The officially official Devuan Forum!

#1 2020-05-16 01:20:21

kudlaty
Member
Registered: 2020-05-15
Posts: 3  

Can't update system due to NO_PUBKEY, common solutions don't work

Hello everyone!

tl;dr (because I tried being comprehensive and ended up producing a wall of text):
Several weeks ago I suddenly started missing public keys signing repositories (ascii), tried updating and importing the missing key as advised around the net but none of these solutions worked for me. Now I'm stuck with a system I can't update and I don't like it but I don't know how to fix it.

The long version:
Several weeks ago I apparently started missing a PUBKEY. I wasn't actively messing with stuff in my system at the time, so it was a surprise. At first it only affected a single 3rd party repository (not the devuan one), so I thought "They probably screwed something up, or are switching to a new key - it will probably get fixed in a couple of days." Well, it didn't.

Some days later I noticed the same problem also affecting the devuan repository, and then other 3rd party repos (that's odd, right?) I waited for a couple of weeks in case the problem would go away automagically, but no luck! ;) I can't update my system since then.

When I run sudo apt-get update the message reads:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BB23C00C61FC752C

The same applies to two other 3rd party repositories, and one more that now seems to have an expired key (EXPKEYSIG), probably a coincidence. But I still have three other 3rd party repositories that update fine, so I don't get what's going on here. O_o

After a bit of searching I found out people sometimes dealt with the same problem with NO_PUBKEY, and some good souls posted solutions online. But for some reason none of them worked for me. Which is disconcerting, especially now that there have been some important security updates. I'm just a desktop user, but still - I'd really prefer to have my system updated.

What I already tried (and it didn't help):

sudo apt-key update
Warning: 'apt-key update' is deprecated and should not be used anymore!
Note: In your distribution this command is a no-op and can therefore be removed safely.

sudo apt-key net-update

(the last one returns nothing)

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BB23C00C61FC752C
Executing: /tmp/user/0/apt-key-gpghome.z2yridEorz/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys BB23C00C61FC752C
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_get_keyblock failed: Value not found
gpg: [don't know]: invalid packet (ctb=2d)
gpg: /tmp/user/0/apt-key-gpghome.z2yridEorz/pubring.gpg: copy to '/tmp/user/0/apt-key-gpghome.z2yridEorz/pubring.gpg.tmp' failed: Invalid packet
gpg: error writing keyring '/tmp/user/0/apt-key-gpghome.z2yridEorz/pubring.gpg': Invalid packet
gpg: error reading '[stream]': Invalid packet
gpg: Total number processed: 0

sudo gpg -a --export BB23C00C61FC752C | sudo apt-key add -
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_get_keyblock failed: Value not found
gpg: [don't know]: invalid packet (ctb=2d)
gpg: /tmp/user/0/apt-key-gpghome.dIsrmYrlC3/pubring.gpg: copy to '/tmp/user/0/apt-key-gpghome.dIsrmYrlC3/pubring.gpg.tmp' failed: Invalid packet
gpg: error writing keyring '/tmp/user/0/apt-key-gpghome.dIsrmYrlC3/pubring.gpg': Invalid packet
gpg: error reading '-': Invalid packet
gpg: import from '-' failed: Invalid packet

sudo gpg --import ./Downloads/0xbb23c00c61fc752c.gpg
gpg: key BB23C00C61FC752C: 3 signatures not checked due to missing keys
gpg: key BB23C00C61FC752C: public key "Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

sudo apt-key add ./Downloads/0xbb23c00c61fc752c.gpg
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_get_keyblock failed: Value not found
gpg: [don't know]: invalid packet (ctb=2d)
gpg: /tmp/user/0/apt-key-gpghome.Py1sTBC5JT/pubring.gpg: copy to '/tmp/user/0/apt-key-gpghome.Py1sTBC5JT/pubring.gpg.tmp' failed: Invalid packet
gpg: error writing keyring '/tmp/user/0/apt-key-gpghome.Py1sTBC5JT/pubring.gpg': Invalid packet
gpg: error reading './Downloads/0xbb23c00c61fc752c.gpg': Invalid packet
gpg: import from './Downloads/0xbb23c00c61fc752c.gpg' failed: Invalid packet

I then tried simply moving the key manually (sudo mv ./Downloads/0xbb23c00c61fc752c.gpg /etc/apt/trusted.gpg.d/) even before I found it recommended here:
https://bugs.debian.org/cgi-bin/bugrepo … bug=887706

Still, no effect. I investigated the gpg: [don't know]: invalid packet (ctb=2d) part, but the links I found:
https://github.com/yarnpkg/yarn/issues/2343
https://dev.gnupg.org/T997

didn't help me much. After reading this:
https://www.chrisnewland.com/solved-gpg … -ctb2d-103

I tried de-armoring the key before attempting to import it - to no avail. This advice to re-import pubring and secring doesn't work for me either:
https://biercoff.com/fix-for-gpg-dont-k … b2d-error/

I also tried reinstalling most apt- and gpg-related packages - to my surprise, it miraculously succeeded without any errors concerning being unable to verify the packages without the missing key. O_o But it still didn't solve the problem with updates.

I'm using a really old laptop with a really old HDD, so it crossed my mind that it might be the HDD failing and the keys (or some internals of apt or gpg?) got corrupt. But I haven't noticed any loss of data, so I'm not sure this is the case. I ran the extended tests in GSmartControl, MHDD and two other programs - all completed successfully.

What I haven't tried yet:
Switching to a new disk and reinstalling the system. :) Well, it almost always helps but seemed a bit excessive at first. However, after trying all of the above, I'm getting keen on doing so. It seems like a good opportunity to switch to SSD.

If you could please give me a hint on what I am doing wrong or what the culprit might be and how to fix it, I'll be grateful!

Thank you in advance!

Offline

#2 2020-05-16 02:04:59

golinux
Administrator
Registered: 2016-11-25
Posts: 3,143  

Re: Can't update system due to NO_PUBKEY, common solutions don't work

Try this on the beta site:
https://beta.devuan.org/os/keyring

Don't know if it will help if you are on ascii.  Such esoteric stuff is beyond my pay-grade

Offline

#3 2020-05-16 02:05:53

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,117  

Re: Can't update system due to NO_PUBKEY, common solutions don't work

Yes, the Devuan key was changed a fair while ago, and the easy way out would be

# apt-get -y install devuan-keyring

That package drops a couple of files:

/etc/apt/trusted.gpg.d
/etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg
/etc/apt/trusted.gpg.d/devuan-keyring-2016-cdimage.gpg
/etc/apt/trusted.gpg.d/devuan-keyring-2017-archive.gpg
/usr/share/doc/devuan-keyring/README.md.gz
/usr/share/doc/devuan-keyring/changelog.gz
/usr/share/doc/devuan-keyring/copyright
/usr/share/keyrings/devuan-archive-keyring.gpg
/usr/share/keyrings/devuan-keyring.gpg

with the first three being for apt.

Online

#4 2020-05-16 02:10:43

golinux
Administrator
Registered: 2016-11-25
Posts: 3,143  

Re: Can't update system due to NO_PUBKEY, common solutions don't work

Unfortunately, I realized I had never put it on the live beta site so just did that.  I had only put it in the new human-workable site that's not online yet.

Offline

#5 2020-05-17 19:07:54

kudlaty
Member
Registered: 2020-05-15
Posts: 3  

Re: Can't update system due to NO_PUBKEY, common solutions don't work

Thank you for your replies!

I already had devuan-keyring installed (version 2017.10.03) so now I reinstalled it along with some other keyring-related packages - it didn't help, unfortunately.

Do you think it makes sense for me to ask e.g. the GPG devs about this issue with gpg: [don't know]: invalid packet (ctb=2d)? Or perhaps the apt maintainers? Or do you think it seems plausible that the HDD may be at fault here?

Offline

#6 2020-05-17 20:51:45

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,421  

Re: Can't update system due to NO_PUBKEY, common solutions don't work

Did you see this one?  https://askubuntu.com/questions/1120843 … ket-ctb-2d

Check permissions on /etc/apt/trusted.gpg.d/*

Offline

#7 2020-05-18 22:23:39

kudlaty
Member
Registered: 2020-05-15
Posts: 3  

Re: Can't update system due to NO_PUBKEY, common solutions don't work

All files in /etc/apt/trusted.gpg.d/ are 644, except for backups which are 600. File /etc/apt/trusted.gpg is also 644. There is also a file /etc/apt/trustdb.gpg which is 600, but making it 644 doesn't help.

Anyway, I did what the person in the link did and now gpg shows a slightly different error:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0xBB23C00C61FC752C
Executing: /tmp/user/0/apt-key-gpghome.ywAq90L8rZ/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 0xBB23C00C61FC752C
gpg: [don't know]: invalid packet (ctb=00)
gpg: keydb_get_keyblock failed: Value not found
gpg: [don't know]: invalid packet (ctb=00)
gpg: /tmp/user/0/apt-key-gpghome.ywAq90L8rZ/pubring.gpg: copy to '/tmp/user/0/apt-key-gpghome.ywAq90L8rZ/pubring.gpg.tmp' failed: Invalid packet
gpg: error writing keyring '/tmp/user/0/apt-key-gpghome.ywAq90L8rZ/pubring.gpg': Invalid packet
gpg: error reading '[stream]': Invalid packet
gpg: Total number processed: 0

Searching for the new error code (ctb=00) I found this:
https://askubuntu.com/questions/719865/ … n-imported
which says:

APT uses all the keyrings at the same time, as you can see by examining your output (...)
Having one damaged keyring makes GPG sad and none of the keyrings (even the good ones) are trusted. As a result, none of the keys considered.

So I guess one of my keyring files must be damaged, but I don't know how to pinpoint which one it is. Any hints would be appreciated!
I tried moving out trusted.gpg and all the files from trusted.gpg.d and then reimporting the keyring from the file I just moved out, or its older, backed up version - didn't work. When I try to import the devuan key once again, it seems it's already in the keyring:

sudo gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 0xBB23C00C61FC752C
gpg: data source: http://162.213.33.8:11371
gpg: key BB23C00C61FC752C: number of dropped non-self-signatures: 3
gpg: pub  rsa4096/BB23C00C61FC752C 2017-09-04  Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
gpg: key BB23C00C61FC752C: "Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

So I guess it looks as if everything should work, but it doesn't.

Offline
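
One way to pinpoint which keyring file gpg is choking on, as asked in the post above (an added example, not part of the original thread; `classify_keyring` and `scan_apt_keyrings` are hypothetical helper names). It is a first-pass check on each file's leading bytes: a valid OpenPGP packet header always has its top bit set, 0x2d is the ASCII `-` that starts an armored `-----BEGIN PGP ...` block, and a GnuPG keybox file starts with zero bytes followed by the magic `KBXf` at offset 8.

```shell
#!/bin/sh
# Added example: classify apt keyring files by their leading bytes.
# classify_keyring / scan_apt_keyrings are hypothetical helper names.

classify_keyring() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # First byte as two hex digits (the value gpg would report as "ctb").
    b=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    # A GnuPG keybox carries the magic "KBXf" at byte offset 8.
    magic=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null | tr -d '\000')
    if [ "$magic" = "KBXf" ]; then
        echo keybox
    elif [ "$b" = "2d" ]; then
        echo armored            # '-' of "-----BEGIN PGP ..." (ctb=2d)
    elif [ $((0x$b & 0x80)) -ne 0 ]; then
        echo binary             # top bit set: plausible OpenPGP packet
    else
        echo "invalid:ctb=$b"   # e.g. ctb=00: not an OpenPGP packet
    fi
}

scan_apt_keyrings() {
    dir=${1:-/etc/apt}
    for k in "$dir/trusted.gpg" "$dir"/trusted.gpg.d/*; do
        [ -e "$k" ] || continue
        kind=$(classify_keyring "$k")
        case "$kind:$k" in
            # Binary keyrings belong in *.gpg, armored keys in *.asc.
            binary:*.gpg|armored:*.asc) verdict=ok ;;
            *:*.gpg|*:*.asc)            verdict=SUSPECT ;;
            # Any other extension (backups etc.) is only listed.
            *)                          verdict=other ;;
        esac
        printf '%-8s %-16s %s\n' "$verdict" "$kind" "$k"
    done
}

# Touch the live apt configuration only when explicitly asked to.
if [ "${1:-}" = "--scan" ]; then scan_apt_keyrings; fi
```

Run it as `sh script.sh --scan`; a file reported as SUSPECT is a candidate to move aside before retrying `apt-get update`.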
