Affected versions: Debian 12

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

apt update refuses repository metadata and prevents package retrieval from affected sources.

Environment & Reproduction

Common after adding third-party repositories without correct signed-by keyring configuration.

Root Cause Analysis

Repository signing key is missing, expired, or not referenced by the source list entry.

Quick Triage

Disable untrusted source entries temporarily and confirm Debian official repos continue to validate.

Step-by-Step Diagnosis

Review apt source files, keyrings under /usr/share/keyrings, and apt-secure output.

[Figure: APT output displaying NO_PUBKEY signature validation failures (illustrative mockup, terminal)]

Solution – Primary Fix

Install correct vendor key into a dedicated keyring and add signed-by to the relevant source stanza.

[Figure: Signed-by repository configuration for trusted keyring management (illustrative mockup, configuration)]

Solution – Alternative Approaches

Remove unused third-party repositories and rely on Debian package sources when possible.

Verification & Acceptance Criteria

apt update completes with no NO_PUBKEY, EXPKEYSIG, or unsigned repository warnings.

Rollback Plan

Restore prior source list and keyring files from backup if trust chain cannot be validated.

Prevention & Hardening

Track repository key expiration dates and enforce signed-by usage for each external source.
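
One way to check the signed-by requirement across a host, as an added example that is not from the original page: audit_signed_by lists every active entry in one-line .list files and deb822 .sources files that has no signed-by setting. The make_sample helper and its vendor names, hosts and keyring paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active APT source entries that lack signed-by.
audit_signed_by() {
    dir="${1:-/etc/apt}"
    # One-line style: "deb [opt=val ...] URI suite components"
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*deb(-src)?[ \t]/ {
                o = index($0, "["); c = index($0, "]")
                opts = (o && c > o) ? substr($0, o, c - o + 1) : ""
                if (opts !~ /signed-by=/) print file ":" NR ": no signed-by"
            }' "$f"
    done
    # deb822 style: stanzas separated by blank lines, field names case-insensitive
    for f in "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function report() {
                if (types && !key && on) print file ":" start ": no Signed-By"
                types = 0; key = 0; on = 1; start = 0
            }
            BEGIN { on = 1 }
            /^[ \t]*$/ { report(); next }
            /^#/ { next }
            { if (!start) start = NR; line = tolower($0) }
            line ~ /^types:/ { types = 1 }
            line ~ /^signed-by:/ { key = 1 }
            line ~ /^enabled:[ \t]*no/ { on = 0 }
            END { report() }' "$f"
    done
}

# Constructed sample tree (hypothetical vendors and keyring paths) for a dry run.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/sources.list.d"
    printf '%s\n' '# deb http://old.example.invalid stable main' \
        'deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-a.gpg] https://a.example.invalid/apt stable main' \
        'deb https://b.example.invalid/apt stable main' > "$d/sources.list.d/vendors.list"
    printf '%s\n' 'Types: deb' 'URIs: https://c.example.invalid/apt' 'Suites: stable' \
        'Components: main' 'Signed-By: /usr/share/keyrings/vendor-c.gpg' '' \
        'Types: deb' 'URIs: https://d.example.invalid/apt' 'Suites: stable' \
        'Components: main' > "$d/sources.list.d/vendors.sources"
    echo "$d"
}
```

Called with no argument it reads /etc/apt. Debian's own entries are reported too if they carry no signed-by option; the hardening advice above is aimed at external sources.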

Related Errors & Cross-Refs

NO_PUBKEY; EXPKEYSIG; repository is not signed; key is stored in legacy trusted.gpg.

References & Further Reading

apt-secure documentation, Debian repository guidelines, and vendor key rotation notices.
