apt 的 invalid signatures / public key is not available (NO_PUBKEY/EXPKEYSIG/KEYEXPIRED) 問題處理方式

症狀 – apt / apt-get 操作時出現以下錯誤:

Err:4 https://dl.winehq.org/wine-builds/ubuntu xenial InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
Reading package lists... Done
W: GPG error: https://dl.winehq.org/wine-builds/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
E: The repository 'https://dl.winehq.org/wine-builds/ubuntu xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org/torproject.org bionic InRelease: The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/bionic/InRelease  The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Some index files failed to download. They have been ignored, or old ones used instead.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7F438280EF8D349F
W: Failed to fetch http://apt.puppetlabs.com/dists/trusty/Release
W: Some index files failed to download. They have been ignored, or old ones used instead.

可以看到上面缺的 key 分別是 76F1A20FF987672F74A941BA219EC8107F438280EF8D349F ,這種情況有可能是新增了新的 apt repository 但沒有對應的 key,或是舊有的 apt repository 所使用的 key已經過期了

通常可以到對應軟體提供者的網站上找到正確的 key ,並放到 /etc/apt/trusted.gpg 這個檔案、或 /etc/apt/trusted.gpg.d 目錄下,或是透過 apt-key 的指令從 keyserver 進行下載匯入,像是這樣(以 Yarn 和 Google Cloud 的套件庫為例):

  • curl -sS https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
  • curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -

我們也可以透過將有問題/闕漏的 key 直接拿去問 OpenPGP keyserver ,透過 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys XXXXXXXX 的指令,像這樣:

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
Executing: /tmp/apt-key-gpghome.VyE6MFMrnc/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
gpg: key 7F438280EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 74A941BA219EC810
Executing: /tmp/apt-key-gpghome.lRWvuhWnPw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 74A941BA219EC810
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1

已經過期的 key 話也可以透過 apt-key list | grep -A2 -B2 "expired:" 來確認,會得到類似下面這樣的結果,斜線後面那串就是可以拿來操作的 Key ID:

$ apt-key list | grep "expired:"
pub   rsa4096 2017-01-17 [SC] [expired: 2019-01-17]
       6BA2 B0F3 B8B0 6169 7E98  ADFA 6D37 89ED C340 1E12
 uid           [ expired] Vivaldi Package Composer KEY03 [email protected]

pub   rsa4096 2014-01-13 [SCEA] [expired: 2019-01-12]
       418A 7F2F B0E1 E6E7 EABF  6FE8 C2E7 3424 D590 97AB
 uid           [ expired] packagecloud ops (production key) [email protected]

處理過期的 key 還有一招是透過 apt-key 指令從 keyserver 更新所有 key :

$ sudo apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com
Executing: /tmp/apt-key-gpghome.wH5guYWzuH/gpg.1.sh --refresh-keys --keyserver keyserver.ubuntu.com
 gpg: refreshing 5 keys from hkp://keyserver.ubuntu.com
 gpg: key EB3E94ADBE1229CF: "Microsoft (Release signing) [email protected]" not changed
 gpg: key EE8CBC9E886DDD89: "deb.torproject.org archive signing key" 5 new signatures
 gpg: key 379CE192D401AB61: "Bintray (by JFrog) [email protected]" not changed
 gpg: key 82B129927FA3303E: "Raspberry Pi Archive Signing Key" not changed
 gpg: key 9165938D90FDDD2E: "Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) [email protected]" not changed
 gpg: Total number processed: 5
 gpg:              unchanged: 4
 gpg:         new signatures: 5

不過因為 apt-key 無法幫我們檢查這把 key 到底是不是確實屬於對應的套件維護者,這些資訊還是要從軟體提供者那邊確認以策安全

另外有些少數情況,金鑰已經過期了,但套件維護者也忘了更新,那上面的動作就不會有效果了

註:另一組常見、常用的 keyserver 是 pool.sks-keyservers.net ,如果有遇到 keyserver.ubuntu.com 剛好不能用的情況時也可以改用這一組


發表迴響