ubuntu keys missing


Robert Jacobson

Apr 24, 2023, 8:16:31 AM
to aptly-discuss

I have been successfully using aptly for several months to do quarterly mirroring/patching; i.e. the last time I used aptly successfully was ~3 months ago.  On Friday when I tried to update my mirrors, I received an error regarding missing keys for the Ubuntu repos (NOT my local aptly GPG key).  I tried updating my keys but the gpg command says my keys are up-to-date ("No change").  

I'm running the latest aptly version (1.5.0) on focal.

  aptly@gs483-aptly:~$ aptly mirror update focal-updates
  Downloading http://us.archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease...
  gpgv: Signature made Fri 21 Apr 2023 01:25:32 PM UTC using RSA key ID C0B21F32
  gpgv: [don't know]: invalid packet (ctb=00)
  gpgv: keydb_search failed: invalid packet
  gpgv: Can't check signature: public key not found
  gpgv: Signature made Fri 21 Apr 2023 01:25:32 PM UTC using RSA key ID 991BC93C
  gpgv: [don't know]: invalid packet (ctb=00)
  gpgv: keydb_search failed: invalid packet
  gpgv: Can't check signature: public key not found
  Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:
  gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 3B4FE6ACC0B21F32 871920D1991BC93C
  Sometimes keys are stored in repository root in file named Release.key, to import such key:
  wget -O - https://some.repo/repository/Release.key | gpg --no-default-keyring --keyring trustedkeys.gpg --import
  [... similar errors omitted ... ]
  ERROR: unable to update: verification of detached signature failed: exit status 2
  aptly@gs483-aptly:~$ gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys 3B4FE6ACC0B21F32 871920D1991BC93C
  gpg: keyserver receive failed: Server indicated a failure
  aptly@gs483-aptly:~$ gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32 871920D1991BC93C
  gpg: key 871920D1991BC93C: "Ubuntu Archive Automatic Signing Key (2018) <ftpm...@ubuntu.com>" not changed
  gpg: key 3B4FE6ACC0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpm...@ubuntu.com>" not changed
  gpg: Total number processed: 2
  gpg: unchanged: 2

Chindo Kae

Jun 9, 2023, 3:47:42 PM
to aptly-discuss
The keys aren't missing.  You can use gpg to verify that and gpgv to verify that you can validate the Release file using the Release.gpg signature file.

gpg --list-keys --keyring trustedkeys.gpg --verbose

gpgv --keyring=/root/.gnupg/trustedkeys.gpg Release.gpg Release

Your default Ubuntu keyring should be /root/.gnupg/pubring.kbx

It really doesn't matter what keyring you give it - it uses trustedkeys.gpg by default and ignores any instructions to the contrary.

I've spent the last several hours working with ChatGPT to troubleshoot this problem on Ubuntu Focal.   I have tried both gpg1 and gpg2, gpgv1 and gpgv2.  I have watched aptly download the keys to /tmp but it never does anything with them.  It won't even create the rootDir.   Nothing I tried made it work, save for turning off checking.  ("gpgDisableVerify": true, in ~/.aptly.conf)

It appears that crypto in both version 1.50 and the older version in the Ubuntu repo is broken.

After turning off crypto verification I finally got the mirrors created and it downloaded exactly 500 .deb files and quit.

This version is limited to 500, either by design, a bug, or maybe by trying to use an external REST service that limits you to 500.

Chindo Kae

Jun 9, 2023, 3:56:51 PM
to aptly-discuss
There was an answer below that I missed.  Just change the provider to gpg2.

It does ignore these settings:

  "gpgvPath": "/usr/bin/gpgv1",
  "gpgPath": "/usr/bin/gpg1",

Even when you set "gpgProvider": "external",

It seems to ignore a number of things you pass to it.....


On Monday, April 24, 2023 at 8:16:31 AM UTC-4 Robert Jacobson wrote:
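A format check for the trustedkeys.gpg keyring named in the thread, as an added example that is not part of any post or of aptly. gpgv 1.x reports "invalid packet (ctb=00)" when handed a GnuPG 2 keybox file, whose first byte is 0x00; that this is the cause in this thread is an assumption, and the sample bytes below are constructed.

```python
"""Classify a GnuPG keyring file by its on-disk format (added example)."""
import os
import struct
import sys

KBX_MAGIC = b"KBXf"  # magic at offset 8 of the keybox header blob

# Constructed sample: a 32-byte keybox header blob (big-endian length 32,
# type 1, version 1, flags, magic, reserved and timestamp fields).
SAMPLE_KBX = struct.pack(">IBBH4sIIIII", 32, 1, 1, 0, KBX_MAGIC, 0, 0, 0, 0, 0)
# Constructed sample: start of an old-format OpenPGP public-key packet
# (0x99 = tag 6 with a two-byte length), as written by gpg 1.x keyrings.
SAMPLE_PGP = b"\x99\x01\x0d\x04" + b"\x00" * 16


def keyring_format(data: bytes) -> str:
    """Return 'empty', 'keybox', 'armored', 'openpgp' or 'unknown'."""
    if not data:
        return "empty"
    if len(data) >= 12 and data[8:12] == KBX_MAGIC:
        return "keybox"
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return "armored"
    if data[0] & 0x80:  # every OpenPGP packet header byte has bit 7 set
        return "openpgp"
    return "unknown"


def gpgv1_can_read(fmt: str) -> bool:
    """gpgv 1.x expects a keyring of binary OpenPGP packets."""
    return fmt == "openpgp"


def report(path: str, data: bytes) -> str:
    fmt = keyring_format(data)
    line = f"{path}: format={fmt}"
    if data:
        line += f", first byte (CTB)=0x{data[0]:02x}"
    if not gpgv1_can_read(fmt):
        line += "; not readable by gpgv 1.x"
    return line


if __name__ == "__main__":
    default = os.path.expanduser("~/.gnupg/trustedkeys.gpg")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    with open(target, "rb") as fh:
        print(report(target, fh.read(64)))
```

Run it as the user that runs aptly, passing the keyring path as the only argument.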