Symptom & Impact
apt update fails with NO_PUBKEY and security updates are delayed.
Environment & Reproduction
Ubuntu 16.04 host with third-party sources in /etc/apt/sources.list.d.
Root Cause Analysis
Repository signing key is missing, expired, or mapped to the wrong trusted key location.
Quick Triage
Run apt update and capture the key ID shown after NO_PUBKEY in the output.
Step-by-Step Diagnosis
Review source entries and key material under /etc/apt/trusted.gpg.d and related key files.
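
The triage and diagnosis steps above as a script, added here as an example and not taken from the original page: it extracts the failure code, key ID and repository from apt update output (including the related EXPKEYSIG and BADSIG cases) and lists which trusted keyring files already hold a given key. The function names, sample repositories and key IDs are constructed for illustration, and the keyring check assumes gpg is installed.

```sh
#!/bin/sh
# Added example: summarise apt signature failures from captured `apt update` output.

# Read apt output on stdin; print one "CODE KEYID REPOSITORY" line per failure.
# CODE is NO_PUBKEY, EXPKEYSIG or BADSIG; KEYID is the key ID apt reports.
apt_gpg_failures() {
    awk '
    /GPG error:/ {
        # Repository = text between "GPG error: " and the Release file name.
        src = $0
        sub(/^.*GPG error: /, "", src)
        sub(/ (In)?Release(\.gpg)?:.*$/, "", src)
        for (i = 1; i < NF; i++)
            if ($i ~ /^(NO_PUBKEY|EXPKEYSIG|BADSIG)$/ && $(i + 1) ~ /^[0-9A-Fa-f]+$/)
                print $i, toupper($(i + 1)), src
    }' | sort -u
}

# List the trusted keyring files that already contain KEYID ($1).
# Assumes gpg is installed and binary keyrings in the default apt locations.
keyrings_with_key() {
    for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
        [ -r "$f" ] || continue
        gpg --no-default-keyring --keyring "$f" --list-keys "$1" \
            >/dev/null 2>&1 && echo "$f"
    done
    return 0
}

# Constructed sample output (hypothetical repositories and key IDs).
sample_apt_output() {
    cat <<'EOF'
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Err:2 https://repo.example.com/apt xenial InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: https://repo.example.com/apt xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
W: GPG error: https://pkg.example.net/deb stable Release: The following signatures were invalid: EXPKEYSIG FEDCBA9876543210 Example Signing Key <repo@example.net>
EOF
}

# On a real host: sudo env LC_ALL=C apt-get update 2>&1 | apt_gpg_failures
sample_apt_output | apt_gpg_failures
```

An empty result from keyrings_with_key for a NO_PUBKEY key ID confirms the key is absent from the trusted locations; a hit for an EXPKEYSIG key ID points at the file holding the expired key.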

Solution – Primary Fix
Import the correct vendor key, update repo trust settings, and rerun apt update.

Solution – Alternative Approaches
Disable the broken third-party repository until a valid signed source is available.
Verification & Acceptance Criteria
apt update completes without GPG errors and package lists refresh normally.
Rollback Plan
Remove newly added keys and restore previous repository configuration.
Prevention & Hardening
Use per-repository key management and monitor key expiry proactively.
Related Errors & Cross-Refs
EXPKEYSIG and BADSIG messages are related trust-chain failures.
References & Further Reading
Ubuntu apt-secure and repository signing guidance.