trustedkeys.gpg is ignored because it is not readable by user '_apt'

By xngo on July 14, 2019

Issue

With Debian 10 Buster, apt-key is deprecated. So, I copied my trustedkeys.gpg directly to /etc/apt/trusted.gpg.d/. After that, I ran apt-get update and it displayed the following error message:

Get:1 http://localhost/aptly-repo/master_buster-main buster InRelease [5655 B]
Err:1 http://localhost/aptly-repo/master_buster-main buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6709F753EDAC8514
Reading package lists... Done
W: http://localhost/aptly-repo/master_buster-main/dists/buster/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/trustedkeys.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://localhost/aptly-repo/master_buster-main buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6709F753EDAC8514
E: The repository 'http://localhost/aptly-repo/master_buster-main buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Solution

I know for a fact that my trustedkeys.gpg file contains the public key 6709F753EDAC8514. Since Debian can't read the trustedkeys.gpg file as the _apt user, I simply changed the permissions to allow everyone to access it.

chmod 755 /etc/apt/trusted.gpg.d/trustedkeys.gpg

After this, apt-get update works correctly.

Get:1 http://localhost/aptly-repo/master_buster-main buster InRelease [5655 B]
Get:2 http://localhost/aptly-repo/master_buster-main buster/main amd64 Packages [409 kB]
Fetched 415 kB in 0s (1316 kB/s)
Reading package lists... Done
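
The warning above only requires that _apt can read the keyring, which mode 644 already grants; a keyring is data and needs no execute bit. The following script is an added example, not part of the original post: it audits the permissions of every keyring in a directory. The helper names check_keyring and audit_dir are hypothetical, and it assumes GNU stat and root:root ownership, so that _apt falls under the "other" permission bits.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Debian) and
# keyrings owned by root:root, so _apt gets the "other" permission bits.

# check_keyring FILE (hypothetical helper)
#   0 = readable by _apt, no write/execute bits beyond the owner's write
#   1 = not world-readable: apt ignores the keyring (the warning above)
#   2 = works, but group/other-writable or executable (e.g. 755, 666)
#   3 = cannot stat the file
check_keyring() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 3
    other=$((mode % 10))
    group=$((mode / 10 % 10))
    owner=$((mode / 100 % 10))
    [ $((other & 4)) -ne 0 ] || return 1
    # Keyrings are data: nobody needs x, and only root should have w.
    [ $(( (owner | group | other) & 1 )) -eq 0 ] || return 2
    [ $(( (group | other) & 2 )) -eq 0 ] || return 2
    return 0
}

# audit_dir DIR: print one line per *.gpg / *.asc keyring; changes nothing.
audit_dir() {
    for f in "$1"/*.gpg "$1"/*.asc; do
        [ -e "$f" ] || continue
        rc=0
        check_keyring "$f" || rc=$?
        case $rc in
            0) echo "OK        $f" ;;
            1) echo "IGNORED   $f (not readable by _apt; chmod 644)" ;;
            2) echo "TOO-OPEN  $f (mode $(stat -c '%a' "$f"); chmod 644)" ;;
            *) echo "ERROR     $f (cannot stat)" ;;
        esac
    done
    return 0
}

# Read-only report; pass another directory as $1 to audit it instead.
audit_dir "${1:-/etc/apt/trusted.gpg.d}"
```

A file reported as TOO-OPEN still works with apt; the report only flags permission bits that a keyring does not need.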

About the author

Xuan Ngo is the founder of OpenWritings.net. He currently lives in Montreal, Canada. He loves to write about programming and open source subjects.