Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY

Question

I have a catch 22 trying to:

   # apt-get update
   [... good lines omitted]
   W: GPG error: http://backports.debian.org lenny-backports Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
   W: GPG error: http://http.us.debian.org stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
   W: GPG error: http://ftp.us.debian.org lenny Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA

At http://wiki.debian.org/SecureApt#Other_problems it notes the NO_PUBKEY issue "means the archive has begun to be signed by a new key, which your system does not know about ... and once the system is fed the new key (by upgrading the debian-archive-keyring package), the warning will go away"

OK, but perversely:

   apt-get install debian-archive-keyring 

gives me:

   WARNING: The following packages cannot be authenticated!
       debian-archive-keyring

and the solution for that is to do an apt-get update

Can anyone break the cycle for me?

--

Note: my /etc/apt/sources.list is:

    deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
    deb http://http.us.debian.org/debian stable main contrib non-free
    deb http://security.debian.org lenny/updates main contrib non-free
    deb http://backports.debian.org/debian-backports lenny-backports main contrib non-free

Answer 1

Can anyone break the cycle for me?

You are basically just experiencing the standard bootstrapping problem for public key cryptography.

There are many places you can download the public keys for the various archives, but frequently they are not provided over HTTPS, and any checksum files are delivered from the same location.

That wiki link you provided links off to https://ftp-master.debian.org/keys.html which has provides a copy of the keys you can download over SSL. The problem of course is that the cert for ftp-master.debian.org is signed by ca.debian.org, which is not distributed with the most common web browsers.

You basically just have to find a way to get a copy of debian-archive-keyring, or the current key from system that you trust, and the install it onto your system. If you are really paranoid, you might have to grab a copy of the archive, and have someone else grab a copy from another mirror on a different computer over a different network. Then compare the checksums.

If you are not extremely paranoid, or in a high security environment, then just let apt-get install debian-archive-keyring install, and ignore the warning.

It would take a lot of effort for someone to setup a MITM between you and the some random http.us.debian.org mirror. Once they did that, they would have to build their own custom debian-archive-keyring package including their evil key in addition to the standard keys. Then they would have to rebuild some packages to force you to install something evil onto your system. The effort involved would not be trivial.

Debian generally does a pretty good job adding keys that will be used to sign the packages in the future to the debian-archive-keyring package. That is one package, that you really want to keep up-to-date. That way, you will key the keys installed before they are used for signing things, and you won't have this problem in the future.

Answer 2

Your problem is that you didn't install debian-keyring as well. Simply run the following:

apt-get install debian-keyring
apt-get install debian-archive-keyring

That's it.

Answer 3

Debian - Apt-get : NO_PUBKEY / GPG error

In computers based on a Debian operating system that uses Linux kernel, error messages may come up like 'NO_PUBKEY'.This happens while using the Apt-Get command line tool and this error is associated with the tool's update feature. The new feature in the Apt-Get package management tool guarantees the authenticity of the server before updating the Debian OS. That's why the error 'NO_PUBKEY' pops up. This problem can be solved by keying in the appropriate commands.

Simply type the following commands, taking care to replace the number below with that of the key that was displayed in the error message:

gpg --keyserver pgpkeys.mit.edu --recv-key  AED4B06F473041FA      
gpg -a --export AED4B06F473041FA | sudo apt-key add -

Answer 4

Two things:

1. Your sources.list file may be incorrect; are you sure those are the right lines for those repos?

2. You'll have to manually locate the Release.gpg files on those repos and update the keyring:

wget -q http://backports.debian.org/debian-backports/dists/squeeze-backports/Release.gpg -O -|apt-key add -

You might be playing with fire by mixing lenny with the stable repo

Answer 5

apt-key adv --keyserver subkeys.pgp.net --recv-keys YOUR_KEY

Answer 6

In case someone run on this one trying to build a Dockerfile based on stretch :

# debian stretch moved to archive.debian.org on 2023-03-27
RUN export DEBIAN_FRONTEND="noninteractive" && \
    echo "deb http://archive.debian.org/debian/ stretch main non-free contrib" > /etc/apt/sources.list && \
    echo "deb http://archive.debian.org/debian-security/ stretch/updates main non-free contrib" >> /etc/apt/sources.list && \
    apt-get update -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true -o APT::Get::AllowUnauthenticated=true && \
    apt-get install -y --no-install-recommends -o APT::Get::AllowUnauthenticated=true debian-archive-keyring

Answer 7

The right thing to do is to not worry about getting the key to your machine securely, but being able to accurately check your trust path to the key once you have it on your machine. This means that you want to find a chain of signatures where your gpg key was used to sign someone's key that was used to sign someone's key... so that you eventually find someone that signed the archive key.

This would obviously be tedious if you were to try to do this by hand if you are more than a couple of steps away from the key. wotsap is a package which will help you discover paths from your key to the keys of the people that have directly signed the archive key.

This all is predicated on you having a gpg key and participating in gpg keysigning, which is absolutely essential if you want to really do this correctly.

Answer 8

If you got no key because your debian-archive-keyring is too old, you can securely upgrade it by adding an earlier release of Debian to /etc/apt/sources.list, and installing a new keyring signed by the old key. You might need to do this if your install was Debian "testing".

I had an install of Debian 10 "buster" from 2018, when it was "testing", and before it released in 2019. I needed to upgrade it in 2022, but I was missing buster's release key. I followed these steps.

1. Run apt-key list to look for keys. I had the key for Debian 9 "stretch", the next key before "buster" in Debian's Archive Signing Keys.

2. Edit /etc/apt/sources.list to add stretch. (I had lines for stretch, so I uncommented them. It would also work to copy buster's lines and change buster to stretch.)

3. Run apt update to scan stretch's sources.

4. Run apt-get install debian-archive-keyring/stretch to install stretch's keyring. It said that my package "will be DOWNGRADED". I said "Y", downgrading it from 2017.7 to 2017.5+deb9u1, because 2017.5+deb9u1 has buster's key.

5. Run apt update to scan buster's sources. It said that buster "changed its Version value from '' to '10.13'" and "its 'Suite' value from 'testing' to 'oldstable'". I said "Y".

6. Run apt upgrade as usual.