GPG error: https://apt.releases.hashicorp.com bionic InRelease: The following signatures couldn't be verified because the public key is not available

Question

I ran this command to update packages in my ubuntu VM.

sudo apt-get update

It gave me the below error at the end.

Err:5 https://apt.releases.hashicorp.com bionic InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXXXXXXXXX
Fetched 12.0 kB in 1s (10.4 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.releases.hashicorp.com bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXXXXXXXXX
W: Failed to fetch https://apt.releases.hashicorp.com/dists/bionic/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY XXXXXXXXXXXXXXXX
W: Some index files failed to download. They have been ignored, or old ones used instead.

What does this mean and how can I fix it?

score 62 · Accepted Answer · answered Jan 27 '23 at 06:21

This means that the gpg key for this HashiCorp repository is not available in the apt-key database.

As the fix, it can be re-added with the below commands.

# GPG is required for the package signing key
sudo apt install gpg

# Download the signing key to a new keyring
wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg

# Verify the key's fingerprint
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

# The fingerprint must match 798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701, which can also be verified at https://www.hashicorp.com/security under "Linux Package Checksum Verification".

# Add the HashiCorp repo
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

# apt update successfully
sudo apt update

Note that these commands were taken from Hashicorp's Official Packaging Guide.

the changes are correct for /etc/apt/sources.list.d/hashicorp.list, however I also had a legacy list file /etc/apt/sources.list.d/terraform.list which needing deleting as per https://github.com/hashicorp/terraform/issues/30911 — rgbhex00, Feb 08 '23 at 19:56
NO_PUBKEY AA16FCBCA621E701 chmod 644 /usr/share/keyrings/hashicorp-archive-keyring.gpg — Alex, Mar 22 '23 at 10:26

score 0 · Answer 2 · answered May 19 '23 at 03:36

If you are using a distribution different from the supported ones, you will need some extra work. This is because lsb_release -cs prints the code name of your Linux distribution.

For example, I'm using Linux Mint 20.1 code name Ulyssa:

jm@lenovo:~$ lsb_release -cs
ulyssa

So, the 4th step in the accepted answer will produce:

jm@lenovo:~$ cat /etc/apt/sources.list.d/hashicorp.list 
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com ulyssa main

I had to change ulyssa to focal (this is because Mint 20.1 Ulyssa is based on Ubuntu 20.04 Focal Fossa). To change it you can do:

sudo nano /etc/apt/sources.list.d/hashicorp.list

(Edit the string, then Ctlr+O, then Enter, then Ctrl+X)

GPG error: https://apt.releases.hashicorp.com bionic InRelease: The following signatures couldn't be verified because the public key is not available

2 Answers2