Upstream apt repository "public key is not available: NO_PUBKEY"

Ujifman · August 22, 2025, 8:31am

Hello, I’ve got

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 2B803E92481EBD09

I suppose some keys changed, but not published.
I’m following exact instructions for using upstream repository

my dockerfile code

    RELEASE_VER="$(lsb_release -s -c)" \
    && wget --no-verbose "https://downloads.skewed.de/skewed-keyring/skewed-keyring_1.1_all_${RELEASE_VER}.deb" \
    && dpkg -i "skewed-keyring_1.1_all_${RELEASE_VER}.deb" \
    && rm -f "skewed-keyring_1.1_all_${RELEASE_VER}.deb" \
    && echo "deb [signed-by=/usr/share/keyrings/skewed-keyring.gpg] https://downloads.skewed.de/apt ${RELEASE_VER} main" > /etc/apt/sources.list.d/skewed.list \
    && apt-get update \

But on the apt-get update step I’ve got an error

Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease
Get:4 https://downloads.skewed.de/apt bookworm InRelease [7549 B]
Ign:4 https://downloads.skewed.de/apt bookworm InRelease
Fetched 7549 B in 11s (709 B/s)
Reading package lists... Done
W: GPG error: https://downloads.skewed.de/apt bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 2B803E92481EBD09

It was working for about a year before without problems.
My Dockerfile based on bookworm, python:3.11.11-bookworm

tiago · August 22, 2025, 11:55am

This has now been fixed.

Ujifman · August 28, 2025, 1:08pm

Today still not working

9.143 Get:4 https://downloads.skewed.de/apt bookworm InRelease [7549 B]
9.333 Err:4 https://downloads.skewed.de/apt bookworm InRelease
9.333   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 2B803E92481EBD09
9.343 Reading package lists...
10.35 W: GPG error: https://downloads.skewed.de/apt bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 2B803E92481EBD09
10.35 E: The repository 'https://downloads.skewed.de/apt bookworm InRelease' is not signed.

tiago · August 28, 2025, 2:00pm

Did you install the skewed-keyring package version 1.3 exactly as described in Installation instructions – graph-tool: Efficient network analysis with Python ?

If so, please provide the exact commands that are getting you the error, not just the error messages, since that’s useless to debug without the complete context.

TimSlechten · September 1, 2025, 8:19am

Looks like you need to update the keyring version in your dockerfile.

Igor Pronin:

 RELEASE_VER="$(lsb_release -s -c)" \
    && wget --no-verbose "https://downloads.skewed.de/skewed-keyring/skewed-keyring_1.1_all_${RELEASE_VER}.deb" \
    && dpkg -i "skewed-keyring_1.3_all_${RELEASE_VER}.deb" \
    && rm -f "skewed-keyring_1.3_all_${RELEASE_VER}.deb" \
    && echo "deb [signed-by=/usr/share/keyrings/skewed-keyring.gpg] https://downloads.skewed.de/apt ${RELEASE_VER} main" > /etc/apt/sources.list.d/skewed.list \
    && apt-get update \

TimSlechten · September 1, 2025, 10:07am

I’m also still having an issue since the last update. I’m not using the commands as described in the installation instructions though, and on top of I’m unfortunately still stuck with Debian Buster. Part of our dockerfile is the following:

    mv /tmp/graph_tool.list /etc/apt/sources.list.d/ && \
    apt-key adv --keyserver keyserver.ubuntu.com --recv-key <key-id> && \

The output of our last successful build:

  "#16 23.98 Executing: /tmp/apt-key-gpghome.6X8X0QXEjW/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-key 612DEFB798507F25",
        "#16 24.35 gpg: key 612DEFB798507F25: public key \"Tiago de Paula Peixoto <tiago@skewed.de>\" imported",
        "#16 24.36 gpg: Total number processed: 1",
        "#16 24.36 gpg:               imported: 1",
        "#16 25.90 Warning: apt-key output should not be parsed (stdout is not a terminal)",
        "#16 27.00 OK",
 ...
        "#16 27.25 Get:5 https://downloads.skewed.de/apt buster InRelease [7540 B]",
        "#16 27.38 Get:6 http://deb.dev.senso2.me buster-backports/main amd64 Packages [3492 B]",
        "#16 27.77 Get:7 https://downloads.skewed.de/apt buster/main amd64 Packages [28.1 kB]",
        "#16 27.81 Fetched 41.2 kB in 1s (54.3 kB/s)",

Recently this started failing:

        "#14 38.41 Err:5 https://downloads.skewed.de/apt buster InRelease",
        "#14 38.41   The following signatures were invalid: REVKEYSIG 7A80C8ED4FCCBE09 Tiago de Paula Peixoto <tiago@skewed.de>",
        "#14 38.41 Reading package lists...",
        "#14 39.07 W: GPG error: https://downloads.skewed.de/apt buster InRelease: The following signatures were invalid: REVKEYSIG 7A80C8ED4FCCBE09 Tiago de Paula Peixoto <tiago@skewed.de>",
        "#14 39.07 E: The repository 'https://downloads.skewed.de/apt buster InRelease' is not signed.",

So I updated the key ID, but now I still get the same error:

        "#17 17.32 Executing: /tmp/apt-key-gpghome.7NGt4ICS9T/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-key 7A80C8ED4FCCBE09",
        "#17 17.84 gpg: key 612DEFB798507F25: public key \"Tiago de Paula Peixoto <tiago@skewed.de>\" imported",
        "#17 17.84 gpg: Total number processed: 1",
        "#17 17.84 gpg:               imported: 1",
        "#17 18.66 Warning: apt-key output should not be parsed (stdout is not a terminal)",
        "#17 19.54 OK",
...
        "#17 19.81 Get:5 https://downloads.skewed.de/apt buster InRelease [7540 B]",
        "#17 20.24 Get:6 http://deb.dev.senso2.me buster-backports/main amd64 Packages [3492 B]",
        "#17 20.37 Err:5 https://downloads.skewed.de/apt buster InRelease",
        "#17 20.37   The following signatures were invalid: REVKEYSIG 7A80C8ED4FCCBE09 Tiago de Paula Peixoto <tiago@skewed.de>",
        "#17 20.37 Reading package lists...",
        "#17 20.81 W: GPG error: https://downloads.skewed.de/apt buster InRelease: The following signatures were invalid: REVKEYSIG 7A80C8ED4FCCBE09 Tiago de Paula Peixoto <tiago@skewed.de>",
        "#17 20.81 E: The repository 'https://downloads.skewed.de/apt buster InRelease' is not signed.",

The odd thing is that it still mentions the old key ID (612DEFB798507F25) being imported. Is this an issue with the key on the key server?

I would align the procedure in our Dockerfile with the installation instructions, but unfortunately there doesn’t appear to be a keyring file for Buster anymore. This is of course understandable, since Buster is EOL for a while now and even its apt repository has been archived by now.

tiago · September 1, 2025, 2:20pm

Indeed, since buster is archived, I can no longer easily build packages for it, as the default images are no longer available.

I have signed the buster Release file with the new key (it has the same ID, only some subkeys have been swapped), so the verification should now work.

But note that you will no longer get any graph-tool updates on buster!

TimSlechten · September 2, 2025, 8:49am

Using the installation instructions and sticking to keyring v1.1 I can now successfully install graph-tool again on Debian Buster.

Thanks again for the quick response!

But note that you will no longer get any graph-tool updates on buster!

Of course, I don’t expect updates for EOL platforms. We’re in the process of migrating to the latest Debian - way too late, admittedly.

Ujifman · September 2, 2025, 3:19pm

Sorry, I didn’t rollback changes. I tried 1.1 version when there was a problem with repository, and forgot to rollback this changes. It work now, thank you