Fix: HashiCorp Apt Repo GPG Key Error on Ubuntu Bionic

By Filip on 10/08/2024

Fix the "GPG error: https://apt.releases.hashicorp.com bionic InRelease: The following signatures couldn't be verified because the public key is not available" error message and successfully install HashiCorp products on your Ubuntu system.

Introduction

You're encountering a "NO_PUBKEY" error when trying to install or update HashiCorp packages, right? This means apt does not have the public key it needs to verify the signature on the repository's metadata, so it cannot confirm that the repository's contents really come from HashiCorp. Don't worry, this is usually a simple fix related to HashiCorp's routine key rotation. Here's a step-by-step guide to resolve this:

Step-by-Step Guide

The issue arises from a mismatch between your system's GPG key database and the HashiCorp repository's signing keys. This typically happens after HashiCorp rotates their signing keys for security. To resolve this:

  1. Identify the problematic key: The error message will usually indicate the missing key ID (e.g., NO_PUBKEY AA16FCBCA621E701).
  2. Download the new key: Visit the HashiCorp website or their repository's documentation to find the most up-to-date GPG key fingerprint.
  3. Add the key to your system: Use the wget command to download the key file (usually ending in .asc) and then use sudo apt-key add <key_file.asc> to add it to your system's trusted keys.
  4. Update your package lists: Run sudo apt update to refresh your package lists and incorporate the changes.

If the issue persists, double-check that you've downloaded the correct key and that there are no typos in the commands. You can also try removing and re-adding the HashiCorp repository to ensure you have the latest configuration.

Code Example

This guide provides a solution for resolving GPG key errors encountered when using HashiCorp repositories. The error message typically indicates a missing key on the system. To fix this, download the HashiCorp GPG key, add it to your system, and update your package lists. If the issue persists, try removing and re-adding the HashiCorp repository to your package manager's sources list. Remember to verify the GPG key fingerprint from official sources before adding it and adjust the commands based on your operating system.

Let's assume the error message you received is:

gpg: key AA16FCBCA621E701: The key is not certified with a trusted signature

This indicates that the key with ID AA16FCBCA621E701 is missing from your system. Here's how to fix it:

1. Download the new key:

wget -O hashicorp.asc https://www.hashicorp.com/static/gpg/hashicorp.asc 
# Replace the URL with the actual key file location from HashiCorp's documentation

2. Add the key to your system:

sudo apt-key add hashicorp.asc

3. Update your package lists:

sudo apt update

4. (Optional) Remove and re-add the HashiCorp repository:

If the issue persists, you can try removing and re-adding the HashiCorp repository.

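First, identify the repository line in your apt sources. It may be in /etc/apt/sources.list or in a file under /etc/apt/sources.list.d/:

grep -r hashicorp /etc/apt/sources.list /etc/apt/sources.list.d/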

Then, comment out the line by adding a # at the beginning. For example:

# deb [arch=amd64] https://apt.releases.hashicorp.com bionic main

Finally, update your package lists, uncomment the line, and update again:

sudo apt update
# Remove the # from the beginning of the HashiCorp repository line
sudo apt update

Important Notes:

  • Always verify the GPG key fingerprint against the information provided on HashiCorp's official website or documentation before adding it to your system.
  • Replace placeholders like <key_file.asc> and URLs with the actual values from your specific situation.
  • This example uses apt, which is the package manager for Debian-based systems like Ubuntu. If you're using a different distribution, adjust the commands accordingly.
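
The fingerprint check that the first note above calls for, written out as an added shell example (not from the original article or from HashiCorp). It assumes GnuPG and awk are installed; the function names and EXPECTED_FPR are hypothetical, and the sample key data is constructed.

```shell
#!/bin/sh
# Added example: check a downloaded key file before running `apt-key add`.
# Sample data below is constructed; the zero-padded value is not a real fingerprint.
SAMPLE_APT_ERR="W: GPG error: https://apt.releases.hashicorp.com bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701"
SAMPLE_COLONS='pub:-:4096:1:AA16FCBCA621E701:1:::-:::scSC:
fpr:::::::::000000000000000000000000AA16FCBCA621E701:
uid:-::::1::X::Constructed Example Key:
sub:-:4096:1:1111111111111111:1::::::s:
fpr:::::::::1111111111111111111111111111111111111111:'

# Key IDs that apt reported as missing (apt output on stdin).
missing_key_ids() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "NO_PUBKEY") print $(i + 1) }' | sort -u
}

# Strip spaces/colons and uppercase, so a fingerprint copied from a web page compares cleanly.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Turn `gpg --with-colons` output (stdin) into "pub <FPR>" / "sub <FPR>" lines.
list_fprs() {
  awk -F: '$1 == "pub" || $1 == "sub" { kind = $1 }
           $1 == "fpr" && kind != "" { print kind, $10; kind = "" }'
}

# key_is_expected <expected_primary_fpr> <missing_key_id>  (list_fprs output on stdin)
# Succeeds only if the primary key has the published fingerprint AND some key in
# the file carries the ID apt asked for. Comparisons are forced to strings.
key_is_expected() {
  awk -v want="$(normalize_fpr "$1")" -v id="$(normalize_fpr "$2")" '
    $1 == "pub" && ($2 "") == (want "") { pub_ok = 1 }
    length(id) == 16 && substr($2, length($2) - 15) == id { id_ok = 1 }
    END { exit !(pub_ok && id_ok) }'
}

# verify_key_file <key_file> <expected_primary_fpr> <missing_key_id>
# Imports into a throwaway keyring so nothing is trusted until the check passes.
verify_key_file() {
  tmp=$(mktemp -d) || return 1
  if gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null &&
     gpg --homedir "$tmp" --batch --with-colons --fingerprint --fingerprint |
       list_fprs | key_is_expected "$2" "$3"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage (EXPECTED_FPR is a placeholder for the value in HashiCorp's documentation):
#   verify_key_file hashicorp.asc "$EXPECTED_FPR" AA16FCBCA621E701 && sudo apt-key add hashicorp.asc
```

The key ID in an apt error is only the last 16 hex digits of a fingerprint, so the check compares the full fingerprint as well as the ID.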

Additional Notes

  • Understanding the Problem: The "NO_PUBKEY" error arises because your system is trying to verify the authenticity of the HashiCorp package you're downloading using GPG (GNU Privacy Guard), a cryptographic tool. When HashiCorp rotates their signing keys, your system no longer recognizes the new signature, causing the error.
  • Security Implications: GPG signatures are crucial for ensuring that the software you download is actually from HashiCorp and hasn't been tampered with. Never disable GPG verification to avoid the error, as this would leave your system vulnerable.
  • Key Rotation Frequency: HashiCorp, like many security-conscious organizations, periodically rotates their GPG keys. This is a standard security practice to mitigate risks associated with compromised keys.
  • Finding the Correct Key: Always obtain the GPG key fingerprint and download the key file from HashiCorp's official sources. Relying on third-party websites or forums for this information could compromise your security.
  • Troubleshooting:
    • Firewall/Proxy Issues: If you're behind a firewall or proxy, ensure that your system can connect to the HashiCorp repository and download the key file.
    • Key Server Issues: In rare cases, public key servers might experience downtime. If you suspect this, try again later or use a different key server.
    • Alternative to wget: If you don't have wget installed, you can use curl -O <key_file_url> to download the key file.
  • Keeping Your System Updated: Regularly updating your system and packages, including running sudo apt update frequently, can help prevent these issues as it ensures you have the latest GPG keys.
  • Additional Resources:
    • HashiCorp Documentation: Always refer to the official HashiCorp documentation for your specific product for the most up-to-date instructions and troubleshooting tips.
    • GPG Documentation: For a deeper understanding of GPG and key management, consult the official GPG documentation.

Summary

This document outlines the steps to resolve GPG key errors encountered when interacting with HashiCorp repositories. These errors typically occur due to a mismatch between your system's GPG key database and the HashiCorp repository's signing keys, often after HashiCorp rotates their keys for security.

Step | Action | Details
1. Identify the Problematic Key | Examine the error message. | The error message will usually specify the missing key ID (e.g., NO_PUBKEY AA16FCBCA621E701).
2. Download the New Key | Obtain the updated key. | Visit the HashiCorp website or their repository's documentation to find the latest GPG key fingerprint.
3. Add the Key to Your System | Integrate the new key. | Use wget to download the key file (usually ending in .asc) and then use sudo apt-key add <key_file.asc> to add it to your system's trusted keys.
4. Update Your Package Lists | Refresh your package lists. | Run sudo apt update to incorporate the changes.

Troubleshooting:

  • Ensure you have downloaded the correct key and there are no typos in the commands.
  • Try removing and re-adding the HashiCorp repository to ensure you have the latest configuration.

Conclusion

By following these steps, you can effectively resolve GPG key errors and ensure the integrity of the HashiCorp packages you install. Remember to prioritize security by always verifying GPG key fingerprints and obtaining software from trusted sources. If you encounter persistent issues, consult the official HashiCorp documentation or seek assistance from their support channels.
