[SOLVED] Good Signatrue, yet shows up GPG error : NO_PUBKEY DD4BA3917E23BF59 on `apt update`!?

[zenny]

Hi,

I am on debian 11 bullseye (this was upgraded from buster and was working). I am still on PVEv7, fyi. But when I tried to update, I encountered:

# apt update
Get:1 http://download.proxmox.com/debian/pve bullseye InRelease [2,768 B]
Hit:2 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:3 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
Hit:4 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
Err:1 http://download.proxmox.com/debian/pve bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
Reading package lists... Done
W: GPG error: http://download.proxmox.com/debian/pve bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
E: The repository 'http://download.proxmox.com/debian/pve bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[Exit 100]

The key that I have shows as a good signature:

# sha512sum proxmox-release-bullseye.gpg
7fb03ec8a1675723d2853b84aa4fdb49a46a3bb72b9951361488bfd19b29aab0a789a4f8c7406e71a69aabbc727c936d3549731c4659ffa1a08f44db8fdcebfa  proxmox-release-bullseye.gpg

# curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | sq verify --signer-cert proxmox-release-bullseye.gpg
Good signature from DD4BA3917E23BF59
Architectures: amd64
Changelogs: https://metadata.cdn.proxmox.com/download/changelogs/pve/dists/bullseye/@CHANGEPATH@.changelog
Codename: bullseye
Components: pve-no-subscription pvetest
Date: Mon, 23 Sep 2024 14:57:57 +0000
Label: Proxmox Debian Repository
Origin: Proxmox
Suite: stable
MD5Sum:
 82cadc6908ec1c6c71fcc009c6d01d9f          2251965 pve-no-subscription/binary-amd64/Packages
 0de29fc3c7cbb943659ec5c9ea64c958           451465 pve-no-subscription/binary-amd64/Packages.gz
 c25ad9c387529b667c2805549111ed6b          2225721 pvetest/binary-amd64/Packages
 4d5dd99fb2a94016478aa28bbaac476a           451267 pvetest/binary-amd64/Packages.gz
SHA256:
 72005670b13d131718f792028bb48d4423233d44f21b8c66275f64b68c11053b          2251965 pve-no-subscription/binary-amd64/Packages
 8c1a1ae6e7fc9fc8ef5135baeb0b471383d24a2817ef25ca8b461f012a38e95b           451465 pve-no-subscription/binary-amd64/Packages.gz
 92e1564b84402b296e9d5c968111fc35cafed1d0067efd5b13ed34c2e35b6d62          2225721 pvetest/binary-amd64/Packages
 db8c4f23b54636dc92a075c629827f04e7266d3d53bffedafd7bfc841aaf9782           451267 pvetest/binary-amd64/Packages.gz
SHA512:
 8b2079a936bd8871ef4b88cefc80ae31998c68be02f7371a1b2d29c780d8c4f27ce9205fe08267cc448232782181692c09340aa3fb5fc370b447b6f2f6868dd5          2251965 pve-no-subscription/binary
-amd64/Packages
 27e02c5703bcc63bff6573758bda49f8f4fe88fc7056aace576cb5487255b50a3e52fbca9f80bf5bc91a3830d704d73bc406d3fa1ec1217080a1474fc0594817           451465 pve-no-subscription/binary
-amd64/Packages.gz
 ad77bdaabc09fd080a07545e05b307b91d7d9c61e5a5f3e0556fdef2ddadc66db8174e05120b941cac8d802fc1ddf08876893941c667c8a72cfc5a15b3cd8021          2225721 pvetest/binary-amd64/Packa
ges
 e0dc9a1c2466cda82a7bb7ddbfe94e0c16a35f028f783cf64d3d5eb8d3acb1eb0b4d477e1b1ad01941d08dad50ec9629fae790dfc79838a4694dd69bd158fbdf           451267 pvetest/binary-amd64/Packa
ges.gz
1 good signature.

I posted the same issue 3 years back (see https://forum.proxmox.com/threads/no_pubkey-dd4ba3917e23bf59-error.96281/) and it still seems unresolved. Any inputs appreciated.

Thanks and cheers,
/zenny

 

[sterzy]

Hey,

I looked through the old thread and this looks strange. Are you sure the key is installed in the correct location and has the appropriate permissions? Could you check what `ls -lah etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg` and `apt-key list` output? It seems somehow apt struggles to even find the key. Did you change something in regard to how your installation handles keys?

 

[zenny]

Hey,

I looked through the old thread and this looks strange. Are you sure the key is installed in the correct location and has the appropriate permissions? Could you check what `ls -lah etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg` and `apt-key list` output? It seems somehow apt struggles to even find the key. Did you change something in regard to how your installation handles keys?

Thanks for your reply.

The location of the gpg key and file permissions looks alright as follows:

# ls -lah /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
-rw-r--r-- 1 root root 1.2K Dec 14  2020 /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg

`apt-key list` reports valid unexpired keys as follows:

# apt-key list
...
/etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
---------------------------------------------------
pub   rsa4096 2022-11-27 [SC] [expires: 2032-11-24]
      F4E1 36C6 7CDC E41A E6DE  6FC8 1140 AF8F 639E 0C39
uid           [ unknown] Proxmox Bookworm Release Key <proxmox-release@proxmox.com>

/etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
---------------------------------------------------
pub   rsa4096 2020-11-09 [SC] [expires: 2030-11-07]
      2813 9A2F 830B D684 78A1  A01F DD4B A391 7E23 BF59
uid           [ unknown] Proxmox Bullseye Release Key <proxmox-release@proxmox.com>

The setup is default, so the key handing is not changed at all.


Btw, I got the `bookworm` as I have to append `allow-insecure=yes allow-downgrade-to-insecure=yes`, because without that I could neither pull any zst templates. Once it is insecurely upgraded, I set removed the `allow-insecure=yes allow-downgrade-to-insecure=yes` again as there is no other way, fyi.

Still `apt update` reports:

# apt update
Hit:1 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
Hit:2 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
Hit:3 https://deb.debian.org/debian-security bullseye-security InRelease
Get:4 http://download.proxmox.com/debian/pve bullseye InRelease [2,768 B]
Err:4 http://download.proxmox.com/debian/pve bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
Reading package lists... Done
W: GPG error: http://download.proxmox.com/debian/pve bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DD4BA3917E23BF59
E: The repository 'http://download.proxmox.com/debian/pve bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
[Exit 100][/CODE}

If I try to `apt upgrade`, I get the follwoing:

# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  proxmox-ve pve-kernel-helper
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

 

[sterzy]

Btw, I got the `bookworm` as I have to append `allow-insecure=yes allow-downgrade-to-insecure=yes`, because without that I could neither pull any zst templates. Once it is insecurely upgraded, I set removed the `allow-insecure=yes allow-downgrade-to-insecure=yes` again as there is no other way, fyi.

Interesting, did you also configure the bookworm repos? What does `apt policy` report in terms of configured repos?

`apt-key list` reports valid unexpired keys as follows:

Other than our and the regular Debian keys, is there anything else configured there that might be relevant?

 

[zenny]

Interesting, did you also configure the bookworm repos? What does `apt policy` report in terms of configured repos?

Other than our and the regular Debian keys, is there anything else configured there that might be relevant?

There is nothing else other than what was minimally required to run proxmox7 is installed as evident from the `apt policy` output. Nothing other than debian11 bullseye repos are activated.

# apt policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://download.proxmox.com/debian/pve bullseye/pve-no-subscription amd64 Packages
     release o=Proxmox,a=stable,n=bullseye,l=Proxmox Debian Repository,c=pve-no-subscription,b=amd64
     origin download.proxmox.com
 500 https://deb.debian.org/debian-security bullseye-security/non-free amd64 Packages
     release v=11,o=Debian,a=oldstable-security,n=bullseye-security,l=Debian-Security,c=non-free,b=amd64
     origin deb.debian.org
 500 https://deb.debian.org/debian-security bullseye-security/main amd64 Packages
     release v=11,o=Debian,a=oldstable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
     origin deb.debian.org
 500 http://cdn-fastly.deb.debian.org/debian bullseye-updates/main amd64 Packages
     release v=11-updates,o=Debian,a=oldstable-updates,n=bullseye-updates,l=Debian,c=main,b=amd64
     origin cdn-fastly.deb.debian.org
 500 http://cdn-fastly.deb.debian.org/debian bullseye/non-free amd64 Packages
     release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=non-free,b=amd64
     origin cdn-fastly.deb.debian.org
 500 http://cdn-fastly.deb.debian.org/debian bullseye/contrib amd64 Packages
     release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=contrib,b=amd64
     origin cdn-fastly.deb.debian.org
 500 http://cdn-fastly.deb.debian.org/debian bullseye/main amd64 Packages
     release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=main,b=amd64
     origin cdn-fastly.deb.debian.org
Pinned packages:

There is no conflicting reports from other repos whereas only proxmox keys reports the conflict.

 

[fabian]

is the trusted.gpg.d directory set to 755/rwxr-xr-x?

 

[zenny]

is the trusted.gpg.d directory set to 755/rwxr-xr-x?

Nope, it was by default 644 as other keys as evident from below:

# ls -lah /etc/apt/trusted.gpg.d/
total 92K
drwxr-xr-x 2 root root 4.0K Oct 31 10:04 ./
drwxr-xr-x 8 root root 4.0K Sep 24 2021 ../
-rw-r--r-- 1 root root 8.5K Mar 18 2023 debian-archive-bookworm-automatic.gpg
-rw-r--r-- 1 root root 8.6K Mar 18 2023 debian-archive-bookworm-security-automatic.gpg
-rw-r--r-- 1 root root 280 Mar 18 2023 debian-archive-bookworm-stable.gpg
-rw-r--r-- 1 root root 8.5K Mar 16 2021 debian-archive-bullseye-automatic.gpg
-rw-r--r-- 1 root root 8.6K Mar 16 2021 debian-archive-bullseye-security-automatic.gpg
-rw-r--r-- 1 root root 2.4K Mar 16 2021 debian-archive-bullseye-stable.gpg
-rw-r--r-- 1 root root 8.0K Sep 15 2021 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8.0K Sep 15 2021 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2.3K Sep 15 2021 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 1.2K Nov 27 2022 proxmox-release-bookworm.gpg
-rw-r--r-- 1 root root 1.2K Dec 14 2020 proxmox-release-bullseye.gpg


All other works with the 644 permission as you can see above.

About permission of trusted.gpg.d, it has 751 permission:

# ls -lah /etc/apt
total 36K
drwxr-xr-x 8 root root 4.0K Sep 24 2021 ./
drwxr-xr-x 95 root root 4.0K Oct 31 11:10 ../
drwxr-xr-x 2 root root 4.0K Oct 31 13:28 apt.conf.d/
drwxr-xr-x 2 root root 4.0K Apr 19 2021 auth.conf.d/
drwxr-xr-x 2 root root 4.0K Apr 19 2021 preferences.d/
-rw-r--r-- 1 root root 1.4K Sep 15 2021 sources.list
drwxr-xr-x 2 root root 4.0K Oct 31 10:05 sources.list.d/
drwxr-xr-x 2 root root 4.0K Oct 31 10:04 trusted.gpg.d/

 

[sterzy]

About permission of trusted.gpg.d, it has 751 permission:

That looks correct, those permissions are actually 755, you missed an “r” there (you can check with `stat /etc/apt/trusted.gpg.d`). The issue remains strange, though. I'm guessing a curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | gpgv --keyring /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg also works? This should be closer to what apt does internally, `sq` is part of sequoia which should be compatible with gpg, but just to be safe.

 

[zenny]

That looks correct, those permissions are actually 755, you missed an “r” there (you can check with `stat /etc/apt/trusted.gpg.d`). The issue remains strange, though. I'm guessing a curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | gpgv --keyring /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg also works? This should be closer to what apt does internally, `sq` is part of sequoia which should be compatible with gpg, but just to be safe.

To be honest, it has been working with 751. I shall try with 755 and get back to you (update didn't work with `drwxr-xr-x 2 root root 4.0K Oct 31 10:04 trusted.gpg.d/` either! Fyi, I have the following file system status:

# stat /etc/apt/trusted.gpg.d
File: /etc/apt/trusted.gpg.d
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 1937182 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-10-31 10:05:55.606105042 +0100
Modify: 2024-10-31 10:04:18.496967896 +0100
Change: 2024-10-31 10:04:18.496967896 +0100
Birth: 2021-09-24 23:23:00.354409280 +0200

The gpg key seemed to be good with `gpgv`:

# curl --silent http://download.proxmox.com/debian/dists/bullseye/InRelease | gpgv --keyring /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
gpgv: Signature made Mon 23 Sep 2024 04:58:01 PM CEST
gpgv: using RSA key 28139A2F830BD68478A1A01FDD4BA3917E23BF59
gpgv: Good signature from "Proxmox Bullseye Release Key <proxmox-release@proxmox.com>"

 

[zenny]

Thanks @fabian and @sterzy for your inputs.

However, after going through several issues similar to mine, I went through two interesting posts viz. https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html and https://unix.stackexchange.com/questions/713584/apt-key-wont-trust-the-gpg-certificate which categorically states to use `signed-by=key.gpg` to be specific because `apt-key` reportedly stores keys in separate location than `apt`.

I appended to `/etc/apt/sources.list.d/pve-install-repo.list` as follows:

~# cat /etc/apt/sources.list.d/pve-install-repo.list
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg] http://download.proxmox.com/debian/pve bullseye pve-no-subscription

and the warning was gone:

# apt update
Hit:1 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian-security bullseye-security InRelease
Hit:3 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
Get:4 http://download.proxmox.com/debian/pve bullseye InRelease [2,768 B]
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.

I believe this could be helpful to others who are having similar issues. Thanks!