🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: Ubuntu 26.04 LTS

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

apt update fails with NO_PUBKEY, blocking package installation and security updates.

Environment & Reproduction

Occurs after adding a third-party repository without a valid signed-by keyring.

grep -R '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d -n
apt update

Root Cause Analysis

Repository metadata is signed by a key that is missing, expired, or stored in the wrong keyring path.

Quick Triage

Confirm apt source entries, keyring files, and current trust state.

apt-config dump | grep -i -E 'trusted|keyring'
ls -l /usr/share/keyrings
journalctl -u apt-daily.service -n 40 --no-pager

Step-by-Step Diagnosis

Identify the failing repository and check whether signed-by points to an existing keyring.

apt update 2>&1 | tee /tmp/apt-update.log
grep -i -E 'NO_PUBKEY|EXPKEYSIG|The following signatures' /tmp/apt-update.log
grep -R 'signed-by' /etc/apt/sources.list.d -n
Illustrative mockup for ubuntu-26-04-lts — apt_nopubkey_diagnosis
NO_PUBKEY errors during apt update — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Install the vendor key into /usr/share/keyrings and reference it with signed-by.

Still having issues? Our Managed IT Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo mkdir -p /usr/share/keyrings
curl -fsSL https://example.com/repo.gpg | sudo gpg --dearmor -o /usr/share/keyrings/example-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.com/apt stable main' | sudo tee /etc/apt/sources.list.d/example.list >/dev/null
sudo apt update
Illustrative mockup for ubuntu-26-04-lts — apt_nopubkey_fixed
Repository keyring corrected and apt update succeeds — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Disable the repository temporarily while validating vendor key distribution.

sudo sed -i 's|^deb |# deb |' /etc/apt/sources.list.d/example.list
sudo apt update

Verification & Acceptance Criteria

apt update completes without NO_PUBKEY, and package metadata is fully refreshed.

apt update
apt policy | sed -n '1,80p'

Rollback Plan

Remove the added source and keyring if repository trust cannot be confirmed.

sudo rm -f /etc/apt/sources.list.d/example.list
sudo rm -f /usr/share/keyrings/example-archive-keyring.gpg
sudo apt update

Prevention & Hardening

Use signed-by per source and track key expiry in configuration management.

Automate patch management and compliance across your fleet with our DevOps services.

apt-key list 2>/dev/null || true
grep -R 'signed-by' /etc/apt/sources.list.d -n

Often appears with EXPKEYSIG, repository InRelease signature failures, or TLS interception issues.

Related tutorial: View the step-by-step tutorial for Ubuntu 26.04 LTS.

View all Ubuntu 26.04 LTS tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Ubuntu apt-secure documentation and vendor repository signing guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.