure you're referring to the one or the other.

QkiZ (qkiz) wrote :

Ubuntu 15.04, bug still exist

QkiZ (qkiz) wrote :

But trick with deleting /etc/apt/trusted.gpg and sudo apt-key update do the job. After that all missing keys are recovered via apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <keys id> command.

QkiZ (qkiz) wrote :

I have that error second time and previous trick did not help. Problem still exist.

Mark Fraser (launchpad-mfraz) wrote :

Just hit this bug in Kubuntu 16.04. Removing some old gpg files seems to have fixed it

Mark Fraser (launchpad-mfraz) wrote :

Sorry, meant to say 15.10 in the above comment.

Paddy Landau (paddy-landau) wrote :

This bug hit me two days ago. I am on Ubuntu 14.04 64-bit, which was fully updated until the problem started. The workaround, fortunately, has worked for me.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.