10

I'm trying to follow the installation instructions for Debian provided on the Docker website. Unfortunately, adding a GPG key fails for me:

```
$ curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

I've tried to download the key and add it from the local file system, but the effect is the same:

```
$ apt-key add docker.gpg
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

The same happens for other keys, e.g. VirtualBox:

```
$ apt-key add oracle_vbox_2016.asc
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

The keys look fine:

```
$ cat docker.gpg

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
[...]
jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
=0YYhg
-----END PGP PUBLIC KEY BLOCK-----
```

```
$ shasum docker.gpg
f5b5bd1487cefc0c53c947e11ca202e86b33dbad  docker.gpg
```

```
$ gpg --list-packets docker.gpg
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
    version 4, algo 1, created 1487788586, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 8D81803C0EBFCD88
# off=528 ctb=b4 tag=13 hlen=2 plen=43
:user ID packet: "Docker Release (CE deb) <docker@docker.com>"
# off=573 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid 8D81803C0EBFCD88
    version 4, created 1487792064, md5len 0, sigclass 0x13
    digest algo 10, begin of digest b2 c9
    hashed subpkt 2 len 4 (sig created 2017-02-22)
    hashed subpkt 27 len 1 (key flags: 2F)
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    subpkt 16 len 8 (issuer key ID 8D81803C0EBFCD88)
    data: [4094 bits]
# off=1143 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
    version 4, algo 1, created 1487788586, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 7EA0A9C3F273FCD8
# off=1671 ctb=89 tag=2 hlen=3 plen=1086
:signature packet: algo 1, keyid 8D81803C0EBFCD88
    version 4, created 1487788586, md5len 0, sigclass 0x18
    digest algo 8, begin of digest f2 b8
    hashed subpkt 2 len 4 (sig created 2017-02-22)
    hashed subpkt 27 len 1 (key flags: 02)
    subpkt 16 len 8 (issuer key ID 8D81803C0EBFCD88)
    subpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo 8)
    data: [4095 bits]
```

Am I doing something wrong? What steps should I take to troubleshoot it further?

I'm on Debian Stretch. I don't have any firewall. I've tried it on several networks.

Tad Lispy
  • Do you have a proxy in front of the machine you're executing the command on? What command did you run to import from the local file system, what's the `shasum` of the key? Is `gpg --list-packets ` or `curl ... | gpg --list-packets` also printing an error message? – Jens Erat May 23 '17 at 16:44
  • @JensErat thanks for your attention. I've updated the question with the info you suggested. – Tad Lispy May 24 '17 at 06:56
  • Update: the problem doesn't seem related to Docker. Seems like I can't `apt-key add` any key. – Tad Lispy May 24 '17 at 17:12
  • Just to be sure, you're doing this as root? (Your prompt is `$` which is traditionally "non-root account", as opposed to `#`, which is "root prompt", but people don't always keep to the traditions.) – Tollef Fog Heen May 27 '17 at 20:21
  • Hello @TollefFogHeen. Yes, I'm doing it as root (with `sudo -i`). I respect your point, but frankly find the `#` for root convention a little bit confusing, because `#` in shell begins a comment. Also in this particular case the output from the `gpg` command contains a few lines starting with `#` so it would be additionally confusing. – Tad Lispy May 27 '17 at 21:13
  • The key is totally fine as `gpg --list-packets` and also the SHA1 sum propose, and I can import this very key without any issues. I guess there is some issue with `apt`'s key database or GnuPG on your machine. – Jens Erat Jun 02 '17 at 19:38
  • @JensErat you are most likely right. I've downgraded to Ubuntu Gnome 17.04 and my problems are gone. So this question will probably remain a mystery forever :) – Tad Lispy Jun 07 '17 at 08:50

3 Answers

8

Just removing `/etc/apt/trusted.gpg` solves the problem. This is not harmful. All Debian keys are stored in `/etc/apt/trusted.gpg.d`.

This trusted.gpg file is created by software-properties-gtk (for storing other repo keys, I guess) and it doesn't fit with apt on Debian Stretch.

Ref: https://readlist.com/lists/lists.debian.org/debian-user/77/388463.html

peacerebel
  • `/etc/apt/trusted.gpg: No such file or directory` - [WSL Debian](https://www.microsoft.com/en-ca/p/debian/9msvkqc78pk6) – SIGSTACKFAULT Jul 03 '19 at 14:11

2

My answer is way too late, but since I had the same problem and I finally managed to solve it, here is the solution.

The symptoms: my apt-get was always refusing to update, because the keys could not be checked. Apt-key always refused to add new keys (saying there was no key to add when reading the key from gpg), so I was stuck.

It was in fact the file `/etc/apt/trusted.gpg` that got corrupted. After making a backup copy of this file, I re-imported the Debian signing keys into gpg: 8B48AD6246925553, etc. (see https://ftp-master.debian.org/keys.html):

```
gpg --keyserver keyring.debian.org --recv-keys 8B48AD6246925553
```

Then I deleted the file `trusted.gpg` and used gpg to export the keys into `/etc/apt/trusted.gpg`:

```
gpg --export 8B48AD6246925553 >> trusted.gpg
```

Do it for each key, and apt-get works again!!

Mathias

mathias
  • Hey, Matthias! Thanks. I can't test your solution as I've since reinstalled the OS, but +1 anyway. Maybe someone else will benefit from your answer. – Tad Lispy Jun 29 '17 at 06:48
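
Both answers above point at a damaged `/etc/apt/trusted.gpg`. As an added example (not part of the original posts), this Python sketch walks the OpenPGP packet headers of a binary keyring the way `gpg --list-packets` reports them, so a truncated or non-keyring file can be identified before anything is deleted. The function names and the zero-filled sample are assumptions made for illustration; ASCII-armored files are not handled and are reported as corrupt.

```python
def parse_header(data, off):
    """Decode one packet header (RFC 4880, 4.2) at `off`; return (tag, hlen, plen)."""
    ctb, rest = data[off], data[off + 1:off + 6]
    if not ctb & 0x80:
        raise ValueError(f"off={off}: {ctb:#04x} is not a packet header")
    if ctb & 0x40:                       # new format: tag in bits 5-0
        tag, first = ctb & 0x3F, rest[0] if rest else 0
        if 224 <= first < 255:
            raise ValueError(f"off={off}: partial body length in a keyring")
        n = 1 if first < 192 else 2 if first < 224 else 5
    else:                                # old format: tag in bits 5-2
        tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)  # 1, 2 or 4 length octets
        if ctb & 0x03 == 3:
            raise ValueError(f"off={off}: indeterminate length")
    if len(rest) < n:
        raise ValueError(f"off={off}: truncated packet header")
    if ctb & 0x40 and n == 2:            # new-format two-octet length
        plen = ((rest[0] - 192) << 8) + rest[1] + 192
    else:                                # plain big-endian length
        plen = int.from_bytes(rest[1:5] if n == 5 else rest[:n], "big")
    return tag, 1 + n, plen

def walk_packets(data):
    """Return [(off, ctb, tag, hlen, plen)]; raise ValueError if malformed."""
    packets, off = [], 0
    while off < len(data):
        tag, hlen, plen = parse_header(data, off)
        if off + hlen + plen > len(data):
            raise ValueError(f"off={off}: packet body runs past end of file")
        packets.append((off, data[off], tag, hlen, plen))
        off += hlen + plen
    return packets

def check_keyring(data):
    """Return 'ok' or 'corrupt: <reason>' for the bytes of a binary keyring."""
    try:
        packets = walk_packets(data)
    except ValueError as exc:
        return f"corrupt: {exc}"
    if not packets or packets[0][2] != 6:
        return "corrupt: does not start with a public key packet (tag 6)"
    return "ok"

# Constructed sample: zero-filled bodies under the ctb/plen values that
# `gpg --list-packets docker.gpg` printed in the question.
SAMPLE = b"".join(bytes([c]) + n.to_bytes(1 << (c & 3), "big") + bytes(n) for c, n in
                  [(0x99, 525), (0xB4, 43), (0x89, 567), (0xB9, 525), (0x89, 1086)])

print(check_keyring(SAMPLE), "|", check_keyring(SAMPLE[:-100]))
```

To check a real file, pass its bytes, for example `check_keyring(open("/etc/apt/trusted.gpg", "rb").read())`, and do the same for each file in `/etc/apt/trusted.gpg.d`.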
0

I used peacerebel's idea (above),

then (to start fresh and backup originals -- just in case) I moved everything from /etc/apt/trusted.gpg.d to a folder I called "disabled" like so:

```
root@****:/etc/apt/trusted.gpg.d# mkdir disabled
root@****:/etc/apt/trusted.gpg.d# mv debian-archive* disabled
```

Then I put all the commands in a row. It seems the OpenPGP error, "Total number processed: 0" and "gpg: WARNING: nothing exported" don't mean anything in this scenario:

```
root@****:/etc/apt# gpg --keyserver keyring.debian.org --recv-keys EF0F382A1A7B6500 | gpg --export EF0F382A1A7B6500  >> trusted.gpg
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

root@****:/etc/apt# gpg --keyserver keyring.debian.org --recv-keys 7638D0442B90D010 | gpg --export 7638D0442B90D010 >> trusted.gpg
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

root@****:/etc/apt# gpg --keyserver keyring.debian.org --recv-keys 8B48AD6246925553 | gpg --export 8B48AD6246925553 >> trusted.gpg
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

root@****:/etc/apt# gpg --update-trustdb
gpg: no ultimately trusted keys found
```

(I don't know if gpg --update-trustdb is required, but that's what I did. results may vary)

```
root@****:/etc/apt# apt-get update
Ign:1 https://mirror.****.****.***/debian stretch InRelease
Hit:2 https://mirror.****.****.***/debian stretch Release
```

I hope this helps someone. After doing 2 installs over 2 nights, it seems this problem with the keys happens if during the install phase you choose not to use the online repository/update mechanism.

Patrick Mevzek
Alex