🟠 High   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: Ubuntu 26.04 LTS

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

apt update is blocked by signature verification errors and package metadata is unusable.

Environment & Reproduction

Occurs with expired keys, missing signed-by entries, or migrated keyring locations.

sudo apt update
grep -R '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d
ls /etc/apt/keyrings

Root Cause Analysis

Repository source points to a key that is missing, expired, or not referenced in source definition.

Quick Triage

Capture exact key fingerprint and source list file producing NO_PUBKEY.

sudo apt update 2>&1 | grep -i 'NO_PUBKEY|signature'
grep -R 'signed-by' /etc/apt/sources.list*

Step-by-Step Diagnosis

Verify keyring format and ownership and map it to repository entry.

file /etc/apt/keyrings/*.gpg
ls -l /etc/apt/keyrings
apt-cache policy
Illustrative mockup for ubuntu-26-04-lts — terminal_or_shell
Diagnostic output for package-management/repo-keys — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Install correct repository key into keyring and bind source with signed-by.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

curl -fsSL https://REPO/KEY.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/repo.gpg
sudo chmod 644 /etc/apt/keyrings/repo.gpg
sudoedit /etc/apt/sources.list.d/repo.list
sudo apt update
Illustrative mockup for ubuntu-26-04-lts — log_or_console
Resolution output for package-management/repo-keys — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Temporarily disable failing third-party repository if key trust cannot be established.

sudo sed -i 's/^deb/# deb/g' /etc/apt/sources.list.d/repo.list
sudo apt update

Verification & Acceptance Criteria

Accepted when apt update completes with no signature or key errors.

sudo apt update
apt policy | head -n 40

Rollback Plan

Restore prior repository file and keyring backup if package source compatibility breaks.

sudo cp -a /root/repo.list.bak /etc/apt/sources.list.d/repo.list
sudo cp -a /root/repo.gpg.bak /etc/apt/keyrings/repo.gpg
sudo apt update

Prevention & Hardening

Track key expiry dates and rotate keyrings before expiration windows.

gpg --show-keys /etc/apt/keyrings/repo.gpg
sudo apt update

Related messages include NO_PUBKEY, repository is not signed, and key is stored in legacy trusted.gpg keyring.

Related tutorial: View the step-by-step tutorial for Ubuntu 26.04 LTS.

View all Ubuntu 26.04 LTS tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

apt-secure documentation, Ubuntu keyring migration guidance, and vendor repository setup docs.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.