VirtualBox repo public key issue? [solved]

[Kurt3162]

When I hit "Refresh" in the Update Manager, or do sudo apt update, I get an error like this:

Code: Select all

Err:2 https://download.virtualbox.org/virtualbox/debian jammy InRelease                              
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A2F683C52980AECF
...
Hit:9 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [114 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99,8 kB]
Reading package lists... Done         
W: GPG error: https://download.virtualbox.org/virtualbox/debian jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A2F683C52980AECF
E: The repository 'https://download.virtualbox.org/virtualbox/debian jammy InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Now I do have two Oracle keys (fingerprint B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF and 7B0F AB3A 13B9 0743 5925 D9C9 5442 2A4B 98AB 5139) in my keychain, I can see it in my software sources. The first one seems to be the right one, at least half the fingerprint fits. Why/how does it claim to be "not available?"
I even tried to reinstall it, in case it has changed somehow. No luck, I still get the same error.

What is happening, did I miss a turn somewhere? Or is the VirtualBox repo broken?
Does somebody else experience the same problem?

[dkebler]

likely you've run into the new jammy "feature" (ha) which is keys are now stored differently and ubuntu didn't bother to update apt-key or apt-add-repository.

try moving the key. use the showkeys or filterkeys alias to find the key id
To move then use movekey function to move it to the "new" location

$1 use last 8 of id no spaces
$2 any name for file to be created obvisouly something that makes sense. (e.g. virtualbox)

Code: Select all

movekey() { 
 sudo apt-key export $1 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/$2.gpg 
}

alias showkeys="apt-key list"
alias filterkeys="apt-key list | grep -B1

"

alternatively take a look here

https://www.virtualbox.org/wiki/Linux_Downloads

it seems as if oracle has updated the way to handle repos using gpg instead which is the "new" way instead of apt-key.

you may just want to scrub and add the repo again.

[linux-rox]

Notice also the section in the Oracle instructions which begins with "What to do when experiencing The following signatures were invalid ..."

[Kurt3162]

Notice also the section in the Oracle instructions which begins with "What to do when experiencing The following signatures were invalid ..."

I did, and I did follow those instructions, but it didn't change anything.

[Kurt3162]

try moving the key. use the showkeys or filterkeys alias to find the key id
To move then use movekey function to move it to the "new" location

Thanks, I'll try that when I'm back to my Mint box.

[Kurt3162]

Code: Select all

movekey() { 
 sudo apt-key export $1 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/$2.gpg 
}

alias showkeys="apt-key list"
alias filterkeys="apt-key list | grep -B1"

I don't know what this was supposed to do, but it didn't change much.


Is there a way to tell Mint to not look for those fsking signatures till the day they all get their acts together?

I'm security-conscious and understand very well the point of having signatures for repos, but to be of any usefulness that system must actually work! Right now it's a mess where 2/3 of my external repositories throw some kind of error (Oracle, Google), meaning that I generally have to ignore errors, not knowing if that error is due to malice, blunder, or conflicting opinions on how signatures should be handled. Short version: Useless.

[linux-rox]

Not sure it's different from the Oracle procedure, but did you remove the authentication keys in Software Sources then reimport?

And please stop kvetching. We're only users, just like you. FWIW, I've not run into this problem with any repos, so the process isn't broadly broken.

By the way, you can work around the problem in the short term by installing VBox from deb file. There's no signature check for that. You are the check.

[Kurt3162]

did you remove the authentication keys in Software Sources then reimport?

Yes, at least I think so. (I'm not a Linux whizz, just a Windows defector who has been using Mint as his main OS since v.17.)
I deleted them in Software Sources, reimported them manually (from the downloaded key file), but nothing changed, same error message. I also tried the Software Sources' "Add missing keys" feature (in "Maintenance"), same error.

And please stop kvetching. We're only users, just like you.

I'm totally conscious everybody here is a user like me (just usually way more Linux savvy), and it's nobody's fault.
I'm just venting, because I hoped it's a simple problem with a simple solution, and it turns out to be a simple problem with no solution at all. Frustrating, isn't it?

By the way, you can work around the problem in the short term by installing VBox from deb file.

It's already installed, that's not the problem. What I'd like to get back is the Update Manager alerts.
I know, I can visit virtualbox.org every other morning and check myself, but it's a hassle I can do without...

[linux-rox]

I know, I can visit virtualbox.org every other morning and check myself, but it's a hassle I can do without...

No need. There's an update checker built into VBox: File > Preferences > Updates. Also, VBox is a mature app. Very little of significance changes anymore, especially with point releases. Not like your browser, which it's important to keep cutting-edge current.

[Kurt3162]

Thanks!

[JerryF]

The messages we're getting about key signatures is that the file /etc/apt/trusted.gpg will no longer be used to store key signatures.

The command apt-key is being deprecated. There will be a different way to store keys.

Patience will be needed for the transition.

[Kurt3162]

Patience will be needed for the transition.

I see, thanks.

Now I know this is none of my business, but wouldn't it have been more efficient to set up the new method before deprecating the old one? AFAIK(at least) there was nothing fundamentally wrong with how things worked till recently, was there?

Yes, yes, still complaining, but I'm a stickler for efficiency. Sorry.

[Kurt3162]

Update:

After sifting through these forums (search doesn't help), I found a solution which works for me, I got rid of the error message.
Here are the step-by-step instructions for those interested:

1. Download the Oracle (or any other I guess) key file ("oracle_vbox_2016.asc"), using wget or a browser or whatever.
   Open a terminal and type:
2. gpg --no-default-keyring --keyring ./temp-keyring.gpg --import oracle_vbox_2016.asc
   (Importing converts the file into something apt can use.)
3. gpg --no-default-keyring --keyring ./temp-keyring.gpg --export --output oracle-virtualbox-2016.gpg
   (Export the key to a standalone keyfile having the expected name.)
4. rm temp-keyring.gpg
   (Deletes the temp export file)
5. Now copy that new "oracle-virtualbox-2016.gpg" file into /usr/share/keyrings
6. Done!

[kritonios]

Update:

After sifting through these forums (search doesn't help), I found a solution which works for me, I got rid of the error message.
Here are the step-by-step instructions for those interested:

1. Download the Oracle (or any other I guess) key file ("oracle_vbox_2016.asc"), using wget or a browser or whatever.
   Open a terminal and type:
2. gpg --no-default-keyring --keyring ./temp-keyring.gpg --import oracle_vbox_2016.asc
   (Importing converts the file into something apt can use.)
3. gpg --no-default-keyring --keyring ./temp-keyring.gpg --export --output oracle-virtualbox-2016.gpg
   (Export the key to a standalone keyfile having the expected name.)
4. rm temp-keyring.gpg
   (Deletes the temp export file)
5. Now copy that new "oracle-virtualbox-2016.gpg" file into /usr/share/keyrings
6. Done!

Works great. Many thanks for posting it!