11

When running sudo apt update, I am presented with the following error:

```
Err:4 https://apt.releases.hashicorp.com focal InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA16FCBCA621E701
```

How can I fix this?

MacroMan
  • 1
    SO is a programming Q&A platform and this question is not about programming. Vagrant specifically is off topic. Questions about operating systems, their utilities, networking and hardware, are off topic here. [What topics can I ask about here?](https://stackoverflow.com/help/on-topic). Please delete this and ask, instead, on https://superuser.com/ – Rob Feb 07 '23 at 14:33
  • The official instructions to update the public gpg key (incl. "verifying" the fingerprint) can be found here: https://www.hashicorp.com/official-packaging-guide – R Yoda Feb 13 '23 at 11:09

3 Answers

11

Remove the existing Hashicorp files under /etc/apt/sources.list.d/ and then follow the official guide:

```bash
sudo -s
wget -O- https://apt.releases.hashicorp.com/gpg |
    gpg --dearmor > /usr/share/keyrings/hashicorp-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" > /etc/apt/sources.list.d/hashicorp.list
apt update
```
rubo77
jpsecher
0

The GPG key is outdated or missing.

Run this code to remove the outdated key:

```bash
sudo rm /usr/share/keyrings/hashicorp-archive-keyring.gpg
```

And this to obtain the current key:

```bash
curl https://apt.releases.hashicorp.com/gpg | gpg --dearmor > /usr/share/keyrings/hashicorp-archive-keyring.gpg
```

I had to run that last one under root (`sudo -s`), as I couldn't get sudo to play ball with the pipe character. Not really sure why.

MacroMan
  • `curl https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg` takes care of the piping, but does not fix the overall problem – jpsecher Feb 07 '23 at 08:59
0

So the problem is with the sources.list file being used. Ultimately it links to a keyring, which doesn't contain key AA16FCBCA621E701.

In my case this was the file /etc/apt/sources.list.d/hashicorp.list

```
deb [arch=amd64 signed-by=/usr/share/keyrings/terraform-archive-keyring.gpg] https://apt.releases.hashicorp.com jammy main
```

The above notes (thank you MacroMan) led me to this, which creates a new, valid hashicorp-archive-keyring.gpg (his original instructions don't work unless you're running as su - root, which I never do):

```bash
curl https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
```

With the new keyring, edit the above file to replace terraform-archive-keyring.gpg with hashicorp-archive-keyring.gpg and sudo apt-get update should run without errors.

Alternatively (I didn't run this, but someone might find it useful, as it recreates the sources.list using sudo tee, so doesn't need to be run as root, as > does):

```bash
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
```
sibaz
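
The last answer traces the error to a source entry whose `signed-by` keyring does not hold the key apt names. The script below is an added example, not code from any of the answers or from HashiCorp, that checks exactly that without changing anything. The function names are hypothetical, the colon listing is a constructed sample, and `check_source` assumes gpg 2.2 or later for `--show-keys`.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical helpers, not part of apt or gpg.

# Print the keyring path from a "deb [... signed-by=PATH ...] URL SUITE COMP" line.
signed_by_path() {
    printf '%s\n' "$1" | sed -n 's/.*\[[^]]*signed-by=\([^] ]*\).*/\1/p'
}

# Read `gpg --with-colons` output on stdin; succeed if a primary key (pub) or
# subkey (sub) record has the given 16-hex-digit key ID in field 5.
has_keyid() {
    awk -F: -v id="$1" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == toupper(id) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Report, for each deb line in a sources file, whether its keyring holds the key.
# Assumes gpg >= 2.2 (--show-keys); only reads files, changes nothing.
check_source() {
    local list="$1" keyid="$2" line ring
    while IFS= read -r line; do
        case "$line" in deb\ *) ;; *) continue ;; esac
        ring=$(signed_by_path "$line")
        if [ -z "$ring" ]; then
            echo "NO signed-by: $line"
        elif [ ! -r "$ring" ]; then
            echo "MISSING $ring"
        elif gpg --show-keys --with-colons "$ring" 2>/dev/null | has_keyid "$keyid"; then
            echo "OK $ring contains $keyid"
        else
            echo "NO KEY $ring lacks $keyid"
        fi
    done < "$list"
}

# Constructed sample of a colon listing (not real gpg output for this repository).
SAMPLE_COLONS='pub:-:4096:1:AA16FCBCA621E701:1672531200:::-:::scESC::::::23::0:
uid:-::::1672531200::::Example Signing Key <security@example.invalid>::::::::::0:'

# On the affected host:
#   check_source /etc/apt/sources.list.d/hashicorp.list AA16FCBCA621E701
```

A `NO KEY` or `MISSING` line points at the keyring file to replace or the `signed-by` path to correct before running `apt update` again.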