The "repository is not signed" error occurs when APT cannot authenticate packages from a third-party repository because it lacks the required GPG public key. Fix it by importing the missing GPG key or trusting the repository.
When you add a third-party repository to your Debian or Ubuntu system, APT uses cryptographic GPG keys to verify that packages are authentic and haven't been tampered with. If the repository's public key isn't in your system's trusted keyring, APT refuses to download packages from it as a security measure.
This error typically appears when:
- You added a PPA or custom repository without adding its GPG key
- The repository's signing key has been rotated and your system hasn't been updated
- The key is expired or no longer trusted
APT treats unsigned repositories as a security risk by default, which protects your system from potentially malicious packages.
When you run sudo apt update, look for the error output that mentions the repository URL and may include a NO_PUBKEY error with a key ID (a long hexadecimal string).
Example:
W: GPG error: http://repository.example.com focal Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1234567890ABCDEF
Note the key ID (in this example: 1234567890ABCDEF). If the output doesn't show NO_PUBKEY, the repository's source list entry may need investigation.
The recommended approach for modern systems is to import the key directly to the repository's keyring file instead of the deprecated apt-key method.
First, retrieve the key from a keyserver:
sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys YOUR_KEY_ID
Replace YOUR_KEY_ID with the actual key ID from the error message. Then export it to a dedicated keyring file:
sudo gpg --export YOUR_KEY_ID | sudo tee /etc/apt/trusted.gpg.d/repository-name.gpg > /dev/null
Replace repository-name with a descriptive name for the repository. Finally, update your package lists:
sudo apt update
This method keeps each repository's keys separate and secure.
Some repositories provide a Signed-By directive that you can add to your sources list. Edit your repository file:
sudo nano /etc/apt/sources.list.d/repository-name.list
Update the line to include a signed-by option that points at the repository's keyring file:
deb [signed-by=/etc/apt/trusted.gpg.d/repository-name.gpg] http://repository.url jammy main
Then download and install the key:
sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys YOUR_KEY_ID
sudo gpg --export YOUR_KEY_ID | sudo tee /etc/apt/trusted.gpg.d/repository-name.gpg > /dev/null
sudo apt update
This approach is more secure because it ties the key directly to the repository entry.
After importing the key, verify that the error is resolved:
sudo apt update
You should see output indicating that the repository was processed successfully. Look for lines like:
Get:XX http://repository.example.com focal Release [XXX B]
Get:XX http://repository.example.com focal Release.gpg [XXX B]
If you still see errors, double-check the key ID and ensure the keyserver is reachable.
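The key ID in the error only says which key is missing; before a key fetched from a keyserver goes into a keyring, its full fingerprint should match the one the repository maintainer publishes, and it should not be expired or revoked. The script below is an added example, not part of the original article: the function names are hypothetical, the sample error line and key listing are constructed, and the expected fingerprint is assumed to come from the maintainer out of band.

```shell
#!/usr/bin/env bash
# Added example: vet a repository key before it goes into an APT keyring.

# Print each unique key ID that follows NO_PUBKEY in `apt update` output (stdin).
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16,40}' | awk '{ print toupper($2) }' | sort -u
}

# Judge `gpg --show-keys --with-colons KEYFILE` output (stdin) for a single key.
#   $1 key ID from the NO_PUBKEY error (may be the primary key or a signing subkey)
#   $2 full fingerprint the maintainer publishes, obtained out of band
#   $3 current time in epoch seconds (defaults to now)
# Prints a one-word verdict; returns 0 only for "ok".
check_key_listing() {
    local key_id="$1" expected="$2" now="${3:-$(date +%s)}"
    awk -F: -v id="$key_id" -v want="$expected" -v now="$now" '
        BEGIN { gsub(/ /, "", want); want = toupper(want); id = toupper(id) }
        $1 == "pub" && !seen { seen = 1; validity = $2; expires = $7 }
        $1 == "fpr" {
            f = toupper($10)
            if (primary == "") primary = f          # first fpr record: primary key
            if (substr(f, length(f) - length(id) + 1) == id) id_found = 1
        }
        END {
            if (primary == "")          v = "no-key"
            else if (primary != want)   v = "fingerprint-mismatch"
            else if (!id_found)         v = "keyid-mismatch"
            else if (validity == "r")   v = "revoked"
            else if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) v = "expired"
            else                        v = "ok"
            print v
            exit (v == "ok" ? 0 : 1)
        }'
}

# Constructed sample data (not real keys): an abbreviated error line and a key listing.
SAMPLE_APT="W: GPG error: http://repository.example.com focal Release: NO_PUBKEY 1234567890ABCDEF"
SAMPLE_FPR="AAAAAAAAAAAAAAAAAAAAAAAA1234567890ABCDEF"
SAMPLE_LISTING="pub:-:4096:1:1234567890ABCDEF:1600000000:1900000000::-:::scESC:
fpr:::::::::${SAMPLE_FPR}:
uid:-::::1600000000::::Example Repo <repo@example.com>:"

key_id=$(printf '%s\n' "$SAMPLE_APT" | missing_key_ids)
verdict=$(printf '%s\n' "$SAMPLE_LISTING" | check_key_listing "$key_id" "$SAMPLE_FPR" 1700000000)
echo "key $key_id: $verdict"
```

On a real system, pipe `sudo apt update 2>&1` into `missing_key_ids` and `gpg --show-keys --with-colons downloaded-key.asc` into `check_key_listing`, and export the key to the keyring file only when the verdict is `ok`.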
If the error is from an official Debian or Ubuntu repository, the issue may be that your system's archive keyring is outdated. Update the keyring package:
sudo apt install debian-archive-keyring
# OR for Ubuntu
sudo apt install ubuntu-archive-keyring
This installs the latest official signing keys for repository authentication.
If you absolutely need to proceed temporarily while troubleshooting, you can install packages without GPG verification using:
sudo apt-get install -y package-name --allow-unauthenticated
Or for a full update:
sudo apt-get update --allow-insecure-repositories
Warning: This bypasses security checks. Use only temporarily for troubleshooting, never as a permanent solution. Always import the GPG key instead (steps 2-4 above).
APT Trusted Key Storage: Modern Debian/Ubuntu (11+) stores individual repository keys in /etc/apt/trusted.gpg.d/ instead of the deprecated /etc/apt/trusted.gpg file. This per-repository approach is more secure and maintainable.
Keyserver Selection: The hkp://keyserver.ubuntu.com:80 keyserver is commonly used but may occasionally be unavailable. Alternatives include pgp.mit.edu or keys.openpgp.org. If one fails, try another.
Expired Keys: Some repositories use keys that expire. If importing a key still doesn't work, check if the key has expired. You may need to remove the old key and import a newer one, or contact the repository maintainer.
SELinux/AppArmor: On systems with mandatory access controls (SELinux on Fedora/RHEL, AppArmor on Ubuntu/Debian), ensure the keyring files have correct permissions (644) and ownership (root:root).
CI/CD Environments: In automated deployments, consider adding the GPG key during container/VM setup or using repository mirrors that don't require additional key verification.