How to Fix NO_PUBKEY Error on Arch Linux

Encountering the NO_PUBKEY error on Arch Linux? This error indicates that a repository's public key is missing from your keyring. Follow this guide to resolve the issue and keep your system running smoothly.

Understanding the NO_PUBKEY Error

The NO_PUBKEY error means that a repository's GPG key isn't present in your keyring, preventing the verification of packages from that repository. This verification is crucial to ensure the authenticity and integrity of the packages.

Example Error Message

error: nginx: signature from "Example <example@example.com>" is unknown trust :: File /var/cache/pacman/pkg/nginx-1.20.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)). Do you want to delete it? [Y/n]

Step-by-Step Guide to Fix NO_PUBKEY Error on Arch Linux

1. Identify the Missing Key

First, identify the key ID from the error message. It should look something like this: 0123456789ABCDEF.

2. Fetch the Missing Key

Use the following command to fetch the missing key from a key server. Arch Linux uses pacman-key for key management.

sudo pacman-key --recv-keys 0123456789ABCDEF

3. Sign the Key Locally

After fetching the key, you need to locally sign it to trust the key.

sudo pacman-key --lsign-key 0123456789ABCDEF

4. Update Your System

Finally, update your system to apply the changes.

sudo pacman -Syu

Handling Specific Keyring Files

Some repositories specify their GPG keys directly in their configuration files. Here’s how to handle these cases.

Example: Adding the Arch Linux Keyring

  1. Identify the Key ID

    Find the key ID in the error message. For example, 9DC858229FC7DD38854AE2D88D81803C0EBFCD88.

  2. Fetch the Missing Key

    sudo pacman-key --recv-keys 9DC858229FC7DD38854AE2D88D81803C0EBFCD88

  3. Sign the Key Locally

    sudo pacman-key --lsign-key 9DC858229FC7DD38854AE2D88D81803C0EBFCD88

  4. Update Your System

    sudo pacman -Syu

General Steps for Any Repository with Pinned Keys

For repositories that specify their keys, follow these steps:

  1. Identify the Key ID

    Find the key ID in the error message or repository documentation.

  2. Fetch the Missing Key

    sudo pacman-key --recv-keys <KEY_ID>

  3. Sign the Key Locally

    sudo pacman-key --lsign-key <KEY_ID>

  4. Update Your System

    sudo pacman -Syu

Complete Example: Adding a Custom Repository Key

Suppose you have a custom repository configured like this:

[custom-repo]
Server = https://example.com/arch/$repo/$arch
SigLevel = PackageRequired

  1. Identify the Key ID

    Assume the key ID is 1234567890ABCDEF.

  2. Fetch the Missing Key

    sudo pacman-key --recv-keys 1234567890ABCDEF

  3. Sign the Key Locally

    sudo pacman-key --lsign-key 1234567890ABCDEF

  4. Update Your System

    sudo pacman -Syu

By following these steps, you can resolve the NO_PUBKEY error on your Arch Linux system, ensuring your repositories remain functional and secure.

Conclusion

The NO_PUBKEY error can be frustrating, but it's a critical part of maintaining the security and integrity of your package management on Arch Linux. Regularly updating your GPG keys and following the latest methods will keep your system safe and up-to-date. If you encounter this issue, refer back to this guide for a straightforward solution.