This error occurs when apt cannot verify GPG signatures for package repositories because a required GPG key is missing, expired, or outdated. It prevents package updates and installations.
The apt package manager uses GPG (GNU Privacy Guard) cryptographic keys to verify that packages come from trusted repositories. When apt-key subprocess fails, it means the system cannot authenticate the repository's signature. This typically happens because: (1) the GPG key for a repository has expired or been rotated, (2) the key was never imported into the system, (3) the key file is corrupted or inaccessible, or (4) you're using an outdated or unsupported key management method (apt-key is deprecated as of Ubuntu 20.10/Debian 11).
Run sudo apt update with verbose output to identify which repository is failing:
sudo apt update 2>&1 | grep -i "apt-key\|signature\|error"This will show you which PPA or repository is causing the GPG verification failure.
If you're using Kali Linux, Kali periodically rotates its archive signing key. Download and install the new key:
sudo curl -fsSL https://archive.kali.org/archive-key.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/kali-archive-keyring.gpgThen retry sudo apt update.
If the error is from a third-party PPA, remove and re-add it:
sudo add-apt-repository --remove ppa:username/ppaname
sudo add-apt-repository ppa:username/ppanameThe add-apt-repository command will automatically fetch and install the required GPG key.
For repositories not managed by add-apt-repository, download the key using gpg (not apt-key):
wget -nc https://example.com/key.asc
cat key.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/repository-name.gpg > /dev/nullThen update your sources.list entry to reference the key:
echo "deb [signed-by=/etc/apt/trusted.gpg.d/repository-name.gpg] http://repository.example.com/apt focal main" | sudo tee /etc/apt/sources.list.d/repository.listAfter updating keys, reconfigure the package manager:
sudo dpkg --configure -a
sudo apt install --fix-broken
sudo apt updateThese commands repair any corrupted package database state left by the failed key verification.
If a specific PPA is causing persistent issues, disable it temporarily:
sudo add-apt-repository --remove ppa:username/ppaname
# Or remove from sources.list.d if using manual entry:
sudo rm /etc/apt/sources.list.d/repository.listThen retry sudo apt update. You can re-add the repository once its key issues are resolved.
The apt-key tool is deprecated as of Ubuntu 20.10 and Debian 11 and will be removed in future versions. The modern approach is to store GPG keys in /etc/apt/trusted.gpg.d/ as binary .gpg files and reference them explicitly in sources.list entries using the [signed-by=] option. This improves security by limiting key trust to specific repositories rather than globally. If you see 'apt-key is deprecated' warnings (distinct from the error), they won't block operations yet but indicate you should migrate to the modern method. For system-wide key distribution, the archive-keyring package (e.g., ubuntu-keyring, debian-archive-keyring, kali-archive-keyring) should be kept up to date as it contains current repository signing keys. If keys expire on the repository side and you cannot update archive-keyring, manually downloading and installing the new key (as shown in step 4) is the workaround.
dpkg: serious warning: files list file for package 'package-name' contains empty filename
How to fix "files list file contains empty filename" in APT
E: Sub-process /usr/bin/dpkg returned an error code (2)
How to fix "Sub-process /usr/bin/dpkg returned an error code (2)" in APT
dpkg-divert: error: rename involves overwriting 'path' with different file
How to fix dpkg-divert rename conflicts in APT
E: Sub-process /usr/bin/dpkg returned an error code (1) during kernel installation
How to fix "dpkg returned an error code (1)" in APT kernel installation
dpkg: dependency problems prevent configuration of triggers
dpkg: dependency problems prevent configuration of triggers in apt