Debmirror problem: gpgv: Can’t check signature: public key not found

I have a mirror where Debian and Ubuntu packages are hosted, so people in the internal network can upgrade their software using this mirror. But the other day I realized it couldn’t sync against the Debian mirror, as described in the article How to build Debian and Ubuntu mirrors using debmirror. When I tried to run the sync script I got an error and it exited with errors.

Symptoms

When running the debmirror script, it fails with an error similar to this one:

gpgv: Signature made Wed 17 Jul 2013 04:40:31 PM CST using RSA key ID 473041FA
[GNUPG:] ERRSIG AED4B06F473041FA 1 2 00 1374050431 9
[GNUPG:] NO_PUBKEY AED4B06F473041FA
gpgv: Can’t check signature: public key not found
gpgv: Signature made Wed 17 Jul 2013 04:40:31 PM CST using RSA key ID 46925553
[GNUPG:] ERRSIG 8B48AD6246925553 1 2 00 1374050431 9
[GNUPG:] NO_PUBKEY 8B48AD6246925553
gpgv: Can’t check signature: public key not found
Release signature does not verify

Cause

Packages are validated using a key, so we can trust what we are downloading from the source repo and what will be installed on our computers. Some repositories have a keyring with known keys, and it’s likely that a new signing key was added to the Debian/Ubuntu keyring. This can occur if there is a new distro version and new keys were added, making our keyring out of date (the new keys are missing).

Solution

To fix this issue, follow the steps below for the distro you are mirroring:

Debian

Update the repository and import the new keys:

aptitude update
aptitude safe-upgrade
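# --no-default-keyring on the export side keeps keys from your personal keyring out of the mirror's trusted set
gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /var/data/keyrings/debian/trustedkeys.gpg --import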

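Side note: If no keys were added, download the latest debian-archive-keyring package from the repositories, extract it and use those keyrings. These keyrings become the trust root for everything the mirror serves, so fetch the package from a source you already trust. Example: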

wget http://ftp.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2012.4_all.deb
dpkg -x debian-archive-keyring_2012.4_all.deb  ~
gpg --no-default-keyring --keyring ~/usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /var/data/keyrings/debian/trustedkeys.gpg --import

Ubuntu

Download the latest ubuntu-archive-keyring package, extract it and then use those keyrings. Example:

wget http://mirror.pnl.gov/ubuntu//pool/main/u/ubuntu-keyring/ubuntu-keyring_2012.05.19_all.deb
dpkg -x ubuntu-keyring_2012.05.19_all.deb ~
gpg --no-default-keyring --keyring ~/usr/share/keyrings/ubuntu-archive-keyring.gpg --export | gpg --no-default-keyring --keyring /var/data/keyrings/ubuntu/trustedkeys.gpg --import

After this procedure, the sync script will run without problems and it will download the latest updates.
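
The check below is an added example, not part of the original post or of debmirror: it takes the NO_PUBKEY lines gpgv printed and reports which of those key IDs are still absent from the keyring after the import. The function names and the sample keyring listing are constructed; the status lines are the ones from the error shown under Symptoms.

```shell
# Added example: confirm that every key gpgv reported as NO_PUBKEY is now in
# the debmirror keyring. Real inputs would come from (Release paths assumed):
#   gpgv --status-fd 1 --keyring "$KR" Release.gpg Release 2>/dev/null
#   gpg --no-default-keyring --keyring "$KR" --with-colons --list-keys

# stdin: gpgv status output -> unique long key IDs that had no public key
missing_keys() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3 }' | sort -u
}

# stdin: gpg --with-colons listing -> IDs of primary keys and subkeys (field 5)
keyring_ids() {
    awk -F: '($1 == "pub" || $1 == "sub") && $5 != "" { print $5 }' | sort -u
}

# still_missing STATUS_FILE LISTING_FILE: print IDs still absent; return 1 if any
still_missing() {
    have=$(keyring_ids < "$2"); rc=0
    for id in $(missing_keys < "$1"); do
        if ! printf '%s\n' "$have" | grep -qx "$id"; then
            printf '%s\n' "$id"
            rc=1
        fi
    done
    return "$rc"
}

# Status lines taken from the error output in this post.
sample_status() {
    cat <<'EOF'
[GNUPG:] ERRSIG AED4B06F473041FA 1 2 00 1374050431 9
[GNUPG:] NO_PUBKEY AED4B06F473041FA
[GNUPG:] ERRSIG 8B48AD6246925553 1 2 00 1374050431 9
[GNUPG:] NO_PUBKEY 8B48AD6246925553
EOF
}

# Constructed listing: a keyring where only one of the two keys was imported.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AED4B06F473041FA:1282940623:::-:::scSC:
uid:-::::1282940623::::Constructed sample uid:
EOF
}
# Run the check on the samples; prints 8B48AD6246925553 and returns 1.
demo() {
    d=$(mktemp -d) && sample_status > "$d/s" && sample_listing > "$d/l"
    r=0; still_missing "$d/s" "$d/l" || r=$?; rm -rf "$d"; return "$r"
}
```

A non-empty result after the import means the keyring package you extracted predates the key that signed the Release file.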
