A missing public key in your signature verification process causes the check to fail immediately. If you’re seeing the error “can’t check signature public key not found,” it means your system cannot locate the cryptographic key needed to confirm that a file, message, or software update is authentic. This is a common issue when working with GPG, SSH, or package managers like APT, and it can block installations or secure communications.
This error usually pops up when you try to verify a signed file but the corresponding public key isn’t in your keyring. Without that key, the signature check can’t proceed, leaving you stuck. The good news is that fixing it is often straightforward once you understand what’s happening.
In this guide, we’ll walk through what causes this error, how to troubleshoot it, and the exact steps to resolve it. You’ll learn how to import missing keys, verify signatures manually, and prevent the issue from recurring.
What Does “Can’t Check Signature Public Key Not Found” Mean?
When you see this message, it means your system attempted to verify a digital signature but couldn’t find the corresponding public key. Digital signatures rely on a pair of keys: a private key (kept secret by the signer) and a public key (shared openly). The public key is used to decrypt the signature and confirm it matches the original data.
If the public key is missing from your local key database, the verification process stops. This is a security measure—without the key, you can’t trust the signature’s validity. The error is common in Linux environments, especially when using apt-get or gpg commands.
Think of it like trying to open a locked box without the right key. The lock (signature) is there, but you don’t have the tool to open it. Until you get the correct public key, the box stays shut.
Common Scenarios Where This Error Occurs
You might encounter this error in several situations:
- Adding a new software repository to your Linux system
- Verifying a downloaded file with GPG
- Checking the integrity of a software package during installation
- Using SSH with public key authentication
- Working with Git signed commits or tags
Each scenario has a slightly different fix, but the core problem is the same: the public key isn’t in your local keyring.
Can’t Check Signature Public Key Not Found
Let’s dive into the most common fix for this error. When you see “Can’t Check Signature Public Key Not Found,” the first step is to locate and import the missing key. Most package managers and signing tools provide a key ID or fingerprint in the error message. Use that information to fetch the key from a key server.
For example, if you’re using APT on Ubuntu or Debian, the error might look like this:
W: GPG error: http://example.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1234567890ABCDEF
The key ID is 1234567890ABCDEF. You can import it with:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1234567890ABCDEF
After importing, run sudo apt-get update again. The error should be gone. If you’re using a newer version of APT (Ubuntu 20.04+), you might need to use gpg directly instead of apt-key, which is deprecated.
Step-By-Step Guide To Fix The Error
Here’s a detailed process you can follow:
- Identify the missing key ID. Look for “NO_PUBKEY” or “public key not found” in the error output. The key ID is usually a 16-character hexadecimal string.
- Choose a key server. Common servers include keyserver.ubuntu.com, keys.openpgp.org, or pgp.mit.edu. Use one you trust.
- Import the key. Run the appropriate command for your tool. For GPG: gpg --keyserver keyserver.ubuntu.com --recv-keys KEY_ID. For APT: use the apt-key command or the newer gpg --dearmor method.
- Verify the key. Check that the key was added correctly: gpg --list-keys KEY_ID or apt-key list.
- Retry the operation. Run your original command again. The signature check should now pass.
If the key server is unreachable, try a different server. Some networks block certain servers, so having a backup is useful.
Using GPG To Manually Verify Signatures
Sometimes you need to verify a file manually, like a downloaded ISO or a software archive. Here’s how to do it when the key is missing:
- Download both the file and its signature file (usually .sig or .asc)
- Import the signer’s public key from a key server
- Run gpg --verify file.sig file
- If successful, you’ll see “Good signature”
If the key isn’t on a server, you might need to get it directly from the software provider’s website. Many projects publish their public keys on their official site or in a documentation page.
Why Does This Error Happen In Package Managers?
Package managers like APT, YUM, and DNF use digital signatures to ensure packages haven’t been tampered with. When you add a third-party repository, you need to import its GPG key. If you skip this step, you’ll get the “public key not found” error.
This is a security feature, not a bug. It prevents you from installing unsigned or malicious software. The error forces you to explicitly trust the repository by adding its key.
For example, adding the Docker repository requires importing their GPG key first. If you forget, apt-get update will fail with the missing key error. The fix is to follow the repository’s instructions for key import.
How To Add A Repository Key Correctly
Here’s a typical workflow for adding a repository and its key:
- Download the GPG key:
wget -O- https://example.com/key.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/example-archive-keyring.gpg
- Add the repository:
echo "deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.com/apt stable main" | sudo tee /etc/apt/sources.list.d/example.list
- Update:
sudo apt-get update
This method is more secure than using apt-key add because it pins the key to a specific repository. It also prevents the error from reappearing.
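To check which existing entries are actually pinned this way, the following added example (not part of the original guide) classifies one-line-style APT source entries by whether they carry a signed-by option. An entry without it is verified against every key in APT's global trusted keyrings. The sample entries, hosts and keyring paths are constructed placeholders, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page): classify one-line-style APT
# source entries read on stdin as PINNED (has signed-by) or UNPINNED.
audit_sources() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }   # skip comments and blank lines
        {
            keyring = ""; uri_field = 2
            if ($2 ~ /^\[/) {
                # Options sit between [ and ] and may span several fields.
                for (i = 2; i <= NF; i++) {
                    opt = $i
                    sub(/^\[/, "", opt); sub(/\]$/, "", opt)
                    if (opt ~ /^signed-by=/) keyring = substr(opt, 11)
                    if ($i ~ /\]$/) { uri_field = i + 1; break }
                }
            }
            if (keyring != "") print "PINNED", $uri_field, keyring
            else               print "UNPINNED", $uri_field
        }'
}

# Constructed sample entries; hosts and keyring paths are placeholders.
sample_sources() {
    cat <<'EOF'
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.com/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/other-keyring.gpg] https://repo.example.org/apt stable main
deb http://legacy.example.net/debian stable main
# deb https://disabled.example.com/apt stable main
deb-src [arch=amd64] https://src.example.org/apt stable main
EOF
}

sample_sources | audit_sources
```

On a real system, feed it the files themselves: cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources. It does not parse the deb822 .sources format.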
Troubleshooting When The Key Import Fails
Sometimes importing the key doesn’t work. Here are common issues and their solutions:
- Network issues: The key server might be down. Try a different server or use a proxy.
- Wrong key ID: Double-check the key ID. A typo will cause the import to fail silently.
- Expired keys: Some keys have expiration dates. If the key is expired, you’ll need to get an updated one from the provider.
- Key not found on server: The key might not be published on public servers. Contact the software vendor or check their website.
If you’re behind a corporate firewall, you might need to configure your system to use a proxy for key server access. Set the http_proxy environment variable or configure your package manager’s proxy settings.
Checking Key Expiration And Revocation
Even after importing a key, it might not work if it’s expired or revoked. Check the key’s status with:
gpg --list-keys --keyid-format LONG KEY_ID
Look for the “expires” field. If it’s past that date, the key is no longer valid. You’ll need to get a new key from the signer. Revoked keys show a “revoked” flag and should not be trusted.
Some projects rotate their keys periodically. Always check the official documentation for the latest key.
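To run the same check across a whole keyring, the following added example (not part of the original guide) reads GnuPG's machine-readable listing, produced by adding --with-colons to the listing command, and classifies each primary key. It also catches keys whose expiry timestamp has passed even when the validity field does not say so. The sample listing, key IDs and timestamps are constructed, and key_status is a hypothetical name.

```sh
#!/bin/sh
# Added example (not from the original page): classify each primary key in a
# colon-format listing, e.g. from `gpg --list-keys --with-colons`.
# Usage: key_status NOW_EPOCH WARN_DAYS < listing
key_status() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 != "pub" { next }   # primary keys only; skip sub, uid and fpr records
        {
            validity = $2; keyid = $5; expires = $7
            if (validity == "r")
                state = "REVOKED"
            else if (validity == "e" || (expires != "" && expires + 0 <= now + 0))
                state = "EXPIRED"    # flag set by gpg, or expiry timestamp already passed
            else if (expires != "" && expires - now <= warn * 86400)
                state = "EXPIRING"   # still valid, but inside the warning window
            else
                state = "OK"         # also covers keys with no expiry date
            print keyid, state
        }'
}

# Constructed sample listing; key IDs and timestamps are made up.
sample_listing() {
    cat <<'EOF'
pub:r:4096:1:AAAABBBBCCCCDDDD:1500000000:1800000000::-:::sc::::::23::0:
pub:e:4096:1:1234567890ABCDEF:1500000000:1600000000::-:::sc::::::23::0:
pub:-:4096:1:0123456789ABCDEF:1600000000:1690000000::-:::scESC::::::23::0:
uid:-::::1600000000::::Example Archive <archive@example.com>:
pub:f:255:22:FEDCBA9876543210:1650000000:1701000000::-:::scESC:::::ed25519:::0:
sub:f:255:18:1111222233334444:1650000000:1601000000::::::e:::::cv25519::
pub:u:4096:1:0011223344556677:1650000000:::u:::scESC::::::23::0:
EOF
}

# Fixed "now" (1700000000) keeps the demo deterministic; use $(date +%s) in practice.
sample_listing | key_status 1700000000 30
```

For a keyring file used with signed-by, gpg --show-keys --with-colons FILE produces the same record format.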
Preventing The Error In The Future
Once you’ve fixed the immediate issue, take steps to avoid it happening again:
- Always import repository keys before adding their sources
- Keep your keyring updated by regularly running apt-key update or equivalent
- Use signed-by syntax in your sources.list files to pin keys to specific repos
- Back up your GPG keyring so you can restore it if needed
- Monitor key expiration dates and renew them before they expire
If you manage multiple systems, consider using a configuration management tool like Ansible or Puppet to automate key imports. This ensures consistency across your infrastructure.
Using Automation To Manage Keys
For sysadmins, manual key imports don’t scale. Use scripts to handle key management:
- Create a script that downloads and imports keys from a trusted source
- Store keys in a central location, like a Git repository
- Run the script on each new system during provisioning
- Set up a cron job to check for key updates periodically
This approach reduces human error and ensures all systems have the correct keys. It also makes auditing easier because you can track key changes in version control.
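A provisioning step along these lines, as an added example that is not part of the original guide: it installs keyring files from a checked-out central repository only when each file matches a SHA-256 manifest. The manifest format ("<sha256>  <filename>" lines, as written by sha256sum), the function names and the file names are assumptions, and the demo uses constructed placeholder files rather than real keys.

```sh
#!/bin/sh
# Added example (not from the original page): copy keyring files into DEST_DIR
# only when their SHA-256 matches a manifest kept in version control.
install_keys() {   # usage: install_keys SRC_DIR MANIFEST DEST_DIR
    src=$1 manifest=$2 dest=$3 rc=0
    mkdir -p "$dest"
    while read -r want name; do
        [ -n "$name" ] || continue                # skip blank lines
        case $name in
            */*|.*) echo "REJECT $name"; rc=1; continue ;;   # plain file names only
        esac
        if [ ! -f "$src/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(sha256sum "$src/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            cp "$src/$name" "$dest/$name" && chmod 0644 "$dest/$name"
            echo "INSTALLED $name"
        else
            echo "MISMATCH $name"; rc=1           # differs from the reviewed copy
        fi
    done < "$manifest"
    return "$rc"
}

# Constructed demo: placeholder files stand in for keys; one is altered after
# the manifest is written and one manifest entry has no file.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/src"
    printf 'constructed key A\n' > "$tmp/src/example-archive-keyring.gpg"
    printf 'constructed key B\n' > "$tmp/src/other-keyring.gpg"
    (cd "$tmp/src" && sha256sum example-archive-keyring.gpg other-keyring.gpg) > "$tmp/manifest"
    printf 'altered\n' >> "$tmp/src/other-keyring.gpg"
    echo "absent  missing-keyring.gpg" >> "$tmp/manifest"
    install_keys "$tmp/src" "$tmp/manifest" "$tmp/keyrings" || true
    echo "installed files: $(ls "$tmp/keyrings")"
    rm -rf "$tmp"
}

demo
```

The non-zero return value on any MISMATCH, MISSING or REJECT line lets a provisioning run or cron job fail loudly instead of leaving a system with a partial key set.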
Understanding Digital Signatures And Public Key Cryptography
To fully grasp why this error occurs, it helps to understand the basics of digital signatures. A digital signature is created using a private key and verified using a public key. The signer uses their private key to encrypt a hash of the data. Anyone with the public key can decrypt the hash and compare it to a freshly computed hash of the data.
If the hashes match, the signature is valid. If the public key is missing, the verification can’t happen. This is why the system throws the “public key not found” error.
Public key cryptography is the foundation of secure communication on the internet. It’s used in HTTPS, email encryption, software signing, and more. Understanding it helps you troubleshoot related errors more effectively.
Key Types And Formats
Public keys come in different formats. The most common are:
- OpenPGP keys: Used for email encryption and software signing. They have a long fingerprint and a shorter key ID.
- SSH keys: Used for secure shell access. They come in RSA, ECDSA, and Ed25519 variants.
- X.509 certificates: Used in HTTPS and code signing. They include a public key and identity information.
Each type has its own tools and commands. The error “can’t check signature public key not found” is most common with OpenPGP keys, but it can appear with others too.
Advanced Troubleshooting Techniques
If the basic fixes don’t work, try these advanced methods:
- Check the keyring location: GPG keys are stored in ~/.gnupg/ for users and /etc/apt/trusted.gpg.d/ for system-wide keys. Verify the key is in the right place.
- Use verbose output: Run your command with -v or --verbose to see more details about where the verification fails.
- Test with a different tool: If gpg fails, try gpg2 or gpgv. Sometimes version mismatches cause issues.
- Check file permissions: Ensure your keyring files are readable by the user running the command. Incorrect permissions can block access.
If you’re still stuck, search for the exact error message along with your operating system version. Others have likely encountered the same issue and posted solutions.
Debugging With Strace Or Lsof
For the truly stubborn cases, use system tracing tools to see what files the process is trying to access:
strace -e openat gpg --verify file.sig 2>&1 | grep -i key
This shows which key files GPG is attempting to open. If it’s looking in the wrong directory, you can symlink or copy the key to the expected location.
Similarly, lsof can show open file handles during the verification process. This is advanced but can reveal permission issues or missing files.
Common Mistakes And How To Avoid Them
Even experienced users make mistakes. Here are the most common ones:
- Using the wrong key ID: The error shows a short key ID, but you might need the full fingerprint. Use --keyid-format LONG to get the correct one.
- Importing to the wrong keyring: Root and user keyrings are separate. If you’re running a command as root, import the key with sudo.
- Forgetting to update after import: After adding a key, you must run apt-get update again for APT to recognize it.
- Using deprecated commands: apt-key is deprecated in newer Ubuntu versions. Use the signed-by method instead.
Double-check each step before moving on. A small oversight can waste hours of troubleshooting.
When To Rebuild The Keyring
If your keyring becomes corrupted or you’ve imported too many keys, consider rebuilding it:
- Back up your current keyring: cp -r ~/.gnupg ~/.gnupg.backup
- Delete the keyring: rm -rf ~/.gnupg
- Recreate it: gpg --list-keys (this creates a fresh keyring)
- Re-import only the keys you need
This is a drastic step, but it can resolve mysterious issues. Only do this if you’re sure you can restore your keys from backup or key servers.
Frequently Asked Questions
Why Do I Get “Can’t Check Signature Public Key Not Found” When Installing Software?
This happens when you add a third-party repository but haven’t imported its GPG key. The package manager can’t verify the repository’s signatures without the key. Import the key using the repository’s instructions, and the error will go away.
How Do I Find The Correct Public Key For A Missing Signature?
The error message usually includes a key ID (like “NO_PUBKEY 1234567890ABCDEF”). Search for this ID on a key server or the software provider’s website. You can also look up the project’s documentation for key fingerprints.
Can I Skip Signature Verification If I Can’t Find The Key?
Technically yes, but it’s not recommended. Skipping verification bypasses security checks and could expose you to malicious software. Only do this if you trust the source completely and understand the risks. For APT, you can use --allow-unauthenticated, but this is a bad practice.
What If The Key Server Is Down Or Unreachable?
Try a different key server. Common alternatives include keyserver.ubuntu.com, keys.openpgp.org, and pgp.mit.edu. If all servers are down, download the key directly from the software provider’s website and import it manually with gpg --import keyfile.asc.
Does This Error Affect All Linux Distributions?
No, it’s most common on Debian-based systems (Ubuntu, Debian, Mint) that use APT. Other distributions like Fedora or Arch use different package managers and key management systems, but they can still show similar errors if a key is missing.
Final Thoughts
Seeing “can’t check signature public key not found” can be frustrating, but it’s a solvable problem. The key is to identify the missing key ID, import it from a trusted source, and then retry your operation. With the steps in this guide, you should be able to resolve the issue quickly.
Remember that this error is a security feature, not a bug. It protects you from unsigned or tampered software. Always import keys from official sources