hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

GPG error : The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701 #32622

Open Rajamohan-rj opened 1 year ago

Rajamohan-rj commented 1 year ago

Terraform Version

Terraform v1.3.7

Machine details:

  Operating System: Ubuntu 20.04.5 LTS
            Kernel: Linux 5.14.0-1056-oem
      Architecture: x86-64

Terraform Configuration Files

NA

Debug Output

NA

Expected Behavior

Followed this official documentation - (https://www.hashicorp.com/official-packaging-guide)

Actual Behavior

Error is occurring on sudo apt update step

           W: GPG error: https://apt.releases.hashicorp.com focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
           E: The repository 'https://apt.releases.hashicorp.com focal InRelease' is not signed.
           N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Steps to Reproduce

Followed this official documentation - (https://www.hashicorp.com/official-packaging-guide)

Even fingerprint verification displayed the exact value as mentioned in the page.

    osuser123@xyz:~# gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

    /usr/share/keyrings/hashicorp-archive-keyring.gpg
    -------------------------------------------------
    pub   rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
    798A EC65 4E5C 1542 8C8E  42EE AA16 FCBC A621 E701

Added the hashicorp repo

     osuser123@xyz:~# cat /etc/apt/sources.list.d/hashicorp.list 
     deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com focal main

Error occurs

    osuser123@xyz:~# sudo apt update
    Get:1 https://apt.releases.hashicorp.com focal InRelease [17.1 kB]
    Err:1 https://apt.releases.hashicorp.com focal InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
    Reading package lists... Done
    W: GPG error: https://apt.releases.hashicorp.com focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
    E: The repository 'https://apt.releases.hashicorp.com focal InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

Additional Context

No response

References

crw commented 1 year ago

Thanks for the report!

cs224 commented 1 year ago

It seems this is related: https://discuss.hashicorp.com/t/resolved-debian-repo-apt-update-fails-new-gpg-keys/49218/2

pdkovacs commented 1 year ago

How can this be worked around?

I've tried the naive solution I could come up with:

$ sudo gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701

without success.

(The keyring coming from

$ cat /etc/apt/sources.list.d/hashicorp.list 
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main

)

andy108369 commented 1 year ago

Fix:

    # cat /etc/apt/sources.list.d/hashicorp.list
    deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main
    rm /usr/share/keyrings/hashicorp-archive-keyring.gpg
    curl https://apt.releases.hashicorp.com/gpg | gpg --dearmor > /usr/share/keyrings/hashicorp-archive-keyring.gpg

RayNawara commented 1 year ago

This didn't help me. Still the same error.

C4pt41nNRex commented 1 year ago

I think this could solve your problem :

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701

C4pt41nNRex commented 1 year ago

Then, remember to execute:

    sudo apt-get update

RayNawara commented 1 year ago

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701
    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    Executing: /tmp/apt-key-gpghome.ClG5PY66vM/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701
    gpg: key AA16FCBCA621E701: "HashiCorp Security (HashiCorp Package Signing) security+packaging@hashicorp.com" not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    (base) ray@Rays_5900x:~$ sudo apt-get update
    Get:1 https://apt.releases.hashicorp.com jammy InRelease [12.9 kB]
    Err:1 https://apt.releases.hashicorp.com jammy InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
    Hit:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
    Get:3 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
    Hit:4 https://dl.google.com/linux/chrome/deb stable InRelease
    Hit:5 https://packages.cloud.google.com/apt cloud-sdk InRelease
    Hit:6 https://deb.nodesource.com/node_16.x jammy InRelease
    Hit:7 https://packages.microsoft.com/repos/edge stable InRelease
    Hit:8 http://archive.ubuntu.com/ubuntu jammy InRelease
    Hit:9 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
    Hit:10 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
    Hit:11 https://ppa.launchpadcontent.net/redislabs/redis/ubuntu jammy InRelease
    Fetched 30.0 kB in 1s (38.4 kB/s)
    Reading package lists... Done
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.releases.hashicorp.com jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
    W: Failed to fetch https://apt.releases.hashicorp.com/dists/jammy/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
    W: Some index files failed to download. They have been ignored, or old ones used instead.

fesplugas commented 1 year ago

These are the changes I made to make my scripts work again:

    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null

RayNawara commented 1 year ago

Thanks big time! That fixed it. I've been struggling with this for a few months! :-)

mahadzar81 commented 1 year ago

works for me

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701

Olive-harobed commented 1 year ago

@fesplugas this worked for me, thanks a lot

dimaqq commented 1 year ago
> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701
Executing: /tmp/apt-key-gpghome.vwsHNbF8HS/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701
gpg: keyserver receive failed: Server indicated a failure

So... 🤷🏻

I've commented hashicorp out in /etc/apt/sources.list for now 🙃

abobakrahmed commented 1 year ago

Still showing this issue:

    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DA418C88A3219F7B

@fesplugas, after executing these commands:

    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null

alflanagan commented 1 year ago

Related message from Ubuntu 22.10 (kinetic):

E: The repository 'https://apt.releases.hashicorp.com $(lsb_release -cs) Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I've found a workaround by updating /etc/apt/sources.list.d/hashicorp.list to the following (must be all on one line, this comment gets wrapped):

deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg allow-insecure=yes] https://apt.releases.hashicorp.com "$(lsb_release -cs)" main

Note the documentation recommends against the allow-insecure=yes option. (See man apt-secure)

radistao commented 1 year ago

Use HashiCorp Official Packaging Guide

Download the signing key to a new keyring

wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg

Verify the key's fingerprint

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

The fingerprint must match 798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701, which can also be verified at https://www.hashicorp.com/security under "Linux Package Checksum Verification". Please note that there was a previous signing key used prior to January 23, 2023, which had the fingerprint E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B. Details about this change are available on the status page: https://status.hashicorp.com/incidents/fgkyvr1kwpdh, https://status.hashicorp.com/incidents/k8jphcczkdkn.

keisari-ch commented 1 year ago
root@server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

root@server:~# wget -q -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null

root@server:~# ls -l /usr/share/keyrings/hashicorp-archive-keyring.gpg
-rw------- 1 root root 2879 Mar 10 16:56 /usr/share/keyrings/hashicorp-archive-keyring.gpg

root@server:~# gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub   rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
      798A EC65 4E5C 1542 8C8E  42EE AA16 FCBC A621 E701
uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub   rsa4096 2023-01-10 [S] [expires: 2028-01-09]

root@server:~# echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main

root@server:~# apt update
Hit:1 http://azure.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
Hit:5 http://azure.archive.ubuntu.com/ubuntu jammy-security InRelease
Get:6 https://apt.releases.hashicorp.com jammy InRelease [12.9 kB]
Err:6 https://apt.releases.hashicorp.com jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
Reading package lists... Done
W: GPG error: https://apt.releases.hashicorp.com jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
E: The repository 'https://apt.releases.hashicorp.com jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

😟

EDIT :

chmod 644 /usr/share/keyrings/hashicorp-archive-keyring.gpg

All good now.
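
The `chmod 644` edit above points at the cause: the keyring was written as `-rw------- root root`, and apt verifies repository signatures as an unprivileged user (`_apt`), so the key was unreadable and apt reported NO_PUBKEY even though the fingerprint was correct. As an added example (not part of the thread or of HashiCorp's documentation), this script checks a `signed-by` keyring for both conditions; the function names and status words are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit an apt keyring referenced by signed-by=.
# Fingerprint quoted in the thread for the current HashiCorp signing key, spaces removed.
EXPECTED_FPR="798AEC654E5C15428C8E42EEAA16FCBCA621E701"

# Succeeds only if FILE is a regular file with the "other" read bit set,
# i.e. readable by an unprivileged account such as _apt.
others_can_read() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Reads `gpg --with-colons` output on stdin and prints the fingerprint of each
# primary key (the fpr record that follows a pub record); subkey fprs are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Prints one status word and returns 0 only for OK.
audit_keyring() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "MISSING"; return 1; }
    others_can_read "$file" || { echo "UNREADABLE_BY_APT"; return 1; }
    # Same listing command as in the thread, with machine-readable output.
    listing=$(gpg --no-default-keyring --keyring "$file" \
                  --fingerprint --with-colons 2>/dev/null) \
        || { echo "GPG_FAILED"; return 1; }
    printf '%s\n' "$listing" | primary_fprs | grep -qx "$expected" \
        || { echo "FINGERPRINT_MISMATCH"; return 1; }
    echo "OK"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    audit_keyring "${2:-/usr/share/keyrings/hashicorp-archive-keyring.gpg}" "$EXPECTED_FPR"
fi
```

Writing the keyring with `sudo tee` or `sudo gpg -o` under a restrictive root umask (for example 077) produces the `-rw-------` file shown in the listing above, so provisioning scripts should set the mode explicitly after the download.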

wasuaje commented 1 year ago

These are the changes I made to make my scripts work again:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null

This worked for me!

billyjsubs commented 1 year ago

These are the changes I made to make my scripts work again:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null

This worked for me!

SNAP!!!!

Mullinski commented 1 year ago

Use HashiCorp Official Packaging Guide

Download the signing key to a new keyring

wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg

Verify the key's fingerprint

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

The fingerprint must match 798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701, which can also be verified at https://www.hashicorp.com/security under "Linux Package Checksum Verification". Please note that there was a previous signing key used prior to January 23, 2023, which had the fingerprint E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B. Details about this change are available on the status page: https://status.hashicorp.com/incidents/fgkyvr1kwpdh, https://status.hashicorp.com/incidents/k8jphcczkdkn.

Total novice, this worked for me thanks!

mamunsyuhada commented 1 year ago

These are the changes I made to make my scripts work again:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null

worked for me

crw commented 1 year ago

Changing to a documentation type ticket, as it seems the https://github.com/hashicorp/terraform/issues/32622#issuecomment-1426699449 works more reliably than what we currently have documented (without comparing the two, my memory is that this matches the official packaging guide but not the "download terraform" page install instructions.)

XSmith-Vertex commented 1 year ago

This is still occurring. I did fix it with

Download the signing key to a new keyring

    wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg

Verify the key's fingerprint

    gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

Fix permissions

    sudo chmod 644 /usr/share/keyrings/hashicorp-archive-keyring.gpg

Or as a single line

    wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg; gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint ; sudo chmod 644 /usr/share/keyrings/hashicorp-archive-keyring.gpg

willzhang commented 1 year ago
root@server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

root@server:~# wget -q -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg >/dev/null

root@server:~# ls -l /usr/share/keyrings/hashicorp-archive-keyring.gpg
-rw------- 1 root root 2879 Mar 10 16:56 /usr/share/keyrings/hashicorp-archive-keyring.gpg

root@server:~# gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
/usr/share/keyrings/hashicorp-archive-keyring.gpg
-------------------------------------------------
pub   rsa4096 2023-01-10 [SC] [expires: 2028-01-09]
      798A EC65 4E5C 1542 8C8E  42EE AA16 FCBC A621 E701
uid           [ unknown] HashiCorp Security (HashiCorp Package Signing) <security+packaging@hashicorp.com>
sub   rsa4096 2023-01-10 [S] [expires: 2028-01-09]

root@server:~# echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main

root@server:~# apt update
Hit:1 http://azure.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:4 https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
Hit:5 http://azure.archive.ubuntu.com/ubuntu jammy-security InRelease
Get:6 https://apt.releases.hashicorp.com jammy InRelease [12.9 kB]
Err:6 https://apt.releases.hashicorp.com jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
Reading package lists... Done
W: GPG error: https://apt.releases.hashicorp.com jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
E: The repository 'https://apt.releases.hashicorp.com jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

😟

EDIT :

chmod 644 /usr/share/keyrings/hashicorp-archive-keyring.gpg

All good now.

This method saved me.

devmarrie commented 1 year ago

@XSmith-Vertex's method worked for me too. I replaced what the docs were sharing about generating the keyring with his single-line implementation. Then created the hashicorp.list file:

    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
    https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
    sudo tee /etc/apt/sources.list.d/hashicorp.list

Finally it worked.

SH2282000 commented 1 year ago

The only thing that really worked on Ubuntu 20.04 after following the official incomplete documentation:

chmod 644 /usr/share/keyrings/hashicorp-archive-keyring.gpg

All good now.

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint does not need to be executed with sudo privileges. If it is the case, the above command should save you.

jonatan2m commented 9 months ago

I run these steps and it worked for me!

belal655 commented 8 months ago

    $ sudo apt update
    [sudo] password for belal:
    Hit:1 https://linux.teamviewer.com/deb stable InRelease
    Get:3 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
    Get:2 http://kali.download/kali kali-rolling InRelease [41.5 kB]
    Get:4 http://kali.download/kali kali-rolling/main amd64 Packages [19.9 MB]
    Err:3 http://security.ubuntu.com/ubuntu focal-security InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3B4FE6ACC0B21F32 NO_PUBKEY 871920D1991BC93C
    Get:5 http://kali.download/kali kali-rolling/main i386 Packages [19.6 MB]
    Get:6 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [47.3 MB]
    Get:7 http://kali.download/kali kali-rolling/main i386 Contents (deb) [45.4 MB]
    Get:8 http://kali.download/kali kali-rolling/contrib i386 Packages [104 kB]
    Get:9 http://kali.download/kali kali-rolling/contrib amd64 Packages [121 kB]
    Reading package lists... Done
    W: GPG error: http://security.ubuntu.com/ubuntu focal-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3B4FE6ACC0B21F32 NO_PUBKEY 871920D1991BC93C
    E: The repository 'http://security.ubuntu.com/ubuntu focal-security InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

and what about this error?

crw commented 3 months ago

For the docs team: I think this needs to be reviewed with the team that maintains the Official Packaging Guide.

benhsmith commented 1 day ago

These are the changes I made to make my scripts work again:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null

This worked for me!

SNAP!!!!

It looks like the problem is that Ubuntu22 requires the arch field. The docs need to be updated to reflect this.

crw commented 1 day ago

It looks to me like the Official Packaging Guide has been updated since this issue was filed, but the download page still has not been corrected. Will try to find an owner for this.