Fix: HashiCorp Apt Repo GPG Key Error on Ubuntu Bionic

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

You're encountering a "NO_PUBKEY" error when trying to install or update HashiCorp packages, right? This means your system doesn't recognize the digital signature on the package, indicating a potential security risk. Don't worry, this is usually a simple fix related to HashiCorp's routine key rotation. Here's a step-by-step guide to resolve this:

The issue arises from a mismatch between your system's GPG key database and the HashiCorp repository's signing keys. This typically happens after HashiCorp rotates their signing keys for security. To resolve this:

1. Identify the problematic key: The error message will usually indicate the missing key ID (e.g., NO_PUBKEY AA16FCBCA621E701).
2. Download the new key: Visit the HashiCorp website or their repository's documentation to find the most up-to-date GPG key fingerprint.
3. Add the key to your system: Use the wget command to download the key file (usually ending in .asc) and then use sudo apt-key add <key_file.asc> to add it to your system's trusted keys.
4. Update your package lists: Run sudo apt update to refresh your package lists and incorporate the changes.

If the issue persists, double-check that you've downloaded the correct key and that there are no typos in the commands. You can also try removing and re-adding the HashiCorp repository to ensure you have the latest configuration.

This guide provides a solution for resolving GPG key errors encountered when using HashiCorp repositories. The error message typically indicates a missing key on the system. To fix this, download the HashiCorp GPG key, add it to your system, and update your package lists. If the issue persists, try removing and re-adding the HashiCorp repository to your package manager's sources list. Remember to verify the GPG key fingerprint from official sources before adding it and adjust the commands based on your operating system.

Let's assume the error message you received is:

gpg: key AA16FCBCA621E701: The key is not certified with a trusted signature

This indicates that the key with ID AA16FCBCA621E701 is missing from your system. Here's how to fix it:

1. Download the new key:

wget -O hashicorp.asc https://www.hashicorp.com/static/gpg/hashicorp.asc 
# Replace the URL with the actual key file location from HashiCorp's documentation

2. Add the key to your system:

sudo apt-key add hashicorp.asc

3. Update your package lists:

sudo apt update

4. (Optional) Remove and re-add the HashiCorp repository:

If the issue persists, you can try removing and re-adding the HashiCorp repository.

First, identify the repository line in your sources.list:

grep hashicorp /etc/apt/sources.list

Then, comment out the line by adding a # at the beginning. For example:

# deb [arch=amd64] https://releases.hashicorp.com focal main

Finally, update your package lists, uncomment the line, and update again:

sudo apt update
# Remove the # from the beginning of the HashiCorp repository line
sudo apt update

Important Notes:

• Always verify the GPG key fingerprint against the information provided on HashiCorp's official website or documentation before adding it to your system.
• Replace placeholders like <key_file.asc> and URLs with the actual values from your specific situation.
• This example uses apt, which is the package manager for Debian-based systems like Ubuntu. If you're using a different distribution, adjust the commands accordingly.

• Understanding the Problem: The "NO_PUBKEY" error arises because your system is trying to verify the authenticity of the HashiCorp package you're downloading using GPG (GNU Privacy Guard), a cryptographic tool. When HashiCorp rotates their signing keys, your system no longer recognizes the new signature, causing the error.
• Security Implications: GPG signatures are crucial for ensuring that the software you download is actually from HashiCorp and hasn't been tampered with. Never disable GPG verification to avoid the error, as this would leave your system vulnerable.
• Key Rotation Frequency: HashiCorp, like many security-conscious organizations, periodically rotates their GPG keys. This is a standard security practice to mitigate risks associated with compromised keys.
• Finding the Correct Key: Always obtain the GPG key fingerprint and download the key file from HashiCorp's official sources. Relying on third-party websites or forums for this information could compromise your security.
• Troubleshooting:
  • Firewall/Proxy Issues: If you're behind a firewall or proxy, ensure that your system can connect to the HashiCorp repository and download the key file.
  • Key Server Issues: In rare cases, public key servers might experience downtime. If you suspect this, try again later or use a different key server.
  • Alternative to wget: If you don't have wget installed, you can use curl -O <key_file_url> to download the key file.
• Keeping Your System Updated: Regularly updating your system and packages, including running sudo apt update frequently, can help prevent these issues as it ensures you have the latest GPG keys.
• Additional Resources:
  • HashiCorp Documentation: Always refer to the official HashiCorp documentation for your specific product for the most up-to-date instructions and troubleshooting tips.
  • GPG Documentation: For a deeper understanding of GPG and key management, consult the official GPG documentation.

This document outlines the steps to resolve GPG key errors encountered when interacting with HashiCorp repositories. These errors typically occur due to a mismatch between your system's GPG key database and the HashiCorp repository's signing keys, often after HashiCorp rotates their keys for security.

Troubleshooting:

• Ensure you have downloaded the correct key and there are no typos in the commands.
• Try removing and re-adding the HashiCorp repository to ensure you have the latest configuration.

By following these steps, you can effectively resolve GPG key errors and ensure the integrity of the HashiCorp packages you install. Remember to prioritize security by always verifying GPG key fingerprints and obtaining software from trusted sources. If you encounter persistent issues, consult the official HashiCorp documentation or seek assistance from their support channels.

• GPG error: https://apt.releases.hashicorp.com bionic InRelease: The ... | Jan 27, 2023 ... Err:5 https://apt.releases.hashicorp.com bionic InRelease The following signatures couldn't be verified because the public key is not available: ...
• [Resolved] Debian Repo - Apt Update Fails, New GPG Keys ... | Update: Mostly resolved. Main security page lists both updated and rotated key fingerprints, PRs in place to update remaining docs. Just pull the new keys, as per the regular installation docs for your specific tool. I was running my apt update this morning (as one does on Mondays) and got a complete failure due to the the Debian GPG signing key rotation for Hashicorp. When I pulled the latest key from Hashicorp servers, I could not find any reference to the fingerprint in the docs. Here is...
• ubuntu - NO_PUBKEY for apt.releases.hashicorp.com in apt - Stack ... | Feb 6, 2023 ... ... following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701. How can I fix this? ubuntu ...
• Bad signature for https://apt.releases.hashicorp.com/dists/focal ... | I’m trying to mirror the hashicorp apt repository with debmirror, but I get the following error: [GNUPG:] BADSIG DA418C88A3219F7B HashiCorp Security (HashiCorp Package Signing) security+packaging@hashicorp.com [GNUPG:] VERIFICATION_COMPLIANCE_MODE 23 gpgv: Signature made Wed Jan 4 15:38:21 2023 UTC gpgv: using RSA key DA418C88A3219F7B gpgv: BAD signature from "HashiCorp Security (HashiCorp Package Signing) security+packaging@hashicorp.com" .temp/.tmp/dists/focal/InRelease si...
• root - When I run sudo apt-get update I get "An error occured during ... | Feb 3, 2023 ... GPG error: https://apt.releases.hashicorp.com focal InRelease ... verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701.
• The repository 'https://apt.releases.hashicorp.com focal Release ... | Hello, Trying to install vagrant on Ubuntu 20 following these instructions, but getting the error in title. Does Hashicorp no longer maintain a repo for Ubuntu 20 (focal)?
• apt - "GPG error: Release: The following signatures were invalid ... | May 4, 2012 ... This message is displaying because the gpg key for that repository is missing in your apt-key database. To import the key, open a terminal ...
• Fix apt-get update “the following signatures couldn't be verified ... | … W: GPG error: http://download.opensuse.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ...
• Keys are gone, how can I fix it? : r/pop_os | Posted by u/maioni - 7 votes and 1 comment