Aptly - Missing keys in trusted keyring for Debian Security repository

By xngo on April 4, 2020

I was trying to create a mirror of the Debian security repository using Aptly. I got the following message about missing keys in my trusted keyring:

aptly mirror create -architectures=amd64 buster-security-main http://security.debian.org/ buster/updates main
Downloading http://security.debian.org/dists/buster/updates/InRelease...
gpgv: can't allocate lock for '/root/.gnupg/trustedkeys.gpg'
gpgv: Signature made Sat 04 Apr 2020 01:46:28 PM EDT
gpgv: using RSA key 379483D8B60160B155B372DDAA8E81B4331F7F50
gpgv: Can't check signature: No public key
gpgv: Signature made Sat 04 Apr 2020 01:46:28 PM EDT
gpgv: using RSA key 5237CEEEF212F3D51C74ABE0112695A0E562B32A
gpgv: Can't check signature: No public key
Looks like some keys are missing in your trusted keyring, you may consider importing them from keyserver:
gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys AA8E81B4331F7F50 112695A0E562B32A

Even when I ran the suggested command, I got Connection timed out.

gpg --no-default-keyring --keyring trustedkeys.gpg --keyserver pool.sks-keyservers.net --recv-keys AA8E81B4331F7F50 112695A0E562B32A
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'

gpg: keyserver receive failed: Connection timed out

Solution

It looks like the OpenPGP HTTP Keyserver Protocol (HKP) port is blocked. So, I forced it to use port 80.

gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys AA8E81B4331F7F50 112695A0E562B32A
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg: key 4DFAB270CAA96DFA: public key "Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
gpg: key EDA0D2388AE22BA9: public key "Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>" imported
gpg: Total number processed: 2
gpg:               imported: 2

Now, I have to fix the issue of Can't check signature: No public key. I exported the key to my local trustedkeys to make it trusted:

gpg --no-default-keyring -a --export AA8E81B4331F7F50 112695A0E562B32A \
    | gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --import -
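
The keys above were requested by 64-bit key ID over plain HKP, while gpgv reported full 40-hex fingerprints. The following added example (not part of the original post) checks that every fingerprint gpgv asked for is really present in a keyring listing before the keyring is trusted. The function names and file names are hypothetical, and the key listing in the demo is constructed.

```shell
#!/bin/sh
# Added example: do the full fingerprints gpgv reported exist in the keyring?

# Full 40-hex fingerprints from gpgv "using <algo> key ..." lines on stdin.
gpgv_fingerprints() {
    sed -n 's/^gpgv: *using [A-Za-z0-9]* key \([0-9A-Fa-f]\{40\}\)[[:space:]]*$/\1/p' |
        tr 'abcdef' 'ABCDEF' | sort -u
}

# Primary and subkey fingerprints: field 10 of "fpr" records on stdin.
keyring_fingerprints() {
    awk -F: '$1 == "fpr" { print toupper($10) }' | sort -u
}

# missing_fingerprints GPGV_LOG KEY_LISTING (hypothetical helper names)
# Prints wanted fingerprints the keyring lacks. Returns 1 if any are missing,
# 2 if the log held no fingerprint at all.
missing_fingerprints() {
    want=$(gpgv_fingerprints < "$1")
    have=$(keyring_fingerprints < "$2")
    [ -n "$want" ] || return 2
    missing=0
    for fpr in $want; do
        if ! printf '%s\n' "$have" | grep -qx "$fpr"; then
            printf '%s\n' "$fpr"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed demo: gpgv lines as in the post; the listing is constructed and
# its second fingerprint matches only the 64-bit key ID 112695A0E562B32A.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/gpgv.log" <<'EOF'
gpgv: using RSA key 379483D8B60160B155B372DDAA8E81B4331F7F50
gpgv: using RSA key 5237CEEEF212F3D51C74ABE0112695A0E562B32A
EOF
    cat > "$dir/keys.txt" <<'EOF'
fpr:::::::::379483D8B60160B155B372DDAA8E81B4331F7F50:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF112695A0E562B32A:
EOF
    missing_fingerprints "$dir/gpgv.log" "$dir/keys.txt"; rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "not in keyring: verify before trusting"
```

For a real check, pass the saved aptly/gpgv output as the first file and the output of `gpg --no-default-keyring --keyring trustedkeys.gpg --with-colons --fingerprint --fingerprint --list-keys` as the second.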

About the author

Xuan Ngo is the founder of OpenWritings.net. He currently lives in Montreal, Canada. He loves to write about programming and open source subjects.