203

I'm using an unsigned repo in Ubuntu 16.04 from Debian multimedia:

deb http://www.deb-multimedia.org jessie main

To install deb-multimedia-keyring, I'm running:

apt-get update && apt-get install deb-multimedia-keyring -y

This gives an error:

W: GPG error: http://www.deb-multimedia.org jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5C808C2B65558117
E: The repository 'http://www.deb-multimedia.org jessie InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Eliah Kagan
  • 119,640
Shan
  • 2,143

8 Answers

221

You can set options in your sources.list (located at /etc/apt/sources.list):

deb [trusted=yes] http://www.deb-multimedia.org jessie main

The trusted option is what turns off the GPG check. See man 5 sources.list for details.

You can either edit the file within the terminal with vim (or whatever you prefer) or any non-terminal editor like gedit.

brasofilo
  • 192
118

You can bypass some important safeguards by using the following option:

--allow-unauthenticated

From the man pages for apt-get:

--allow-unauthenticated
    Ignore if packages can't be authenticated and don't prompt about
    it. This can be useful while working with local repositories, but
    is a huge security risk if data authenticity isn't ensured in
    another way by the user itself. The usage of the Trusted option for
    sources.list(5) entries should usually be preferred over this
    global override. Configuration Item:
    APT::Get::AllowUnauthenticated.

But be a little cautious about using this option more widely; the safeguards are in place to protect your computer, not limit your freedom...

Edit

From newer versions of Ubuntu, instead of --allow-unauthenticated, --allow-insecure-repositories can be used.

In order to perform an update, the command would be this:

sudo apt-get update --allow-insecure-repositories
andrew.46
  • 39,359
15

Another generic solution would be

sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 5C808C2B65558117

Note: I didn't test the solution with this repository but I did it with Skype repository and it worked just fine.

Another solution specific to your case is to install the keys

wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2012.05.05_all.deb -O deb-multimedia-keyring.deb
sudo dpkg -i deb-multimedia-keyring.deb

As described in the full walk through: How To Install The Debian Multimedia Repository On Debian Operating Systems

sotirov
  • 4,379
9

If you are trying to get a package from a repository where they packaged the keys and include them within the repository and nowhere else, it can be very annoying to download and install the key/keyring package using dpkg, and very difficult to do so in an easily scriptable and repeatable manner.

The below script is not recommended if you can install the keys from a keyserver (as recommended in another answer using apt-key adv) or if you can download them from a trusted source via https and install using apt-key (e.g. wget -qO- https://trusted.key.site/my-trusted-key.gpg | sudo apt-key add -), but if you don't have ANY other way, you can use this.

echo "deb http://your.repo.domain/repository/ $(lsb_release -c -s) universe" | sudo tee /etc/apt/sources.list.d/your-repo-name.list

sudo apt -o Acquire::AllowInsecureRepositories=true \
-o Acquire::AllowDowngradeToInsecureRepositories=true \
update

## if the 'apt update' above fails it is likely due to previously
## having the GPG key and repository on the system, you can clean
## out the old lists with `sudo rm /var/lib/apt/lists/your.repo.domain*`

sudo apt-get -o APT::Get::AllowUnauthenticated=true install repo-keyring-pkgname

## If you ever run `sudo apt-key del your-repos-keyID`
## you may have to `sudo apt remove --purge repo-keyring-pkgname`
## Update should run without the GPG warnings now that the key is installed

sudo apt-get update
sudo apt-get install somepkg-from-repo

I originally put this together because i3 in their sur5r repo does this, but then I found out their keys are in the keyserver.ubuntu.com list, so I can just sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E3CA1A89941C42E6 and avoid all the extra package hassles.

derHugo
  • 3,376
dragon788
  • 1,716
6

You can get the PUBLIC_KEY from the keyserver and add it into apt-key. Assuming the keyserver is pgpkeys.mit.edu, you first need to type in:

gpg --keyserver pgpkeys.mit.edu --recv-key KEY_IN_ERROR
gpg -a --export KEY_IN_ERROR | sudo apt-key add -

Replace the key KEY_IN_ERROR with the one in your error message, i.e. 5C808C2B65558117.

Also, if you are really interested in adding an unsigned repository, you can add a flag in the desired repository entry in the sources.list like this:

deb [allow-insecure=yes] http://www.deb-multimedia.org jessie main

This is really useful if you want to fine-tune your security settings for individual entries.
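
The [trusted=yes] and [allow-insecure=yes] entries shown in the answers above, and the Acquire::AllowInsecureRepositories / APT::Get::AllowUnauthenticated settings, stay in effect once written to disk, so it is worth checking which sources on a machine still carry them. The following is an added example, not code from any of the answers; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: flag APT settings that switch off repository signature checks.

# Report one-line-format sources.list entries carrying a weakening option.
# Prints "file:line: option" per hit; returns 1 if anything was found.
# Assumption: yes/true/on/1 are the boolean spellings treated as enabled.
audit_apt_sources() {
    awk '
        /^[ \t]*deb(-src)?[ \t]+\[/ {        # active entries with [options]
            s = index($0, "["); e = index($0, "]")
            if (e <= s) next                  # malformed: no closing bracket
            n = split(substr($0, s + 1, e - s - 1), kv, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^(trusted|allow-insecure|allow-weak|allow-downgrade-to-insecure)=(yes|true|on|1)$/) {
                    printf "%s:%d: %s\n", FILENAME, FNR, kv[i]
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Report apt.conf lines that persist the -o overrides used on this page.
# Only the flat "Scope::Item value;" form is matched, not nested blocks.
audit_apt_conf() {
    if grep -HnE '(Acquire::AllowInsecureRepositories|Acquire::AllowDowngradeToInsecureRepositories|APT::Get::AllowUnauthenticated)[[:space:]]+"(true|yes|1)"' "$@"; then
        return 1
    fi
    return 0
}

# Constructed sample: two entries quoted on this page, one normal entry,
# and one commented-out entry that must not be reported.
write_sample_sources() {
    cat > "$1" <<'EOF'
deb http://archive.ubuntu.com/ubuntu xenial main
deb [trusted=yes] http://www.deb-multimedia.org jessie main
# deb [trusted=yes] http://repo.example.invalid/debian stable main
deb [arch=amd64 allow-insecure=yes] http://www.deb-multimedia.org jessie main
EOF
}

demo_dir=$(mktemp -d)
write_sample_sources "$demo_dir/sources.list"
audit_apt_sources "$demo_dir/sources.list" || echo "signature checks weakened"
rm -rf "$demo_dir"
```

On a real system, pass /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to audit_apt_sources, and the files under /etc/apt/apt.conf.d/ to audit_apt_conf.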

6

N: See apt-secure(8) manpage for repository creation and user configuration details.

answer:

  1. ls /etc/apt/sources.list.d

next try removing them using

  2. sudo rm -i /etc/apt/sources.list.d/{output of 1}

do it for each

eg: sudo rm -i /etc/apt/sources.list.d/wireshark-dev-ubuntu-stable-focal.list

then try

  3. sudo apt update

:)

Dumb da
  • 61
6

This is somewhat duplicating an existing answer but --allow-insecure-repositories and --allow-unauthenticated only worked in certain combinations. Here for example with the insecure deadsnakes repository:

sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update --allow-insecure-repositories
sudo apt-get install 'python3.9*' --allow-unauthenticated
xjcl
  • 653
2

This is kind of late to the table, but I only ran into this yesterday. Upon installing from the .iso for 18.04 LTS, obtained from ubuntu.com, I encountered this issue and also, ifconfig and other network tools were not installed. Wifi did not work.

This was on a Lenovo X140e laptop, the kind that is preloaded with Windows and given to someone who completes a computer course.

I reinstalled a few times without better results, perhaps because the definition of insanity applies. I then put 16.04 LTS on a stick and installed that. I had to fool around with BIOS settings to install. Interestingly, network apps were installed and wifi found connections. I got the same message (repository is unsigned, etc.) at first from Software Updater, but then it told me there was a new release and asked me, did I want it.

I gave it a try and now everything works in 18.04. Make of that what you will. I would like to add that none of the other answers on this page worked. That is why I contribute this "solution."

Wastrel
  • 201