🟑 Medium   ⏱ 5–30 min  Last verified: 19 May 2026

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

apt update exits with NO_PUBKEY and repository signatures are rejected. Security updates stop, automation pipelines fail, and patch compliance reports become inaccurate for Ubuntu 22.04 systems.

Environment & Reproduction

Ubuntu 22.04 LTS host includes third-party repositories migrated from apt-key usage. Reproduce by running apt update after key expiration, key removal, or mirror metadata refresh.

Root Cause Analysis

Modern Ubuntu expects keyrings referenced by signed-by options. Legacy global trust via apt-key is deprecated, and missing or incorrect keyring files break apt-secure validation.

Quick Triage

Identify which repository failed and verify whether its key file exists under /usr/share/keyrings. Confirm source list syntax before importing any new key material.

Step-by-Step Diagnosis

Map the missing key ID to the failing repository, inspect source list entries, and verify the signed-by path points to a readable keyring file.

Illustrative mockup for ubuntu-22-04-lts β€” apt_nopubkey_error
apt update output showing missing repository signing key β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Create or refresh the repository keyring using gpg dearmor, update source entry with signed-by, then re-run apt update to confirm signature trust chain is valid.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for ubuntu-22-04-lts β€” signed_by_keyring_fix
Repository fixed using dedicated keyring and signed-by β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Remove unused third-party repositories, switch to official Ubuntu packages, or use vendor-provided deb package that installs repository and keyring in supported format.

Verification & Acceptance Criteria

apt update completes without NO_PUBKEY or EXPKEYSIG messages, all configured repositories are signed, and unattended-upgrades resumes normal operation.

Rollback Plan

If trust configuration causes unexpected package source changes, disable the new list file, restore previous list backup, and pin critical packages until review is complete.

Prevention & Hardening

Track key expiration dates, avoid apt-key usage, enforce repository allow-listing, and keep source definitions in configuration management with periodic compliance checks.

Closely related to Release file signature errors, Hash Sum mismatch after proxy caching, and broken list files from unsupported PPAs on jammy.

Related tutorial: View the step-by-step tutorial for Ubuntu 22.04 LTS.

View all Ubuntu 22.04 LTS tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

See apt-secure documentation, Ubuntu packaging best practices, and man pages for sources.list(5), apt-key(8) deprecation notes, and gpg(1).

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.