🟠 High   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: Debian 9

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

`apt update` fails with NO_PUBKEY or unsigned repository errors.

Environment & Reproduction

Common after adding third-party repositories manually.

sudo apt update
grep -RIn '^deb' /etc/apt/sources.list /etc/apt/sources.list.d

Root Cause Analysis

Repository signing keys are missing, expired, or not referenced via signed-by.

Quick Triage

Identify failing repo and missing key IDs.

sudo apt update 2>&1 | tee /tmp/apt-signature.log
grep -E 'NO_PUBKEY|EXPKEYSIG|The following signatures' /tmp/apt-signature.log

Step-by-Step Diagnosis

Audit source files for signed-by and legacy keyring usage.

grep -RIn 'signed-by' /etc/apt/sources.list.d /etc/apt/sources.list
ls -l /usr/share/keyrings
apt-key list 2>/dev/null || true
Illustrative mockup for debian-9 β€” terminal_or_shell
Identifying unsigned or missing-key repositories β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Install correct keyring and update source entry to use signed-by.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo install -d -m 0755 /usr/share/keyrings
curl -fsSL https://example.repo/key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/example.gpg
echo 'deb [signed-by=/usr/share/keyrings/example.gpg] https://example.repo/debian stable main' | sudo tee /etc/apt/sources.list.d/example.list
sudo apt update
Illustrative mockup for debian-9 β€” log_or_config
Installing correct keyrings and source entries β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Temporarily disable problematic repository until key is verified.

sudo sed -i 's/^deb/#deb/' /etc/apt/sources.list.d/example.list
sudo apt update

Verification & Acceptance Criteria

`apt update` completes without signature-related errors.

sudo apt update
sudo apt-cache policy | head -n 120

Rollback Plan

Remove newly added keyring and source file if trust cannot be established.

sudo rm -f /usr/share/keyrings/example.gpg
sudo rm -f /etc/apt/sources.list.d/example.list
sudo apt update

Prevention & Hardening

Use repository-specific keyrings and avoid deprecated global key imports.

grep -RIn '^deb ' /etc/apt/sources.list.d
ls -l /usr/share/keyrings

Often paired with TLS handshake failures or proxy MITM certificate issues.

Related tutorial: View the step-by-step tutorial for Debian 9.

View all Debian 9 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Debian apt-secure and repository signing-key guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.