This warning occurs when APT cannot verify the GPG signature of a repository. The APT package manager uses GPG keys to verify that packages come from trusted sources. When a key is missing, expired, or changed, signature verification fails and the update is skipped.
The "An error occurred during the signature verification" warning indicates that APT encountered a problem verifying the digital signature of one or more repositories during an update. APT uses GPG (GNU Privacy Guard) keys to cryptographically verify that packages are authentic and haven't been tampered with. When APT updates your package lists, it downloads both the package metadata (Release file) and a signature file. It then uses the public key of the repository to verify that the signature matches the Release file. If this verification fails, APT cannot confirm the repository's authenticity and skips updating that repository. The warning message means your existing cached package lists will be used instead of fetching fresh ones, which could mean missing security updates or new package versions. While the system continues to function, it's important to resolve signature verification errors to ensure you receive legitimate updates.
First, get detailed information about which repositories are failing:
sudo apt updateLook at the output carefully. The error should mention specific GPG key IDs (like B7B3B788A8D3785C) or which repositories are having issues. Take note of any key IDs or repository names mentioned.
GPG signatures have validity dates. If your system clock is wrong, signature verification fails:
# Check current date and time
date
# Check if time synchronization is enabled
timedatectl statusIf the date is obviously wrong (off by years), fix it:
# Enable automatic time synchronization (recommended)
sudo timedatectl set-ntp true
# Or manually set the date (if necessary)
sudo date -s "2025-01-15 14:30:00"After correcting the date, run apt update again.
From the apt update output, identify the failing repositories. You might see error patterns like:
W: An error occurred during the signature verification. The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7B3B788A8D3785C
E: The repository 'http://ppa.launchpad.net/...' failed to verify its key.If you see a repository URL or PPA name, you can try removing it and re-adding it with its correct key. For official repositories, you may need to reinstall keyrings.
If you know the missing GPG key ID from the error message, you can fetch and add it:
# Replace KEY_ID with the actual ID from error messages (e.g., B7B3B788A8D3785C)
sudo gpg --keyserver keyserver.ubuntu.com --recv-keys B7B3B788A8D3785C
# Export the key and add it to apt's trusted keyring
sudo gpg --export --armor B7B3B788A8D3785C | sudo apt-key add -If the default keyserver is slow or unreachable, try alternatives:
# Try a different keyserver
sudo gpg --keyserver hkp://keys.gnupg.net:80 --recv-keys B7B3B788A8D3785C
# Or use the Ubuntu keyserver explicitly
sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys B7B3B788A8D3785CAfter adding the key, run sudo apt update again to verify it worked.
For official Ubuntu/Debian repositories, the system keyrings may need updating:
# Update the main Debian archive keyring
sudo apt install debian-archive-keyring
# Update Ubuntu-specific keyrings
sudo apt install ubuntu-keyring
# For older Ubuntu versions, also update
sudo apt install debian-keyringAfter updating keyrings:
sudo apt updateThis is especially important if you're getting errors about official Ubuntu or Debian repositories.
The deprecated apt-key command is being phased out. For personal package archives (PPAs) and third-party repos, use the signed-by method:
First, find your repo file:
# List all repository sources
ls /etc/apt/sources.list.d/
# Check main sources
cat /etc/apt/sources.listIf you find a repo entry (for example, a PPA), download its key and add signed-by:
# Download the GPG key to a file
curl -fsSL https://ppa.launchpad.net/example/ppa/ubuntu/KEY.gpg | sudo gpg --dearmor -o /usr/share/keyrings/ppa-example.gpg
# Edit the repository source file
sudo nano /etc/apt/sources.list.d/example-ppa-list.sourcesAdd the signed-by parameter pointing to the key file:
Types: deb
URIs: http://ppa.launchpad.net/example/ppa/ubuntu/
Suites: jammy
Components: main
Signed-By: /usr/share/keyrings/ppa-example.gpgSave and test:
sudo apt updateIf a repository continues to cause signature errors and you don't need it, you can remove it:
# For repositories in sources.list.d/
sudo rm /etc/apt/sources.list.d/problematic-repo.list
# For repositories in the main sources.list file
sudo nano /etc/apt/sources.list
# Remove or comment out the problematic lines (lines starting with 'deb' or 'deb-src')After removing the repository:
sudo apt updateThis allows apt update to complete successfully. You can always re-add the repository later with the correct GPG key.
Sometimes corrupted cache files can cause signature verification to fail:
# Clean apt cache
sudo apt clean
# Remove and recreate package list cache
sudo rm -rf /var/lib/apt/lists/*
sudo mkdir -p /var/lib/apt/lists/partial
# Try updating again
sudo apt updateThis forces apt to re-download and re-verify all package lists. It's safe but will take longer the first time.
Key server pool improvements: Ubuntu's keyserver.ubuntu.com is a pool that routes to multiple servers. If you're having keyserver timeouts, you can temporarily bypass the pool:
sudo gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys KEY_IDDebian vs Ubuntu key differences: Debian uses debian-archive-keyring while Ubuntu uses ubuntu-keyring. If you're mixing distributions (like using Debian repos on Ubuntu), you may need both installed.
Perfect Forward Secrecy and rotation: Major distributions rotate their signing keys periodically. If apt suddenly complains about keys that previously worked, the distribution likely rotated keys. Check the official repository announcements.
Offline systems: If your system cannot reach keyservers, you'll need to manually import keys on another connected system and transfer them:
# On a connected system, export a key
gpg --export --armor KEY_ID > key.gpg
# Transfer key.gpg to offline system, then import it
sudo apt-key add key.gpgProxied networks: If you're behind a corporate proxy that does SSL inspection, gpg might fail to reach keyservers. You may need to configure apt to use the proxy:
sudo nano /etc/apt/apt.conf.d/proxy.confAdd:
Acquire::http::Proxy "http://proxy.company.com:8080";
Acquire::https::Proxy "http://proxy.company.com:8080";Transition to --no-check-valid-until: As a temporary workaround (not recommended for production), you can skip date validation:
# Only use this temporarily while investigating date issues
sudo apt -o Acquire::Check-Valid-Until=false updateE: Could not connect to proxy server
Could not connect to proxy server
E: Package 'package:i386' has no installation candidate
How to fix "Package package:i386 has no installation candidate" in apt
E: The value 'value' is invalid for APT::Default-Release
How to fix invalid APT::Default-Release value in APT
dpkg: error: unable to create new file 'path': Permission denied
How to fix dpkg permission denied errors in APT
subprocess installed post-removal script returned error exit status 1
How to fix "subprocess installed post-removal script returned error exit status 1" in APT