Apt-get The following signatures couldn’t be verified because the public key is not available


I've created own Debian repository and have this problem.

I know about

  • --ignore-release-gpg


  • gpg --keyserver pgp.mit.edu --recv-keys xxxxxxxxx
  • gpg --armor --export xxxxxxxxx | apt-key add -

Two questions:

  1. why apt-get doesn't import this public key from online repository automatically?
  2. why I don't see this message with other repositories?

Best Solution

To answer #1: It is a security mechanism in its design. APT is not human and doesn't know what or who to trust. Only import keys in your keyring of people you trust. GPG verification prevents man-in-the-middle attacks on package contents and verifies the integrity of the package to be in the same state as it was when uploaded to the archive/repository. This way even admins on the official mirrors are not able to tamper the files without you noticing it. See also this question.

And #2: Some keys are installed on installation time. The main keys of the Debian archives and Debian Developers are in the package debian-keyring and marked as trusted for use with apt.

Back to your goal - maintaining your own Debian packages repository without these errors. The best solution would be to sign all packages in the archive and let the users of your repositories install your public key. This is how it works usually, see for example how VirtualBox.org handles this.

Some random pitfall: Don't forget to run apt-get update (or aptitude update) after you add new keys.

If you're using Ubuntu and building free software, consider using a PPA. Ubuntu's PPAs (Personal Package Archives) come with neat user friendly scripts to install the repositories along with the GPG keys used for verification. (apt-add-repository ppa:my-ppa/myarchive)

Some websites mention how to disable verification for APT by setting APT::Get::AllowUnauthenticated yes; in its configuration. I would really not recommend doing this as it affects all repositories.

Related Question