
We are using the Sonatype Nexus Repository Manager to host apt repositories. The GPG key of one of them has expired recently and needed to be updated. What I thought would be sufficient was to generate new key pairs (as described in the official site docs), paste the new private key and new passphrase through the Nexus UI, then `apt-key add` the new public key on the client system, and all would be good to go. What happens instead is that `apt update` still says `NO_PUBKEY <old_id>`. I have no idea whatsoever where apt takes the information from now, that it misses the old key and does not "synchronize" the new key. I have also tried to delete the contents of the `/var/lib/apt/lists/` directory before calling `apt update`. What am I missing?

EDIT: Everything is run in a clean Docker, where only the new key is added with `apt-key add public.gpg.key` and the new repository is added to `/etc/apt/sources.list` with `echo "deb <repo_url> bionic main" >> /etc/apt/sources.list`.

Croolman
  • Show us the apt conf, the source conf where you put the repository; mostly, or let's say sometimes, the key has been fixed there – djdomi Jan 05 '22 at 08:54
  • @djdomi I see what you mean. In the `sources.list` nothing is specified for the repository in `[]`. – Croolman Jan 05 '22 at 08:57

1 Answer

I have managed to solve the issue. The Nexus apt repository creates two folders. One is called `metadata` and one is called `packages`. In the `metadata` folder the files `Release`, `InRelease` and `Release.gpg` are created. These are not automatically regenerated when the key is changed in the UI. To force the regeneration of these files, the folder has to be deleted and a package has to be uploaded. This will trigger the regeneration of the `metadata` folder with all the appropriate files in it. After this operation, the keys are working.

Croolman
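
A diagnostic for the situation described in the answer, as an added example that is not part of the original post or of Nexus: it reads the issuer key ID out of `Release.gpg` or `InRelease` text, which is the ID apt prints after `NO_PUBKEY`, so you can see whether the repository metadata was re-signed with the new key. `SAMPLE` and its key ID are constructed, and only v4 signatures are handled.

```python
import base64

def read_len(buf, i, two_octet_max):
    """Decode a new-format length at buf[i]; return (length, next index)."""
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o <= two_octet_max:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def signature_bodies(armored):
    """Yield each v4 signature packet body in Release.gpg or InRelease text."""
    lines = armored.strip().splitlines()
    blank = lines.index("", lines.index("-----BEGIN PGP SIGNATURE-----"))
    b64 = "".join(l for l in lines[blank + 1:] if l[:1] not in ("=", "-"))
    data, i = base64.b64decode(b64), 0
    while i < len(data):
        if data[i] & 0x40:                    # new-format packet header
            tag, (n, i) = data[i] & 0x3F, read_len(data, i + 1, 223)
        else:                                 # old format: 1-, 2- or 4-octet length
            tag, w = (data[i] >> 2) & 0x0F, (1, 2, 4)[data[i] & 3]
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        if tag == 2 and data[i:i + 1] == b"\x04":
            yield data[i:i + n]
        i += n

def signer_key_ids(armored):
    """Return the 64-bit key IDs that the v4 signatures name as issuer."""
    ids = set()
    for body in signature_bodies(armored):
        hlen = int.from_bytes(body[4:6], "big")
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        area, i = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen], 0
        while i < len(area):                  # hashed, then unhashed subpackets
            n, i = read_len(area, i, 254)     # n includes the type octet
            typ, val = area[i] & 0x7F, area[i + 1:i + n]
            if typ == 16:                     # Issuer: 8-byte key ID
                ids.add(val.hex().upper())
            elif typ == 33 and val[0] == 4:   # Issuer Fingerprint of a v4 key
                ids.add(val[-8:].hex().upper())
            i += n
    return ids

# Constructed demo input: valid packet layout, placeholder (unverifiable) signature.
PACKET = bytes.fromhex("881c 04000108 0006 050261d4e000 000a 09100123456789abcdef 00000000")
SAMPLE = "-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(PACKET).decode() + "\n-----END PGP SIGNATURE-----"
```

If the returned set does not contain the ID of the new key, the `metadata` folder still holds files signed before the key change. The issuer field is only what the signature claims; this does not verify the signature.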