Bobcares

Fixing GPG Error “the following signatures couldn’t be verified” in Ubuntu

by | Aug 2, 2024

The Ubuntu error “GPG error: The following signatures couldn’t be verified” indicates a problem confirming the authenticity of software packages downloaded from a repository. In this post, we’ll look at the issue in more detail. Bobcares, as a part of our Server Management Service, offers solutions to every query that comes our way.

Overview
  1. More on “GPG error: The following signatures couldn’t be verified” in Ubuntu
  2. Common Causes of the Error
  3. Fixes for the Error
  4. Important Considerations
  5. Conclusion

More on “GPG error: The following signatures couldn’t be verified” in Ubuntu

The error message “GPG error: The following signatures couldn’t be verified” in Ubuntu indicates a problem confirming the validity of software packages from a repository. It usually occurs when the GPG keys that sign the repository’s packages are invalid, missing, or expired.

GPG is a tool that uses cryptographic methods to ensure the authenticity and integrity of software packages. It verifies that packages come from trusted sources and haven’t been tampered with. When repositories are signed with GPG keys, each package comes with a signature. This signature is verified against the public key provided by the repository.

When we see this error, it means Ubuntu’s package manager (like apt) cannot verify the packages’ signatures due to missing or invalid keys. The syntax of the error is the following:

[Image: example of the “GPG error: the following signatures couldn’t be verified” message in Ubuntu]

Here,

W: Indicates a warning rather than a serious error.

<repository URL>: The location of the faulty repository.

NO_PUBKEY <key ID>: Shows that the system does not contain the public key identified by <key ID>.

Common Causes of the Error

1. The main cause of this problem is that the repository’s public key has not been added to the system. This can happen when a new repository is added or the key is changed.

2. Sometimes an invalid-signature error occurs because the key has either expired or been revoked.

3. An incorrect repository entry in the sources list can cause problems with signature verification.

4. The keyserver that supplies the keys may be unavailable or unresponsive, so the necessary keys cannot be retrieved.

5. An incorrect system date and time may cause problems with validity checks.
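
The causes above leave distinct traces in `apt update` output. The following added example (not part of the original post) sorts such messages by cause and extracts the key ID and repository. The sample lines and `example.invalid` hosts are constructed; only the key ID in the first line is taken from this post.

```shell
#!/bin/sh
# Added example: sort apt signature errors by the cause they point to.
# Prints one "<cause> <key-id> <repository>" line per finding ("-" = no key ID).

classify_apt_gpg_errors() {    # stdin: output of `apt update`
    awk '
        $2 == "GPG" && $3 == "error:" {
            repo = $4
            # apt echoes gpg status tokens; each one is followed by a key ID
            for (i = 5; i < NF; i++) {
                id = $(i + 1)
                if ($i == "NO_PUBKEY")      print "missing-key", id, repo    # cause 1
                else if ($i == "EXPKEYSIG") print "expired-key", id, repo    # cause 2
                else if ($i == "REVKEYSIG") print "revoked-key", id, repo    # cause 2
                else if ($i == "BADSIG")    print "bad-signature", id, repo
            }
        }
        # Release file dated in the future: the local clock is behind (cause 5)
        /Release file for .* is not valid yet/ { print "clock-skew", "-", $5 }
    '
}

# Constructed sample output; hosts are placeholders.
sample_apt_output() {
    cat <<'EOF'
W: GPG error: http://repo-a.example.invalid/ubuntu stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
W: GPG error: http://repo-b.example.invalid/apt stable InRelease: The following signatures were invalid: EXPKEYSIG 0123456789ABCDEF Example Repo Signing Key <signing@example.invalid>
E: Release file for http://repo-c.example.invalid/ubuntu/dists/stable/InRelease is not valid yet (invalid for another 3h 12min 5s). Updates for this repository will not be applied.
EOF
}

sample_apt_output | classify_apt_gpg_errors
```

On a live system, pipe `sudo apt update 2>&1` into `classify_apt_gpg_errors` instead of the sample.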

Fixes for the Error

1. Importing the Missing Public Key

i. Identify the missing key from the error message (e.g., NO_PUBKEY 871920D1991BC93C).

ii. Import the key using the command:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <KEY_ID>

Replace <KEY_ID> with the actual key ID from the error message.

2. Updating the Keyring: If keys are obsolete or corrupted, we must update the keyring:

sudo apt-key update

3. Checking Repository Configuration: We must make sure the repository URLs in /etc/apt/sources.list are correct, as incorrect URLs can cause signature verification issues.

4. Using Alternative Keyservers: If the default keyserver isn’t responding, try an alternative:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <KEY_ID>

5. Correcting System Time

i. Ensure the system’s date and time are accurate:

date

ii. Set the correct time if needed:

sudo timedatectl set-time "YYYY-MM-DD HH:MM:SS"

6. Reinstalling the Package: If the problem persists, we can try removing and reinstalling the problematic package:

sudo apt remove <package-name>
sudo apt install <package-name>

Important Considerations

1. Make sure the GPG keys we import are from reliable sources. Unverified keys might put the system at risk.

2. Regularly check whether the repository keys have changed, and update them when they have. Repositories may rotate keys periodically for security purposes.

3. Make backups before modifying any key-related parameters or /etc/apt/sources.list.

4. Double-check that the URLs in the sources list are accurate and valid. Incorrect URLs can cause key verification to fail.

5. Make sure the clock on the machine is correct. Clock drift can make signatures appear expired or future-dated, which causes signature validation to fail. Enable NTP to keep the system time synchronized automatically.

6. Check the system logs (/var/log/apt) on a regular basis for any faults or warnings pertaining to GPG keys.
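
Consideration 1 in practice, as an added example that is not Bobcares' own code: compare the full fingerprint of a downloaded key against one published by the repository owner before trusting it, and bind the key to that one repository with `signed-by` instead of the global keyring that `apt-key` (deprecated in current apt) writes to. The colon listing, fingerprints, keyring path and repository URL are constructed placeholders.

```shell
#!/bin/sh
# Added example: accept a repository key only on a full-fingerprint match,
# then emit a sources.list entry that trusts it for one repository only.

# Primary-key fingerprint from `gpg --show-keys --with-colons` output on stdin.
primary_fingerprint() {
    awk -F: '$1 == "pub" { want = 1 } want && $1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint as published on a web page: drop spaces, upper-case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# $1 = expected fingerprint, stdin = colon listing. Exact match on all 40 hex
# digits; short key IDs are not compared because they can collide.
fingerprint_matches() {
    actual=$(primary_fingerprint)
    [ -n "$actual" ] && [ "$actual" = "$(normalise_fpr "$1")" ]
}

# $1 = keyring path, $2 = repository URL, $3 = suite, $4 = component
scoped_source_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Constructed, abridged colon listing; every value here is made up.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Example Repo Signing Key <signing@example.invalid>:
sub:-:4096:1:76543210FEDCBA98:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Real input would come from: gpg --show-keys --with-colons repo-key.asc
# and the accepted key would be stored with: gpg --dearmor under /etc/apt/keyrings/
if sample_listing | fingerprint_matches "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"; then
    scoped_source_line /etc/apt/keyrings/example-repo.gpg \
        https://repo.example.invalid/ubuntu stable main
else
    echo "fingerprint mismatch: do not install this key" >&2
fi
```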


Conclusion

To sum up, by considering these points from our Experts, we can effectively manage and resolve GPG errors in Ubuntu while maintaining a secure and stable system.
