How To Add An APT GPG Key

A common security measure implemented by APT repository maintainers is to sign the packages they distribute. This ensures that the packages you are installing are the authorized and unmodified packages issued by the package maintainers an no one else.

It can be a little confusing how to import the key into APT to install the new package in the first place. Here’s the easy way.

I just had to installed the excellent web log analyzer GoAccesss so I will use it as an example.

The first error was APT telling me that there was no GPG public key on my server for the GoAccess repository:

$ sudo apt update
Get:5 http://deb.goaccess.io buster InRelease [2,336 B]
Err:5 http://deb.goaccess.io buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 97BD1A0133449C3D
Reading package lists... Done
W: GPG error: http://deb.goaccess.io buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 97BD1A0133449C3D
E: The repository 'http://deb.goaccess.io buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Your first step here is to find the public key for the repository. A search for “<PACKAGE> public key” should get you the link you need. The GoAccess public key URL is https://deb.goaccess.io/gnugpg.key

Once you have the line use the following command to import the key:

wget -qO- <URL> | sudo apt-key add -

Here with the GoAccess key URL:

wget -qO- https://deb.goaccess.io/gnugpg.key | sudo apt-key add -

And your done!

You can now apt update and apt install the new package.