aptly mirror – gpgv: Can’t check signature: public key not found

If you want to mirror repositories from your current aptly server on a new server, you must first import the GPG key the old server signs its repositories with into the new server's trustedkeys.gpg keyring. Otherwise you are going to encounter the following error:

gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Can't check signature: public key not found

Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 181482CCFDC7A25E

Sometimes keys are stored in repository root in file named Release.key, to import such key:

wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import

ERROR: unable to fetch mirror: verification of detached signature failed: exit status 2

And the mirror command fails. The problem is that the key the old server signs its Release files with is missing from the keyring gpgv (and therefore aptly) verifies against:

you must import the GPG key from your old server into trustedkeys.gpg (even if you have already imported it on the new server with apt-key!!!)

Here is how to list, export and import it. We import it into both the default keyring and trustedkeys.gpg because it is more convenient; only trustedkeys.gpg is mandatory, because that is the keyring gpgv checks signatures against.

Before we begin, here is the problem illustrated by listing the default and trustedkeys keyrings on both servers:
The old server:

root@srv-aptly-1:~# gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
/root/.gnupg/trustedkeys.gpg
----------------------------
pub   2048D/FDC7A25E 2017-09-16
uid                  My-aptly (aptly key no passphrase) <my-aptly@example.com>

root@srv-aptly-1:~# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048D/FDC7A25E 2017-09-16
uid                  My-aptly (aptly key no passphrase) <my-aptly@example.com>

root@srv-aptly-1:~# apt-key list|grep -A 1 FDC7A25E
pub   2048D/FDC7A25E 2017-09-16
uid                  My-aptly (aptly key no passphrase) <my-aptly@example.com>

The new server:

root@srv-aptly-2:~# gpg --no-default-keyring --keyring trustedkeys.gpg --list-keys
root@srv-aptly-2:~# 
root@srv-aptly-2:~# gpg --list-keys
root@srv-aptly-2:~#
root@srv-aptly-2:~# apt-key list|grep -A 1 FDC7A25E
pub   2048D/FDC7A25E 2017-09-16
uid                  My-aptly (aptly key no passphrase) <my-aptly@example.com>

As you can see, the key is missing from the new server's GPG keyrings but is present in the apt keyring. You must import it with the GPG tool: the apt-key keyring is used only by the apt package system, not by aptly, which verifies Release signatures with gpgv against the more generic GPG keyring trustedkeys.gpg. Yes, if you want to use your repository with apt, this key must be imported with apt-key, but that is not enough for your mirroring aptly server.

Here is how to do it:
Export the public GPG key from your old server (the cat command shows the content of the file, i.e. what an exported, armored GPG public key looks like):

root@srv-aptly-1:~# gpg --no-default-keyring --keyring trustedkeys.gpg --export --armor FDC7A25E > pub-FDC7A25E.key
root@srv-aptly-1:~# cat pub-FDC7A25E.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=PX7K
-----END PGP PUBLIC KEY BLOCK-----

Copy the file generated on the old server to the new server and import it there, first into trustedkeys.gpg and then into the default keyring:

root@srv-aptly-2:~# cat ./pub-FDC7A25E.key| gpg --no-default-keyring --keyring trustedkeys.gpg --import
gpg: key FDC7A25E: public key "My-aptly (aptly key no passphrase) <my-aptly@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@srv-aptly-2:~# gpg --import ./pub-FDC7A25E.key 
gpg: key FDC7A25E: public key "My-aptly (aptly key no passphrase) <my-aptly@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
root@srv-aptly-2:~# apt-key list|grep -A 1 FDC7A25E
pub   2048D/FDC7A25E 2017-09-16
uid                  My-aptly (aptly key no passphrase) <my-aptly@example.com>

The key FDC7A25E is successfully imported and you may proceed in mirroring your server with aptly.
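The whole procedure above, as an added example that is not code from the original post: two throw-away GNUPGHOME directories stand in for the old server (srv-aptly-1) and the new server (srv-aptly-2). The old server generates a no-passphrase signing key, signs a Release file and exports the public key; the new server first fails gpgv verification against an empty trustedkeys.gpg, imports the exported key, checks that the fingerprint matches the old server's key, and verifies successfully. It assumes gpg 2.1+ and gpgv are installed; the key, the user ID and the Release file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces the
# "public key not found" failure and the trustedkeys.gpg fix offline.
# Assumptions: gpg 2.1+ and gpgv are installed; two throw-away
# GNUPGHOME directories stand in for srv-aptly-1 (old) and srv-aptly-2
# (new); the key, user ID and Release file are constructed for the demo.

# Fingerprint of the first public key visible to gpg ("fpr" record, field 10).
first_fpr() {   # $1 = GNUPGHOME, remaining args = extra gpg options (keyring selection)
    home=$1; shift
    GNUPGHOME="$home" gpg --batch "$@" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify Release.gpg against Release with gpgv, as aptly does; prints ok or fail.
verify_release() {   # $1 = GNUPGHOME, $2 = keyring file, $3 = directory holding Release
    if GNUPGHOME="$1" gpgv --keyring "$2" "$3/Release.gpg" "$3/Release" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Prints "before:<ok|fail> after:<ok|fail> fpr:<match|mismatch>",
# or "skipped: ..." on hosts without a usable gpg.
demo_trustedkeys_roundtrip() {
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
        echo "skipped: gpg/gpgv not installed"
        return 0
    fi
    old=$(mktemp -d /tmp/aptly1.XXXXXX)   # GNUPGHOME of the old server
    new=$(mktemp -d /tmp/aptly2.XXXXXX)   # GNUPGHOME of the new server
    work=$(mktemp -d /tmp/rel.XXXXXX)     # the "repository": Release + Release.gpg
    tk="$new/trustedkeys.gpg"             # the keyring gpgv/aptly checks on the new server

    # Old server: a signing key without passphrase, like the post's key.
    if ! GNUPGHOME="$old" gpg --batch --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: My-aptly
Name-Email: my-aptly@example.com
Expire-Date: 0
%commit
EOF
    then
        rm -rf "$old" "$new" "$work"
        echo "skipped: gpg key generation failed (no gpg-agent?)"
        return 0
    fi

    # Old server signs the (constructed) Release file: Release.gpg is an armored detached signature.
    printf 'Origin: My-aptly\nCodename: xenial-myrepo\nArchitectures: amd64\n' > "$work/Release"
    GNUPGHOME="$old" gpg --batch --yes --armor --detach-sign \
        -o "$work/Release.gpg" "$work/Release" >/dev/null 2>&1
    # Export the public key as the post does (gpg --export --armor > pub-<id>.key).
    GNUPGHOME="$old" gpg --batch --armor --export my-aptly@example.com > "$work/pub.key" 2>/dev/null
    old_fpr=$(first_fpr "$old")

    # New server, before the fix: trustedkeys.gpg does not exist, so gpgv cannot check the signature.
    before=$(verify_release "$new" "$tk" "$work")

    # The fix: import the exported key into trustedkeys.gpg on the new server.
    GNUPGHOME="$new" gpg --batch --no-default-keyring --keyring "$tk" \
        --import "$work/pub.key" >/dev/null 2>&1
    # Compare fingerprints before trusting the imported key for all mirrors.
    new_fpr=$(first_fpr "$new" --no-default-keyring --keyring "$tk")
    if [ -n "$old_fpr" ] && [ "$old_fpr" = "$new_fpr" ]; then fpr=match; else fpr=mismatch; fi

    after=$(verify_release "$new" "$tk" "$work")

    # Stop the agents the throw-away homes started, then clean up.
    for h in "$old" "$new"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$old" "$new" "$work"
    echo "before:$before after:$after fpr:$fpr"
}

demo_trustedkeys_roundtrip
```

The fingerprint comparison is the step worth keeping in a real migration: once a key sits in trustedkeys.gpg, every mirror whose Release file it signs is accepted, so confirm with gpg --fingerprint on both servers that you imported the key you meant to.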

And now if you execute your mirror command the signature is recognized:

root@srv:~# aptly --config="/etc/aptly/.aptly.conf" mirror create -architectures=amd64 salt http://aptly-srv1.example.com/ubuntu xenial-myrepo main
Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/InRelease...
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Good signature from "My-aptly (aptly key no passphrase) <my-aptly@example.com>"

Mirror [main]: http://aptly-srv1.example.com/ubuntu/ xenial-myrepo successfully added.
You can run 'aptly mirror update main' to download repository contents.

The whole output of the error:

root@srv:~# aptly --config="/etc/aptly/.aptly.conf" mirror create -architectures=amd64,i386,source salt http://aptly-srv1.example.com/ubuntu xenial-myrepo main

Looks like your keyring with trusted keys is empty. You might consider importing some keys.
If you're running Debian or Ubuntu, it's a good idea to import current archive keys by running:

  gpg --no-default-keyring --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import

(for Ubuntu, use /usr/share/keyrings/ubuntu-archive-keyring.gpg)

Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/InRelease...
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Can't check signature: public key not found

Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 181482CCFDC7A25E

Sometimes keys are stored in repository root in file named Release.key, to import such key:

wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import

Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/Release...
Downloading http://aptly-srv1.example.com/ubuntu/dists/xenial-myrepo/Release.gpg...
gpgv: Signature made Fri 22 Apr 2019 17:35:04 AM UTC using DSA key ID FDC7A25E
gpgv: Can't check signature: public key not found

Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 181482CCFDC7A25E

Sometimes keys are stored in repository root in file named Release.key, to import such key:

wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import

ERROR: unable to fetch mirror: verification of detached signature failed: exit status 2

NOTE

Just to note: all the examples here are run as the root user, so the GPG keys live in root's home. You may use a different user for the aptly process; then you must ensure the GPG keys are present for that user. The files and directories are the same, only the home directory differs: the home directory of the aptly user, i.e. "/[my-aptly-home-directory]/.gnupg/trustedkeys.gpg" for the trusted keyring and "/[my-aptly-home-directory]/.gnupg/" for all other GPG files. If you prefer to keep the keyring elsewhere, aptly mirror create and aptly mirror update also accept a -keyring option pointing at the keyring file to verify against.
