NO_PUBKEY error

dejanbatic

I installed Vivaldi last month on Ubuntu with no issues using this:

wget -qO- http://repo.vivaldi.com/stable/linux_signing_key.pub | sudo apt-key add -
sudo add-apt-repository "deb [arch=i386,amd64] http://repo.vivaldi.com/stable/deb/ stable main"

But now when I try it, I get this error after doing
apt-get update:

Ign:7 http://repo.vivaldi.com/stable/deb stable Release.gpg                                                                                
Reading package lists... Done                                                                                                              
W: GPG error: http://repo.vivaldi.com/stable/deb stable Release: The following signatures couldn't be verified because the public key is n
ot available: NO_PUBKEY 8D04CE49EFB20B23                                                                                                  
E: The repository 'http://repo.vivaldi.com/stable/deb stable Release' is not signed.                                                     
N: Updating from such a repository can't be done securely, and is therefore disabled by default.                                        
N: See apt-secure(8) manpage for repository creation and user configuration details.

Help please.

dejanbatic

@Gwen-Dragon
Thanks.

Then the updates has to be performed manually I guess?

LDighera

https://askubuntu.com/questions/20725/gpg-error-the-following-signatures-couldnt-be-verified-because-the-public-key

References: How do I fix the GPG error "NO_PUBKEY"?
Run the following in your terminal,

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3C962022012520A0
sudo apt-get update

You need to replace the key (3C962022...) with the one that is displayed in the error message in the terminal.

Christian.Rauch

I am getting the same error now:

W: GPG error: http://repo.vivaldi.com/stable/deb stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 793FEB8BB69735B2
E: The repository 'http://repo.vivaldi.com/stable/deb stable Release' is not signed.

I followed the Obtain official builds and check their signatures documentation to obtain the key manually from https://repo.vivaldi.com/stable/linux_signing_key.pub. Although I get a GOODSIG for the newest vivaldi-stable_3.5.2115.87-1_amd64.deb, importing the key does not solve my apt update key signing issue.

Purging and reinstalling via the deb package did not help.

Christian.Rauch

@Gwen-Dragon

$ apt-key list | grep -B4 vivaldi
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub   rsa4096 2018-01-05 [SC] [expired: 2020-01-25]
      68AE AE71 F9FA 1587 03C1  CBBC 8D04 CE49 EFB2 0B23
uid           [ expired] Vivaldi Package Composer KEY04 <[email protected]>

pub   rsa4096 2018-12-04 [SC] [expires: 2021-01-22]
      B44B 85E3 E1A6 386B FC79  D411 9658 E804 4A3A A3D6
uid           [ unknown] Vivaldi Package Composer KEY05 <[email protected]>

Importing the keys as per APT section in the manual installation instructions gives me:

gpg: key 4ABE1AC7557BEFF9: 1 signature not checked due to a missing key
gpg: key 4ABE1AC7557BEFF9: 1 signature not checked due to a missing key
gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key

Christian.Rauch

@Gwen-Dragon said in NO_PUBKEY error:

sudo apt-key del EFB20B23

Ah, I was already wondering if there is a way to remove these keys again.

I did

delete both keys and got for both gpg: keyblock resource '(null)': General error which does not sound good
gpg --import linux_signing_key.pub again, got response gpg: key 793FEB8BB69735B2: "Vivaldi Package Composer KEY06 <[email protected]>" not changed
apt update and received the same error: NO_PUBKEY 793FEB8BB69735B2

Not sure what is going on here. Previously I got a different NO_PUBKEY (8D04CE49EFB20B23). This time, the imported key matches the one that is apparently missing. I also delete and imported 793FEB8BB69735B2 again to no avail.

I tested this on another PC and VM and got no such errors. However, I encountered many APT key-signing issues during my Linux lifetime (but managed to fix them in some way).

I wish Vivaldi would publish a snap package like Opera does https://snapcraft.io/opera. I never had issues updating those. A browser that does not update is kind of awkward

Christian.Rauch

@Gwen-Dragon said in NO_PUBKEY error:

Why do you import the key for apt with gpg?

That's how the debs are verified in https://help.vivaldi.com/desktop/install-update/obtaining-official-builds/.

Importing the key via sudo apt-key add linux_signing_key.pub gives the same results.

becm

@Christian-Rauch assuming you use a up-to-date download of linux_signing_key.pub,

apt-key add linux_signing_key.pub

inserts a new key to /etc/apt/trusted.gpg and the error should be gone.
Vivaldi Package Composer KEY06 is required since 2021-01-07.

Regular gpg operates on the user keyring in ~/.gnupg, which is ignored by apt.

The 3 locations apt looks for repo signing keys:

/etc/apt/trusted.gpg (deprecated, still used by the Vivaldi/Chromium install/cron script)
files in /etc/apt/trusted.gpg.d folder (for distribution-owned keys)
keyring supplied via signed-by attribute for the respective repo entry in /etc/apt/sources.list.d/* file

Christian.Rauch

Thanks for all your efforts. I finally found the root cause and could solve the initial issue.

I think you are all curious now about how to solve it

Issue

I am affected by https://github.com/openSUSE/software-o-o/issues/842. My apt-key is simply not able to import any new keys since I used to have a key isv:ownCloud:desktop.asc.gpg.
This key does not exist anymore but my apt-key nevertheless reports:

gpg: invalid key resource URL '/tmp/apt-key-gpghome.1wErLiXK1B/isv:ownCloud:desktop.asc.gpg'
gpg: keyblock resource '(null)': General error

where 1wErLiXK1B is just a random hash. That file is generated on the fly and there is no way to delete it.

It is just that the new Vivaldi key from the update on the 7th Jan. was the first key that got imported in a long time and presented the issue. The same issue happens with the official Google Chrome deb package.

Solution

import the public Vivaldi key via gpg gpg --import linux_signing_key.pub
export GnuPG gpg --export [email protected] > vivaldi.gpg
move gpg key to apt keys: sudo mv vivaldi.gpg /etc/apt/trusted.gpg.d/
delete the gpg key again: gpg --delete-keys [email protected]

Now, apt-key list shows me:

/etc/apt/trusted.gpg.d/vivaldi.gpg
----------------------------------
pub   rsa4096 2019-11-12 [SC] [expires: 2022-01-30]
      790D 2E26 8F67 FE01 3B32  76D3 793F EB8B B697 35B2
uid           [ unknown] Vivaldi Package Composer KEY06 <[email protected]>
sub   rsa4096 2019-11-12 [E] [expires: 2022-01-30]

and I can finally use apt again to update Vivaldi.

Note that this only imports the key manually and does not solve the root apt-key add issue.

It would be great if Vivaldi could in future just provide the .gpg in the .deb package so that it does not have to be imported via a script. This would be more robust.

Christian.Rauch

@Gwen-Dragon Yes, the same issue appears with Google Chrome. Nevertheless, the key import would be more robust if the gpg would be provided in the deb package.

Vistaus

I have the same issue with apt on Deepin 20, based on Debian 10. So I think there's a bug in apt somewhere.

CtrlAltDel

@Gwen-Dragon said in NO_PUBKEY error:

It tried on Debian 10, Ubuntu 20, Mint 20, Debian Testing and did not get trouble with keys for apt. Really a weird issue with the apt on your one Linux PC.

I too have this very same issue while using Linux Mint 20.1. I've tried all of the solutions suggested on this page and it did not change the situation. About a month ago, I unsuccessfully tried other suggestions from another site.

Therefore, after many years of being a happy Vivaldi user, I have uninstalled it, much to my regret. I have several other .deb installed programs and only have this problem with Vivaldi.

While I understand no tears will be shed for losing a single user, it is nevertheless a great disappointment to me. Many people don't have time to figure out why a program doesn't work and I suppose I am now one of those. I tried to run down a few things listed on this page and it didn't help so, really, I'm just tired of trying to fix it myself.

I've tried the instructions listed here:

Fix

No matter what I do,it always ends up like this:

Goodbye, Vivaldi. I'll check back in from time to time and see if I am able to use you again.

Dancer18

@CtrlAltDel
Such individual issues happen with any apps or operating systems. There are unknown interferences causing nonfunctions.

Look at firefox forums, linux forums, windows forums. There always are some trouble issues few people experience.

To really find what is causing the failure isn't successful sometimes.

But don't blame Vivaldi for it. I'm running Vivaldi on 2 machines with Linux Mint 20.1 and on Windows 10 without any issues, except some cases with the calendar.

Vistaus

@Gwen-Dragon said in NO_PUBKEY error:

wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub | sudo apt-key add -

It might work fine still on Ubuntu LTS and Debian Stable, but it doesn't work anymore on newer Debian versions like Debian Unstable, however, because apt-key is deprecated and fails to work:

wget -qO- https://repo.vivaldi.com/archive/linux_signing_key.pub | sudo apt-key add -
Warning: 'apt-key' is deprecated and should not be used anymore!
Note: In your distribution this command is a no-op and can therefore be removed safely.
Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Vistaus

In fact, apt-key is so deprecated that it will be removed after Debian 11 and Ubuntu 22.04: https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
"What's more, "apt-key will last be available in Debian 11 and Ubuntu 22.04.""

becm

This should only become a major issue if @ruarí procrastinates until Ubuntu 22.09 :face_with_stuck-out_tongue_winking_eye:.
And for users of distros with an early/botched apt transition.

Apart from manual operations, this will also affect the cron script (still) shipped with Vivaldi.

As a "single package" type application, Vivaldi could (with different locations/names for stable/snapshot):

ship the keyfile with the package (and drop the cron script)
create/remove the sources.list.d file via postinstall/-remove scripts
use [signed-by=.../vivaldi-browser.gpg] in the generated sources.list.d file

as shown in @Gwen-Dragon's linked wiki entry.

The advantages/disadvantes in regard to update stability in my opinion are equivalent to the current approach.

becm

As intermediate solution the working alternative command for users is:

curl https://repo.vivaldi.com/stable/linux_signing_key.pub | gpg --dearmor > /etc/apt/trusted.gpg.d/vivaldi-browser.gpg

to place the key into a separate supported keystore (as also shown in the Debian Wiki entry linked by @Gwen-Dragon.

The ASCII import in the cron script can also be replaced by a simple copy of a prepared (binary) key file (as opposed to use [signed-by=…], for whatever reasons).

becm

@Gwen-Dragon the one-liner (one has to C&P anyway) containing the source URL is quite similar.

Not modifying a keyring reduces dependencies to very basic GnuPG components.

If @ruarí pushes keyfiles according to current best practices the dependency on GnuPG can also be removed for this workflow (no dearmor step required).

CtrlAltDel

@becm said in NO_PUBKEY error:

@Gwen-Dragon the one-liner (one has to C&P anyway) containing the source URL is quite similar.

Not modifying a keyring reduces dependencies to very basic GnuPG components.

If @ruarí pushes keyfiles according to current best practices the dependency on GnuPG can also be removed for this workflow (no dearmor step required).

This is all very interesting and, frankly, complicated for those that aren't deeply involved with the inner workings of Vivaldi.

Let's just say that I wish to install Vivaldi and have it work without displaying errors, and jamming up the Software Sources repositories manager GUI in Mint 20.1.

Should I just wait until some undetermined time in the future until maybe everything will work normally again? Should I go ahead and try another route to temporarily fix the issue?

If you were me and just wanted to use Vivaldi, what would you do? Can you provide precise instructions on what to do, if it isn't too much of a hassle?

Install by .deb file?
Run the curl command that you provided in previous post?
What exactly should I do and in what order should it be done in to get Vivaldi back and operating smoothly?
Can it be done?

I've tried all the suggestions this thread and the other thread on the board discussing it and nothing seems to work. What do I need to do?

becm

@CtrlAltDel if Mint actually deprecated/broke apt-key add prematurely, then for now the only workflow I see that could work is:

install via .deb file (adds repo, uses apt-key add to add key)
manually add the Vivaldi repo key as a separate entity in /etc/apt/trusted.gpg.d/ (curl … | gpg --dearmor > …)

The 2nd step will have to be repeated on Vivaldi maintainer key rotation (yearly).
Normally this is handled by a cron script (instead of on install time, but that's another story…), which now also fails due to using apt-key add.