Fix Missing GPG Key Apt Repository Errors (NO_PUBKEY)

Fix apt update GPG error NO_PUBKEY

You might see a missing public GPG key error ("NO_PUBKEY") on Debian, Ubuntu or Linux Mint when running apt update / apt-get update. This can happen when you add a repository, and you forget to add its public key, or maybe there was a temporary key server error when trying to import the GPG key.

When running an apt update / apt-get update, or trying to refresh the software sources using some GUI tool, apt will complain about not being able to download all repository indexes, showing errors like this:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ppa.launchpad.net/linuxuprising/apps/ubuntu bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8CACC073C3DB2A

W: Failed to fetch http://ppa.launchpad.net/linuxuprising/apps/ubuntu/dists/bionic/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EA8CACC073C3DB2A

W: Some index files failed to download. They have been ignored, or old ones used instead.

This is just an example. This error can occur not only with Launchpad PPA repositories, but any repository, like those provided by Google, Vivaldi or Node.js, etc.

The error message says that the repository is not updated, and the previous index files will be used. That means you won't receive updates from that repository, so you should import the public GPG key to fix this issue.

This is how to easily fix the The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ... error. It should work on Debian, Ubuntu, Linux Mint, Pop!_OS, elementary OS, and any other Linux distribution based on Debian or Ubuntu.

Solution 1: Quick NO_PUBKEY fix for a single repository / key.

If you're only missing one public GPG repository key, you can run this command on your Ubuntu / Linux Mint / Pop!_OS / Debian system to fix it:

sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys THE_MISSING_KEY_HERE

You'll have to replace THE_MISSING_KEY_HERE with the missing GPG key. The key is shown in the apt update / apt-get update log, after NO_PUBKEY. For example, in the error message I posted above, the missing GPG key that must be used in this command is EA8CACC073C3DB2A.

Also see: How To Fix "Could not get lock /var/lib/dpkg/lock - open (11 Resource temporarily unavailable)" Errors

Solution 2: Batch import all missing GPG keys.

When you're missing multiple public OpenPGP keys you can use a this one-liner to import all of them in one go:

sudo apt update 2>&1 1>/dev/null | sed -ne 's/.*NO_PUBKEY //p' | while read key; do if ! [[ ${keys[*]} =~ "$key" ]]; then sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys "$key"; keys+=("$key"); fi; done

There's no need to change any part of the command, just run it as is. This also works for fixing a single missing GPG key, but it's a bit redundant. Nonetheless, it works with any number of missing GPG keys.

The command runs sudo apt update to update your software sources and detect missing GPG keys, and it imports each missing key using hkp://pool.sks-keyservers.net:80 as its server. This server is synchronized with many other servers continuously, so it should have updated keys. You could use some other server if you wish.

The command also uses an array to store missing GPG keys for which we've already imported the key. Without that, the key import command would run twice for each missing key.

You might also be interested in: How To Make A PGP Key On Linux Using A GUI (And Publish It)