NO_PUBKEY DD4BA3917E23BF59 error

zenny · Sep 15, 2021

Hi,

I tried to install pve7 in vanilla debian11 as per this wiki (https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye). Everything appears satisfied:

Code:

# ls -la /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
-rw-r--r-- 1 root root 1187 Dec 14  2020 /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa  /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

Yet when `apt update`, the keys fails with NO_PUBKEY DD4BA3917E23BF59 error:

Code:

# apt update
Hit:1 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
Hit:2 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian-security bullseye-security InRelease
Get:4 http://download.proxmox.com/debian/pve bullseye InRelease [3,053 B]
Err:4 http://download.proxmox.com/debian/pve bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
Reading package lists... Done
W: GPG error: http://download.proxmox.com/debian/pve bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
E: The repository 'http://download.proxmox.com/debian/pve bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[Exit 100]

Has the keys changed?

fabian · Sep 15, 2021

that seems to be the right key (and sha512sum).. you can try running apt update with more verbosity, maybe something else shows up?

t.lamprecht · Sep 15, 2021

zenny said:
Has the keys changed?

No.

Can you please post your full sources.list entries and the output of a manual connection to our package CDN?

Bash:

head -n -0 /etc/apt/sources.list /etc/apt/sources.list.d/*.list
curl -iv http://download.proxmox.com/debian/pve/

zenny · Sep 15, 2021

t.lamprecht said:
head -n -0 /etc/apt/sources.list /etc/apt/sources.list.d/*.list

Code:

# head -n -0 /etc/apt/sources.list /etc/apt/sources.list.d/*.list
==> /etc/apt/sources.list <==

deb [arch=amd64] http://cdn-fastly.deb.debian.org/debian/ bullseye main contrib non-free
#deb-src [arch=amd64] http://cdn-fastly.deb.debian.org/debian/ bullseye main contrib non-free

deb [arch=amd64] http://cdn-fastly.deb.debian.org/debian/ bullseye-updates main contrib non-free
#deb-src [arch=amd64] http://cdn-fastly.deb.debian.org/debian/ bullseye-updates main contrib non-free

#deb [arch=amd64] http://security.debian.org/ bullseye/updates main contrib non-free
##deb-src [arch=amd64] http://security.debian.org/ bullseye/updates main contrib non-free

deb [arch=amd64] https://deb.debian.org/debian-security bullseye-security main contrib non-free
##deb-src https://deb.debian.org/debian-security bullseye-security main contrib non-free

==> /etc/apt/sources.list.d/pve-install-repo.list <==
deb [arch=amd64] http://download.proxmox.com/debian/pve bullseye pve-no-subscription



# curl -iv http://download.proxmox.com/debian/pve/
*   Trying 2a01:7e0:0:424::249:80...
* Connected to download.proxmox.com (2a01:7e0:0:424::249) port 80 (#0)
> GET /debian/pve/ HTTP/1.1
> Host: download.proxmox.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx
Server: nginx
< Date: Wed, 15 Sep 2021 13:04:27 GMT
Date: Wed, 15 Sep 2021 13:04:27 GMT
< Content-Type: text/html
Content-Type: text/html
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Connection: keep-alive
Connection: keep-alive

<
<html>
<head><title>Index of /debian/pve/</title></head>
<body bgcolor="white">
<h1>Index of /debian/pve/</h1><hr><pre><a href="../">../</a>
<a href="dists/">dists/</a>                                             24-Jun-2021 11:55                   -
</pre><hr></body>
</html>
* Connection #0 to host download.proxmox.com left intact

'apt-key --list' shows:

Code:

/etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
---------------------------------------------------
pub   rsa4096 2020-11-09 [SC] [expires: 2030-11-07]
      2813 9A2F 830B D684 78A1  A01F DD4B A391 7E23 BF59
uid           [ unknown] Proxmox Bullseye Release Key <proxmox-release@proxmox.com>

zenny · Sep 15, 2021

zenny said:

Hi,

I tried to install pve7 in vanilla debian11 as per this wiki (https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye). Everything appears satisfied:

Code:

# ls -la /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
-rw-r--r-- 1 root root 1187 Dec 14  2020 /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

# sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa  /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

Yet when `apt update`, the keys fails with NO_PUBKEY DD4BA3917E23BF59 error:

Code:

# apt update
Hit:1 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
Hit:2 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian-security bullseye-security InRelease
Get:4 http://download.proxmox.com/debian/pve bullseye InRelease [3,053 B]
Err:4 http://download.proxmox.com/debian/pve bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
Reading package lists... Done
W: GPG error: http://download.proxmox.com/debian/pve bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
E: The repository 'http://download.proxmox.com/debian/pve bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[Exit 100]

Has the keys c

fabian said:
that seems to be the right key (and sha512sum).. you can try running apt update with more verbosity, maybe something else shows up?

With apt --help , I can only see these options, no other flags to make more verbose:

Code:

apt --help
  list - list packages based on package names
  search - search in package descriptions
  show - show package details
  install - install packages
  reinstall - reinstall packages
  remove - remove packages
  autoremove - Remove automatically all unused packages
  update - update list of available packages
  upgrade - upgrade the system by installing/upgrading packages
  full-upgrade - upgrade the system by removing/installing/upgrading packages
  edit-sources - edit the source information file
  satisfy - satisfy dependency strings

Or did I miss something?

fabian · Sep 16, 2021

zenny said:

With apt --help , I can only see these options, no other flags to make more verbose:

Code:

apt --help
  list - list packages based on package names
  search - search in package descriptions
  show - show package details
  install - install packages
  reinstall - reinstall packages
  remove - remove packages
  autoremove - Remove automatically all unused packages
  update - update list of available packages
  upgrade - upgrade the system by installing/upgrading packages
  full-upgrade - upgrade the system by removing/installing/upgrading packages
  edit-sources - edit the source information file
  satisfy - satisfy dependency strings

Or did I miss something?

yeah, all the debug stuff is hidden via options (see man apt.conf / /usr/share/doc/apt/examples/configure-index). you can pass those options to apt with -o. maybe running apt update with strace already gives a clue where it takes a wrong turn?

nada · Sep 22, 2021

1. you may also check available GPG key list at http://download.proxmox.com/debian/
2. download relevant version GPG key to your host & check it
3. update

example
# wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
# sha512sum /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
# apt-get update

zenny · Sep 23, 2021

nada said:
1. you may also check available GPG key list at http://download.proxmox.com/debian/
2. download relevant version GPG key to your host & check it
3. update

example
# wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
# sha512sum /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
# apt-get update

That is exactly what I did in the OT above for debian 11 bullseye, but no go.

And I do not see any reason to download the v6 key in bullseye as in the example. ;-)

tom · Sep 23, 2021

I just did a fresh install, following exactly https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye

No issues for me, so something must be different on your side.

zenny · Sep 24, 2021

tom said:
I just did a fresh install, following exactly https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye

No issues for me, so something must be different on your side.

There is nothing wrong because I have no control over the GPG keys.

Nevertheless, this got solved by appending '[trusted=true]' to the '/etc/apt/sources.list.d/pve-install-repo.list' to look like:

Code:

deb [arch=amd64 trusted=true] http://download.proxmox.com/debian/pve bullseye pve-no-subscription

Use '[allow-insecure=yes allow-downgrade-to-insecure=yes] in case '[trusted=true]" does NOT work.

Hope this is helpful to someone in the same shoes.

t.lamprecht · Sep 24, 2021

zenny said:
There is nothing wrong because I have no control over the GPG keys.

There sure is nothing wrong with the HSM signing the release files nor the public keys, that's true. We have tens of thousands of servers connecting to the apt repo daily, if there was anything wrong with signage we'd know

FWIW, you can recreate the signature verification steps with independent tooling, e.q., using the nice CLI tool sq from the Sequoia project.

Code:

$ apt install sq
$ curl --silent -O https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg
$ sha512sum proxmox-release-bullseye.gpg      
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa  proxmox-release-bullseye.gpg

$ curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | sq verify --signer-cert proxmox-release-bullseye.gpg
Good signature from DD4BA3917E23BF59                                        # <- shows that this works out OK
Architectures: amd64
Codename: bullseye
Components: pve-no-subscription pvetest
Date: Wed, 22 Sep 2021 12:39:31 +0000
Label: Proxmox Debian Repository
Origin: Proxmox
Suite: stable
MD5Sum:
 78374dbb602f03bb1a1a3ace666af258           445978 pve-no-subscription/binary-amd64/Packages
 e09541b7f3094b43c88bbc5652e269cf           110439 pve-no-subscription/binary-amd64/Packages.gz
 cefb660b6e552ca1abdbc42b2ab853ef           453204 pvetest/binary-amd64/Packages
 ec5d0ba034dc0169d90befd03de3c5ce           113048 pvetest/binary-amd64/Packages.gz
SHA1:
 bcce2ad7d9405c335948bbcb2ec537418a65ddeb           445978 pve-no-subscription/binary-amd64/Packages
 3557fa5a2783cc7e48cbaa52cb3d2450925aa342           110439 pve-no-subscription/binary-amd64/Packages.gz
 2be3ee0c67a1c5b45a7892b01ad217034fd2dc09           453204 pvetest/binary-amd64/Packages
 ec94ab417f57ad7e0b9531683c5e3b2054f96a1b           113048 pvetest/binary-amd64/Packages.gz
SHA256:
 0268d67ae31120be6d9fe2d0e4af753de0f6a24d61c57752493d53af90efbd44           445978 pve-no-subscription/binary-amd64/Packages
 4c6a2a3a0cae8054e3166da14885c4e9d6c4415517cbd9a4229ebf4843816d83           110439 pve-no-subscription/binary-amd64/Packages.gz
 a7f7b91b29e8102bf5b2bf9e1d4c44f9d11ad553cd5ec69aef27d9701b8f77e4           453204 pvetest/binary-amd64/Packages
 c0c54f22c09b52afa45117d6d5be3f41ac59d733a6a975a3f5246410bc6afbee           113048 pvetest/binary-amd64/Packages.gz
SHA512:
 16ab0878a681c0e37da4c912edfb12a159e01c2adb48f2f09dc0aef73e9febd6579dd10b9370114f0126b80f284b17382ede662a30656ebe1b86356ba5e89029           445978 pve-no-subscription/binary-amd64/Packages
 fc7f3e6cfae27be629e89f7b3cb7fc694ef7bfdf5cc4b71fa01f88cf4840805b15526c8a940112c99e572d0908b82461f6521a186e9136c1e4ee0e7b2db9cdaa           110439 pve-no-subscription/binary-amd64/Packages.gz
 624f40ac47a5995f39d00dda54c1e8739e142cb5f4824720f0e9328a30b6cce0d366cbc850a252027c73eb932a162ad81196573ba3a40e7ec10716be5e496d19           453204 pvetest/binary-amd64/Packages
 29801e314016596d4a772edb4049992bec10b79d04cd9564ac6512518fdf2b79f7769fa345b53af67ade351d1dc18021b2a89fe5edf608c2e535692b0438e11e           113048 pvetest/binary-amd64/Packages.gz

zenny said:
Nevertheless, this got solved by appending '[trusted=true]' to the '/etc/apt/sources.list.d/pve-install-repo.list' to look like:

Code:

deb [arch=amd64 trusted=true] http://download.proxmox.com/debian/pve bullseye pve-no-subscription

Use '[allow-insecure=yes allow-downgrade-to-insecure=yes] in case '[trusted=true]" does NOT work.

Please do not do that, you're opening yourself up to easy MITM as the trust-checks get all disabled, this is dangerous!

Rather check the whole network connection stack, it could be that some proxy meddles with (some) connections, the simple curl check you did previously show that DNS resolves OK, at least with the curl user-agent and at that time.

Can you post the output of fetching the InRelease file with a user-agent like apt? IOW, execute the following on PVE node and post the output here:

Bash:

curl --silent --user-agent 'Debian APT-HTTP/1.3 (2.2.4)' http://download.proxmox.com/debian/dists/bullseye/InRelease

zenny · Sep 24, 2021

t.lamprecht said:

There sure is nothing wrong with the HSM signing the release files nor the public keys, that's true. We have tens of thousands of servers connecting to the apt repo daily, if there was anything wrong with signage we'd know

FWIW, you can recreate the signature verification steps with independent tooling, e.q., using the nice CLI tool sq from the Sequoia project.

Code:

$ apt install sq
$ curl --silent -O https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg
$ sha512sum proxmox-release-bullseye.gpg   
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa  proxmox-release-bullseye.gpg

$ curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | sq verify --signer-cert proxmox-release-bullseye.gpg
Good signature from DD4BA3917E23BF59                                        # <- shows that this works out OK
Architectures: amd64
Codename: bullseye
Components: pve-no-subscription pvetest
Date: Wed, 22 Sep 2021 12:39:31 +0000
Label: Proxmox Debian Repository
Origin: Proxmox
Suite: stable
MD5Sum:
 78374dbb602f03bb1a1a3ace666af258           445978 pve-no-subscription/binary-amd64/Packages
 e09541b7f3094b43c88bbc5652e269cf           110439 pve-no-subscription/binary-amd64/Packages.gz
 cefb660b6e552ca1abdbc42b2ab853ef           453204 pvetest/binary-amd64/Packages
 ec5d0ba034dc0169d90befd03de3c5ce           113048 pvetest/binary-amd64/Packages.gz
SHA1:
 bcce2ad7d9405c335948bbcb2ec537418a65ddeb           445978 pve-no-subscription/binary-amd64/Packages
 3557fa5a2783cc7e48cbaa52cb3d2450925aa342           110439 pve-no-subscription/binary-amd64/Packages.gz
 2be3ee0c67a1c5b45a7892b01ad217034fd2dc09           453204 pvetest/binary-amd64/Packages
 ec94ab417f57ad7e0b9531683c5e3b2054f96a1b           113048 pvetest/binary-amd64/Packages.gz
SHA256:
 0268d67ae31120be6d9fe2d0e4af753de0f6a24d61c57752493d53af90efbd44           445978 pve-no-subscription/binary-amd64/Packages
 4c6a2a3a0cae8054e3166da14885c4e9d6c4415517cbd9a4229ebf4843816d83           110439 pve-no-subscription/binary-amd64/Packages.gz
 a7f7b91b29e8102bf5b2bf9e1d4c44f9d11ad553cd5ec69aef27d9701b8f77e4           453204 pvetest/binary-amd64/Packages
 c0c54f22c09b52afa45117d6d5be3f41ac59d733a6a975a3f5246410bc6afbee           113048 pvetest/binary-amd64/Packages.gz
SHA512:
 16ab0878a681c0e37da4c912edfb12a159e01c2adb48f2f09dc0aef73e9febd6579dd10b9370114f0126b80f284b17382ede662a30656ebe1b86356ba5e89029           445978 pve-no-subscription/binary-amd64/Packages
 fc7f3e6cfae27be629e89f7b3cb7fc694ef7bfdf5cc4b71fa01f88cf4840805b15526c8a940112c99e572d0908b82461f6521a186e9136c1e4ee0e7b2db9cdaa           110439 pve-no-subscription/binary-amd64/Packages.gz
 624f40ac47a5995f39d00dda54c1e8739e142cb5f4824720f0e9328a30b6cce0d366cbc850a252027c73eb932a162ad81196573ba3a40e7ec10716be5e496d19           453204 pvetest/binary-amd64/Packages
 29801e314016596d4a772edb4049992bec10b79d04cd9564ac6512518fdf2b79f7769fa345b53af67ade351d1dc18021b2a89fe5edf608c2e535692b0438e11e           113048 pvetest/binary-amd64/Packages.gz

Please do not do that, you're opening yourself up to easy MITM as the trust-checks get all disabled, this is dangerous!

Rather check the whole network connection stack, it could be that some proxy meddles with (some) connections, the simple curl check you did previously show that DNS resolves OK, at least with the curl user-agent and at that time.

Can you post the output of fetching the InRelease file with a user-agent like apt? IOW, execute the following on PVE node and post the output here:

Bash:

curl --silent --user-agent 'Debian APT-HTTP/1.3 (2.2.4)' http://download.proxmox.com/debian/dists/bullseye/InRelease

Thanks for a warning. Please find below the output you asked for.

Code:

# curl --silent --user-agent 'Debian APT-HTTP/1.3 (2.2.4)' http://download.proxmox.com/debian/dists/bullseye/InRelease
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Architectures: amd64
Codename: bullseye
Components: pve-no-subscription pvetest
Date: Wed, 22 Sep 2021 12:39:31 +0000
Label: Proxmox Debian Repository
Origin: Proxmox
Suite: stable
MD5Sum:
 78374dbb602f03bb1a1a3ace666af258           445978 pve-no-subscription/binary-amd64/Packages
 e09541b7f3094b43c88bbc5652e269cf           110439 pve-no-subscription/binary-amd64/Packages.gz
 cefb660b6e552ca1abdbc42b2ab853ef           453204 pvetest/binary-amd64/Packages
 ec5d0ba034dc0169d90befd03de3c5ce           113048 pvetest/binary-amd64/Packages.gz
SHA1:
 bcce2ad7d9405c335948bbcb2ec537418a65ddeb           445978 pve-no-subscription/binary-amd64/Packages
 3557fa5a2783cc7e48cbaa52cb3d2450925aa342           110439 pve-no-subscription/binary-amd64/Packages.gz
 2be3ee0c67a1c5b45a7892b01ad217034fd2dc09           453204 pvetest/binary-amd64/Packages
 ec94ab417f57ad7e0b9531683c5e3b2054f96a1b           113048 pvetest/binary-amd64/Packages.gz
SHA256:
 0268d67ae31120be6d9fe2d0e4af753de0f6a24d61c57752493d53af90efbd44           445978 pve-no-subscription/binary-amd64/Packages
 4c6a2a3a0cae8054e3166da14885c4e9d6c4415517cbd9a4229ebf4843816d83           110439 pve-no-subscription/binary-amd64/Packages.gz
 a7f7b91b29e8102bf5b2bf9e1d4c44f9d11ad553cd5ec69aef27d9701b8f77e4           453204 pvetest/binary-amd64/Packages
 c0c54f22c09b52afa45117d6d5be3f41ac59d733a6a975a3f5246410bc6afbee           113048 pvetest/binary-amd64/Packages.gz
SHA512:
 16ab0878a681c0e37da4c912edfb12a159e01c2adb48f2f09dc0aef73e9febd6579dd10b9370114f0126b80f284b17382ede662a30656ebe1b86356ba5e89029           445978 pve-no-subscription/binary-amd64/Packages
 fc7f3e6cfae27be629e89f7b3cb7fc694ef7bfdf5cc4b71fa01f88cf4840805b15526c8a940112c99e572d0908b82461f6521a186e9136c1e4ee0e7b2db9cdaa           110439 pve-no-subscription/binary-amd64/Packages.gz
 624f40ac47a5995f39d00dda54c1e8739e142cb5f4824720f0e9328a30b6cce0d366cbc850a252027c73eb932a162ad81196573ba3a40e7ec10716be5e496d19           453204 pvetest/binary-amd64/Packages
 29801e314016596d4a772edb4049992bec10b79d04cd9564ac6512518fdf2b79f7769fa345b53af67ade351d1dc18021b2a89fe5edf608c2e535692b0438e11e           113048 pvetest/binary-amd64/Packages.gz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKBOaL4ML1oR4oaAf3UujkX4jv1kFAmFLJBkACgkQ3UujkX4j
v1mevBAAkp22uYu5PS5liy6ba32qtxp3y3401KTdsu9lP+b1xc54qMukcHqj4isn
taCsp9MqIWMN2CdWisHgcDAo3ZdF2b03qd3d8IrzHfy9sAb8TYPFj2jH6mkHzJ6s
tIXHi2ZYw8SPY+YcGdIS1iANyN5WMZLtYCgPZ2DUEzzs0L/ca14BZQZ+znyn868o
PT1l59U+WINJzKuWr4IFGSdwxHy5ZFoqigkHT+xFa4VfKD4vs1Vvw6/Pame6e22s
/PkIcXV+PYvYKZMZzMMJZmp47XZ59N+wfMXsBLiIxz8VyE08V7KLm2xg4upCtvMt
VAAYOdGQ/Lx1SFdrHbDSWVZ1sAVT3GIjXOrUAE8qm8/MKnofliGE+WcP2JfOgGie
OQbzEHv5zOs9o4QAU6/+sq86uHJySGG7p6wl6HL9tZFZ8y8wmeDJq332plVk/AMH
yRaNfm9WMdIFQWE3V7kR8C48YB5OjfLqxD3KoxRJDBg1OeZZbCbf025FBNBRHKaG
NNSKHHST9J2ernO1sG9PCT2c0P6Dj8qmiCbx4Lk/qVFzSizPr2pQeozizXRW5h/V
FL09T/NOfekfSJ412e1xl8VY8qnKKUoBs1pL5Vr0AA5azWT1ZbVJvylL6hR07gEQ
7+03xboJ2Gw17KJxj6TsXqsez0CntVgtGPB16sIiT1Dsq0IaBgQ=
=PNOQ
-----END PGP SIGNATURE-----

I reran with sq as you suggested and the outcome is:

Code:

# curl --silent -O https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg

# sha512sum proxmox-release-bullseye.gpg
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aab
bc727c936d3549731c4659ffa1a08f44db8fdcebfa  proxmox-release-bullseye.gpg

# curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | sq verify --signer-cert proxmox-release-bullseye.gpg
Good signature from DD4BA3917E23BF59
Architectures: amd64
Codename: bullseye
Components: pve-no-subscription pvetest
Date: Wed, 22 Sep 2021 12:39:31 +0000
Label: Proxmox Debian Repository
Origin: Proxmox
Suite: stable
MD5Sum:
 78374dbb602f03bb1a1a3ace666af258           445978 pve-no-subscription/binary-amd64/Packages
 e09541b7f3094b43c88bbc5652e269cf           110439 pve-no-subscription/binary-amd64/Packages.gz
 cefb660b6e552ca1abdbc42b2ab853ef           453204 pvetest/binary-amd64/Packages
 ec5d0ba034dc0169d90befd03de3c5ce           113048 pvetest/binary-amd64/Packages.gz
SHA1:
 bcce2ad7d9405c335948bbcb2ec537418a65ddeb           445978 pve-no-subscription/binary-amd64/Packages
 3557fa5a2783cc7e48cbaa52cb3d2450925aa342           110439 pve-no-subscription/binary-amd64/Packages.gz
 2be3ee0c67a1c5b45a7892b01ad217034fd2dc09           453204 pvetest/binary-amd64/Packages
 ec94ab417f57ad7e0b9531683c5e3b2054f96a1b           113048 pvetest/binary-amd64/Packages.gz
SHA256:
 0268d67ae31120be6d9fe2d0e4af753de0f6a24d61c57752493d53af90efbd44           445978 pve-no-subscription/binary-amd64/Packages
 4c6a2a3a0cae8054e3166da14885c4e9d6c4415517cbd9a4229ebf4843816d83           110439 pve-no-subscription/binary-amd64/Packages.gz
 a7f7b91b29e8102bf5b2bf9e1d4c44f9d11ad553cd5ec69aef27d9701b8f77e4           453204 pvetest/binary-amd64/Packages
 c0c54f22c09b52afa45117d6d5be3f41ac59d733a6a975a3f5246410bc6afbee           113048 pvetest/binary-amd64/Packages.gz
SHA512:
 16ab0878a681c0e37da4c912edfb12a159e01c2adb48f2f09dc0aef73e9febd6579dd10b9370114f0126b80f284b17382ede662a30656ebe1b86356ba5e89029           445978 pve-no-subscription/binary-amd64/Packages
 fc7f3e6cfae27be629e89f7b3cb7fc694ef7bfdf5cc4b71fa01f88cf4840805b15526c8a940112c99e572d0908b82461f6521a186e9136c1e4ee0e7b2db9cdaa           110439 pve-no-subscription/binary-amd64/Packages.gz
 624f40ac47a5995f39d00dda54c1e8739e142cb5f4824720f0e9328a30b6cce0d366cbc850a252027c73eb932a162ad81196573ba3a40e7ec10716be5e496d19           453204 pvetest/binary-amd64/Packages
 29801e314016596d4a772edb4049992bec10b79d04cd9564ac6512518fdf2b79f7769fa345b53af67ade351d1dc18021b2a89fe5edf608c2e535692b0438e11e           113048 pvetest/binary-amd64/Packages.gz
1 good signature.

Despite all of the above, I am back to square one again after omitting [trusted=true] flag:

Code:

# cp proxmox-release-bullseye.gpg /etc/apt/trusted.gpg.d/

# apt update
Hit:1 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:2 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
Hit:3 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
Get:4 http://download.proxmox.com/debian/pve bullseye InRelease [3,053 B]
Err:4 http://download.proxmox.com/debian/pve bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
Reading package lists... Done
W: GPG error: http://download.proxmox.com/debian/pve bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
E: The repository 'http://download.proxmox.com/debian/pve bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[Exit 100]

zenny · Sep 30, 2021

Bump!

confused_15 · Feb 11, 2022

I always hate to get to the bottom of a forum thread only to find it unsolved.

I had a similar issue and found that the proxmox-release-bullseye.gpg file that was created in the previous step needed additional permissions.

root@debian:/etc/apt/trusted.gpg.d# ls -lah
total 80K
drwxr-xr-x 2 root root 4.0K Feb 11 00:36 .
drwxr-xr-x 7 root root 4.0K Sep 30 10:07 ..
-rw-r--r-- 1 root root 8.5K Mar 16 2021 debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8.6K Mar 16 2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2.4K Mar 16 2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8.0K Mar 16 2021 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8.0K Mar 16 2021 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K Mar 16 2021 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7.3K Mar 16 2021 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7.3K Mar 16 2021 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K Mar 16 2021 debian-archive-stretch-stable.gpg
-rw------- 1 root root 1.2K Dec 14 2020 proxmox-release-bullseye.gpg

After changing them with "chmod go+r /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg"

root@debian:/etc/apt/trusted.gpg.d# ls -lah
total 80K
drwxr-xr-x 2 root root 4.0K Feb 11 00:36 .
drwxr-xr-x 7 root root 4.0K Sep 30 10:07 ..
-rw-r--r-- 1 root root 8.5K Mar 16 2021 debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8.6K Mar 16 2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2.4K Mar 16 2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8.0K Mar 16 2021 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8.0K Mar 16 2021 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K Mar 16 2021 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 7.3K Mar 16 2021 debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7.3K Mar 16 2021 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K Mar 16 2021 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 1.2K Dec 14 2020 proxmox-release-bullseye.gpg

All was right in the world again and the install proceeded as expected.

t.lamprecht · Feb 11, 2022

confused_15 said:
I had a similar issue and found that the proxmox-release-bullseye.gpg file that was created in the previous step needed additional permissions.

The first post shows that the permission were OK in the OP's case though...

zenny said:
# ls -la /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
-rw-r--r-- 1 root root 1187 Dec 14 2020 /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

confused_15 · Feb 11, 2022

Hence why I started with "I had a similar issue" and not the same one.
I was just trying to help other lost ppl like me that may have had a similar issue and happened to stumble across this thread as I did.

I guess the real solution to the issue I had is to add this step in the wiki for installing proxmox on Debian 11 here:

https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_11_Bullseye

t.lamprecht · Feb 11, 2022

I mean it won't hurt to add a hint, but by default the permissions are correct, just wondering how your system managed to have it with 0600, did you set a restrictive umask?

confused_15 · Feb 11, 2022

Good catch.

root@debian:/# umask
0077

This image of Debian was hardened to the CIS benchmarks.
I think we did both Levels 1 and 2, and I'm pretty sure that was one of the hardening steps (It was like 6 months ago so my memory isn't 100%).

Another issue I identified later after making these posts is that this is Debian 10 not 11.
I switched over to the wiki for Debian 10, and it actually does have this as an optional step.

After that the install finished without a hitch, go figure

Sorry if that last post came off a little harsh at the time I was clearly in desperate need of some coffee.

mathx · Feb 9, 2023

Where to get and how to add the proxmox enterprise and no-sub gpg keys?

t.lamprecht · Feb 9, 2023

mathx said:
Where to get and how to add the proxmox enterprise and no-sub gpg keys?

See https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#repos_secure_apt

NO_PUBKEY DD4BA3917E23BF59 error

Active Member

Proxmox Staff Member

Proxmox Staff Member

Active Member

Active Member

Proxmox Staff Member

Member

Active Member

Proxmox Staff Member

Active Member

Proxmox Staff Member

Active Member

Active Member

New Member

Proxmox Staff Member

New Member

Proxmox Staff Member

New Member

Renowned Member

Proxmox Staff Member