GPG Key Error

Linux

Severity: Moderate

What Does This Error Mean?

GPG key errors appear when your Linux package manager cannot verify that downloaded packages came from a trusted source. You see messages like 'NO_PUBKEY [key-id]' or 'The following signatures couldn't be verified because the public key is not available.' This is a security check — you need to import the correct GPG key for the repository to fix it.

Affected Models

  • Ubuntu
  • Debian
  • Linux Mint
  • Raspberry Pi OS
  • Pop!_OS
  • Kali Linux

Common Causes

  • A repository's GPG key was not added when the repository was configured
  • The GPG key has expired and the repository owner has published a new one
  • You added a third-party repository but forgot to import its signing key
  • The system's keyring is corrupted or missing entries
  • A PPA (Personal Package Archive) was added from a different distribution version and its key does not match

How to Fix It

  1. Read the exact key ID from the error message. The error shows a key ID like NO_PUBKEY B05498B7AB58B797 — copy this ID carefully. You will need it in the next step.

    The key ID is the long hex string in the error message. Every GPG key has a unique ID.

  2. Import the missing key. Run: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [KEY-ID] (replace [KEY-ID] with the actual key from the error message).

    On newer Ubuntu and Debian versions, apt-key is deprecated. The modern alternative is: sudo gpg --keyserver keyserver.ubuntu.com --recv-keys [KEY-ID] && sudo gpg --export [KEY-ID] | sudo tee /etc/apt/trusted.gpg.d/key.gpg > /dev/null

  3. Download the key directly from the repository. Many repositories have instructions for adding their key. For example: curl -fsSL https://example.com/gpg.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/example.gpg

    This is the recommended modern method. It downloads the key directly from the source and stores it in the new per-repository keyring location.

  4. Update the package list after fixing the key. Run: sudo apt update to confirm the error is gone and the repository is now trusted.

    If apt update completes without GPG errors, the key was successfully imported.

  5. Remove a repository if the key cannot be fixed. If you cannot find the correct key and the repository is not essential, remove it: sudo add-apt-repository --remove [repository-url] then: sudo apt update

    Keeping a repository you cannot verify is a minor security risk. It is better to remove it than to bypass the GPG check.
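
Before installing a key fetched in step 2 or 3, it is worth confirming that the file really contains the key apt asked for and that the key has not expired. The helpers below are an added example, not part of the original page: the function names missing_key_ids and keyfile_covers_id are hypothetical, the sample apt output and key listing are constructed, and the check assumes a v4 OpenPGP key, where the 16-character key ID is the tail of the 40-character fingerprint.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# Print each distinct key ID apt reports as missing (NO_PUBKEY) or
# expired (EXPKEYSIG). Reads apt's output on stdin.
missing_key_ids() {
    grep -oE '(NO_PUBKEY|EXPKEYSIG) [0-9A-Fa-f]{16}' |
        awk '{ print toupper($2) }' | sort -u
}

# Read `gpg --show-keys --with-colons` output on stdin.
# $1 = key ID from the apt error, $2 = "now" in epoch seconds (optional).
# Exit 0: a primary key or subkey fingerprint ends in that ID and is unexpired.
# Exit 1: no such key in the file. Exit 2: the matching key has expired.
keyfile_covers_id() {
    awk -F: -v want="$(printf %s "$1" | tr a-f A-F)" \
            -v now="${2:-$(date +%s)}" '
        $1 == "pub" || $1 == "sub" { expires = $7 }   # field 7: expiry, may be empty
        $1 == "fpr" && substr($10, length($10) - 15) == want {
            found = 1
            if (expires != "" && expires + 0 <= now + 0) expired = 1
        }
        END { if (!found) exit 1; if (expired) exit 2 }
    '
}

# Constructed apt output: the same missing key is reported twice.
SAMPLE_APT_OUTPUT="Err:3 https://example.com/apt stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B05498B7AB58B797
W: GPG error: https://example.com/apt stable InRelease: NO_PUBKEY B05498B7AB58B797"

# Constructed colon listing: one primary key that expires at 1600000000.
SAMPLE_KEY_LISTING="pub:-:4096:1:B05498B7AB58B797:1500000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::00112233445566778899AABBB05498B7AB58B797:
uid:-::::1500000000::::Example Repo (constructed) <repo@example.com>::::::::::0:"

# Real use (needs network access, so shown as comments):
#   sudo apt update 2>&1 | missing_key_ids
#   curl -fsSL https://example.com/gpg.key -o /tmp/example.key
#   gpg --show-keys --with-colons /tmp/example.key | keyfile_covers_id B05498B7AB58B797

# Demonstration on the constructed samples, with "now" pinned before the expiry.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | missing_key_ids
printf '%s\n' "$SAMPLE_KEY_LISTING" | keyfile_covers_id B05498B7AB58B797 1550000000 &&
    echo "key file covers the requested ID and is not expired"
```

A matching key ID only shows that the file holds the key apt named. Compare the full fingerprint with the one the repository publishes before installing the key.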

When to Call a Professional

GPG key errors are fixable by any Linux user. Never use --allow-unauthenticated to bypass GPG verification permanently — this defeats the security system. If you are unsure about a repository's legitimacy, do not add it.

Frequently Asked Questions

What is a GPG key and why does Linux use them for packages?

GPG (GNU Privacy Guard) keys are used to digitally sign packages. When a developer creates a package, they sign it with their private key. Your system checks the signature using the developer's public key before installing. This ensures the package came from the expected developer and was not tampered with.

Is it safe to use apt-get --allow-unauthenticated?

No — using --allow-unauthenticated bypasses the security check that GPG keys provide. An attacker who can modify your network traffic could inject malicious packages. Only use this flag as a temporary measure while you find and import the correct key. Never add it to a script or configuration permanently.

Why did a repository that worked before suddenly show a GPG error?

GPG keys expire, and repository maintainers occasionally rotate their keys. When a key expires or changes, you need to import the new one. Usually the repository's website or documentation has instructions for updating the key. The Ubuntu and Debian package managers will sometimes suggest the exact command needed.