🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: Debian 13

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

apt update fails with NO_PUBKEY or signature verification errors.

Environment & Reproduction

Common after adding third-party repositories without proper key setup.

cat /etc/os-release
sudo apt update
ls /etc/apt/keyrings

Root Cause Analysis

Repository metadata cannot be trusted because key material is missing or mismatched.

Quick Triage

Identify the failing repo and missing key fingerprint.

sudo apt update 2>&1 | grep -E 'NO_PUBKEY|EXPKEYSIG|BADSIG'
grep -R '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d

Step-by-Step Diagnosis

Validate repository definitions and associated signed-by key files.

grep -R 'signed-by' /etc/apt/sources.list /etc/apt/sources.list.d
ls -l /etc/apt/keyrings
sudo gpg --show-keys /etc/apt/keyrings/*.gpg
Illustrative mockup for debian-13 β€” terminal_or_shell
Diagnostic output for package-management/repo-signing β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Install the correct vendor key in /etc/apt/keyrings and update source entry.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://example.vendor/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/vendor.gpg
sudo chmod 0644 /etc/apt/keyrings/vendor.gpg
sudo apt update
Illustrative mockup for debian-13 β€” log_or_console
Resolution output for package-management/repo-signing β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Disable untrusted repository until key management is corrected.

sudo sed -i 's/^deb/# deb/g' /etc/apt/sources.list.d/vendor.list
sudo apt update

Verification & Acceptance Criteria

apt update completes without signature warnings or failures.

sudo apt update
apt-cache policy

Rollback Plan

Restore previous source files and keyrings from backup.

sudo cp -a /root/apt-backup/* /etc/apt/
sudo apt update

Prevention & Hardening

Use per-repository signed-by keys and avoid deprecated apt-key usage.

man sources.list
man apt-secure

Related messages include repository is not signed and EXPKEYSIG.

Related tutorial: View the step-by-step tutorial for Debian 13.

View all Debian 13 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Debian apt-secure and signed-by documentation.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.