🟑 Medium   ⏱ 5–30 min  Last verified: 19 May 2026

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

apt update reports NO_PUBKEY and refuses to trust repository metadata. Package updates stop, leaving security patches unapplied.

Environment & Reproduction

Seen after adding PPAs, rotating repository signing keys, or rebuilding old Ubuntu 16.04 images. Reproduce with stale trusted.gpg keyring entries.

Root Cause Analysis

APT cannot validate Release signatures because required public keys are missing or changed. Strict apt-secure checks block index acceptance.

Quick Triage

Capture key IDs from apt output and list current keys with apt-key list. Check which source file references the failing repository.

Step-by-Step Diagnosis

Map each NO_PUBKEY fingerprint to repository owner documentation. Validate TLS reachability and proxy behavior before importing any key material.

Illustrative mockup for ubuntu-16-04-lts β€” ubuntu1604-b01-p04-diagnosis
apt update fails with NO_PUBKEY warnings β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Import the correct signing key from the vendor-approved endpoint, then run sudo apt update again. Remove obsolete or compromised keys from trusted keyrings.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for ubuntu-16-04-lts β€” ubuntu1604-b01-p04-fix
missing key imported and repo trusted state restored β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use internally mirrored repositories with curated key management, or migrate to signed-by keyring files per source instead of global trust.

Verification & Acceptance Criteria

apt update completes without GPG signature warnings, and repository metadata is marked trusted. Target package installs normally.

Rollback Plan

Remove newly imported key and source entries if verification still fails. Restore prior keyring backup and revert source list changes.

Prevention & Hardening

Track key expiry dates, enforce signed-by usage, and audit trusted keys regularly. For Ubuntu 16.04 estates, lock approved repository sources in config management.

Related to InRelease verification failures, Release file changed notices, and HTTPS certificate chain issues.

Related tutorial: View the step-by-step tutorial for Ubuntu 16.04 LTS.

View all Ubuntu 16.04 LTS tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

apt-secure(8), Ubuntu repository signing guidance, and internal cryptographic trust policy docs.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.