The apt package manager cannot verify packages from a repository because the GPG public key is missing from your system. This occurs when adding third-party repositories without properly adding their signing keys. Adding the missing key resolves the issue and allows secure package installation.
APT uses GPG (GNU Privacy Guard) cryptographic keys to verify that packages come from legitimate sources and haven't been tampered with. When you add a third-party repository (PPA or external source) to your system, you must also add its public GPG key so apt can verify package signatures. The "NO_PUBKEY" error means apt found a repository configured to use a specific key ID, but that key is not installed on your system. Without the key, apt cannot verify package authenticity and refuses to install packages as a security precaution. The W: prefix indicates this is a warning, not a fatal errorβapt will still continue but won't use packages from that repository.
When you run sudo apt update, look for the GPG error line that shows "NO_PUBKEY" followed by a 16-character hexadecimal string. This is the key ID you need to import:
sudo apt updateExample output:
W: GPG error: https://ppa.launchpad.net/some-ppa Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5In this example, 40976EAF437D05B5 is the key ID you need to import.
For newer systems, use gpg to retrieve and export the key directly to the trusted keyrings directory:
sudo gpg --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
sudo gpg --export 40976EAF437D05B5 | sudo tee /etc/apt/trusted.gpg.d/imported-key.gpg > /dev/nullReplace 40976EAF437D05B5 with your actual key ID. Replace imported-key.gpg with a descriptive name if you prefer (e.g., launchpad-ppa-key.gpg).
This method stores each repository's key separately in /etc/apt/trusted.gpg.d/, which is more secure than the deprecated apt-key approach.
If you're on Ubuntu 18.04 or Debian 10, you can use the apt-key command directly:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5Note: This method is deprecated but still works on older systems. If you see a warning about apt-key being deprecated, it's safe to ignore it for quick fixes on older distributions.
List the imported keys to confirm the key ID is now installed:
sudo apt-key listOr for the modern method, check the trusted.gpg.d directory:
ls -la /etc/apt/trusted.gpg.d/You should see the key ID listed with the repository information.
After importing the key, run apt update again to verify the GPG error is resolved:
sudo apt updateThe error message should no longer appear for that repository. The command will complete successfully with that repository's packages now available for installation.
If the key import fails with "No public key found," the keyserver may be temporarily unavailable. Try an alternative keyserver like hkp://keyserver.ubuntu.com:80 or wait a few minutes before retrying. For custom PPAs, check the PPA's documentation or GitHub repository for the correct key ID or setup instructions, as some maintainers provide alternative key distribution methods. If you trust the repository but want to disable GPG verification temporarily, you can add [signed-by=/path/to/key.gpg] directly in the .sources file (modern apt format) to associate a specific key with a specific repository, providing fine-grained control over which repositories require signature verification.
E: Could not connect to proxy server
Could not connect to proxy server
E: Package 'package:i386' has no installation candidate
How to fix "Package package:i386 has no installation candidate" in apt
E: The value 'value' is invalid for APT::Default-Release
How to fix invalid APT::Default-Release value in APT
dpkg: error: unable to create new file 'path': Permission denied
How to fix dpkg permission denied errors in APT
subprocess installed post-removal script returned error exit status 1
How to fix "subprocess installed post-removal script returned error exit status 1" in APT