Symptom: apt / apt-get operations fail with errors like the following:
Err:4 https://dl.winehq.org/wine-builds/ubuntu xenial InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
Reading package lists... Done
W: GPG error: https://dl.winehq.org/wine-builds/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
E: The repository 'https://dl.winehq.org/wine-builds/ubuntu xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org/torproject.org bionic InRelease: The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/bionic/InRelease The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Some index files failed to download. They have been ignored, or old ones used instead.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7F438280EF8D349F
W: Failed to fetch http://apt.puppetlabs.com/dists/trusty/Release
W: Some index files failed to download. They have been ignored, or old ones used instead.
The problem keys above are 76F1A20FF987672F, 74A941BA219EC810 and 7F438280EF8D349F. This can happen when a new apt repository was added without its corresponding key, or when the key used by an existing apt repository has expired.
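As an added example (not part of the original post), the shell function below pulls the key IDs out of apt-get update output and pairs each one with its repository and the reason apt gave, so missing and expired keys can be told apart before anything is imported. The function names apt_key_problems and sample_apt_output are hypothetical; the sample lines are the warnings shown above.

```shell
#!/bin/sh
# Added example (not from the original post): list each repository whose
# signature check failed, with the key ID apt reported and why.
# Function names are hypothetical. Only the two status tokens that appear
# on this page (NO_PUBKEY, EXPKEYSIG) are handled.

# Reads apt-get update output on stdin and prints one line per finding:
#   <missing|expired> <key id> <repository URL>
apt_key_problems() {
    awk '
    /GPG error: / {
        # After "GPG error: " apt prints "<url> <suite> <file>: <reason>"
        rest = substr($0, index($0, "GPG error: ") + 11)
        n = split(rest, tok, " ")
        for (i = 1; i < n; i++) {
            if (tok[i] == "NO_PUBKEY") status = "missing"
            else if (tok[i] == "EXPKEYSIG") status = "expired"
            else continue
            id = tok[i + 1]
            # Accept only hex key IDs of at least 16 digits
            if (id !~ /^[0-9A-F]+$/ || length(id) < 16) continue
            line = status " " id " " tok[1]
            # Report each (status, key, repository) combination once
            if (!(line in seen)) { seen[line] = 1; print line }
        }
    }'
}

# Sample input: warning lines copied from the error output on this page.
sample_apt_output() {
    cat <<'EOF'
W: GPG error: https://dl.winehq.org/wine-builds/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org/torproject.org bionic InRelease: The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/bionic/InRelease The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.puppetlabs.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7F438280EF8D349F
EOF
}

sample_apt_output | apt_key_problems
```

On a live system, pipe the real output in instead of the sample: sudo apt-get update 2>&1 | apt_key_problems.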
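The correct key can usually be found on the website of the corresponding software provider and placed in the file /etc/apt/trusted.gpg or in the directory /etc/apt/trusted.gpg.d, or it can be downloaded from a keyserver and imported with the apt-key command, like this (using the Yarn and Google Cloud package repositories as examples):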
curl -sS https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
We can also ask an OpenPGP keyserver directly for the problematic or missing key, using the command apt-key adv --keyserver keyserver.ubuntu.com --recv-keys XXXXXXXX, like this:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
Executing: /tmp/apt-key-gpghome.VyE6MFMrnc/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 7F438280EF8D349F
gpg: key 7F438280EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 74A941BA219EC810
Executing: /tmp/apt-key-gpghome.lRWvuhWnPw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 74A941BA219EC810
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: Total number processed: 1
gpg: imported: 1
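Expired keys can also be checked with apt-key list | grep -A2 -B2 "expired:", which gives a result similar to the one below; the string after the slash is the Key ID that can be used in the commands:
$ apt-key list | grep -A2 -B2 "expired:"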
pub rsa4096 2017-01-17 [SC] [expired: 2019-01-17]
6BA2 B0F3 B8B0 6169 7E98 ADFA 6D37 89ED C340 1E12
uid [ expired] Vivaldi Package Composer KEY03 packager@vivaldi.com
pub rsa4096 2014-01-13 [SCEA] [expired: 2019-01-12]
418A 7F2F B0E1 E6E7 EABF 6FE8 C2E7 3424 D590 97AB
uid [ expired] packagecloud ops (production key) ops@packagecloud.io
Another trick for dealing with expired keys is to use the apt-key command to refresh all keys from a keyserver:
$ sudo apt-key adv --refresh-keys --keyserver keyserver.ubuntu.com
Executing: /tmp/apt-key-gpghome.wH5guYWzuH/gpg.1.sh --refresh-keys --keyserver keyserver.ubuntu.com
gpg: refreshing 5 keys from hkp://keyserver.ubuntu.com
gpg: key EB3E94ADBE1229CF: "Microsoft (Release signing) gpgsecurity@microsoft.com" not changed
gpg: key EE8CBC9E886DDD89: "deb.torproject.org archive signing key" 5 new signatures
gpg: key 379CE192D401AB61: "Bintray (by JFrog) bintray@bintray.com" not changed
gpg: key 82B129927FA3303E: "Raspberry Pi Archive Signing Key" not changed
gpg: key 9165938D90FDDD2E: "Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) mpthompson@gmail.com" not changed
gpg: Total number processed: 5
gpg: unchanged: 4
gpg: new signatures: 5
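However, because apt-key cannot check for us whether a key really belongs to the corresponding package maintainer, that information should still be confirmed with the software provider to be safe.
In a few rare cases the key has expired but the package maintainer has forgotten to update it, and then the steps above will have no effect.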
Note: another common, frequently used keyserver is pool.sks-keyservers.net; if keyserver.ubuntu.com happens to be unavailable, this one can be used instead.