Skip to content

Instantly share code, notes, and snippets.

@skarllot

skarllot/README.md

Created February 19, 2026 16:39
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save skarllot/ae01d6bcda50effad2f2a1d2e0e33313 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save skarllot/ae01d6bcda50effad2f2a1d2e0e33313 to your computer and use it in GitHub Desktop.
Download ZIP
Fixing APT GPG Key Errors on Ubuntu / Pop!_OS
Raw
README.md

Fixing APT GPG Key Errors on Ubuntu / Pop!_OS

A practical guide to resolve NO_PUBKEY and EXPKEYSIG errors from Microsoft and Spotify repositories, and fix .NET package conflicts on Ubuntu 22.04 / Pop!_OS.

The Problem

After running sudo apt update, you may see errors like:

W: GPG error: https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease:
   The following signatures couldn't be verified because the public key is not available:
   NO_PUBKEY EB3E94ADBE1229CF

W: GPG error: https://repository.spotify.com stable InRelease:
   The following signatures were invalid: EXPKEYSIG C85668DF69375001
   The following signatures couldn't be verified because the public key is not available:
   NO_PUBKEY 5384CE82BA52C83A

E: The repository '...' is not signed.

These happen because GPG keys expire or are rotated by repository maintainers, and because sources.list entries use a signed-by= path that points to a keyring file that is missing or outdated.

Fix 1 — Spotify

Spotify rotated its signing keys. Import the latest one:

curl -sS https://download.spotify.com/debian/pubkey_5384CE82BA52C83A.gpg \
  | sudo gpg --dearmor --yes -o /etc/apt/trusted.gpg.d/spotify-2025.gpg

sudo chmod 644 /etc/apt/trusted.gpg.d/spotify-2025.gpg

If the URL returns a 404, fall back to a keyserver:

sudo gpg --no-default-keyring \
  --keyring /tmp/spotify-new.gpg \
  --keyserver hkp://keyserver.ubuntu.com:80 \
  --recv-keys 5384CE82BA52C83A \
  && sudo cp /tmp/spotify-new.gpg /etc/apt/trusted.gpg.d/spotify-2025.gpg \
  && sudo chmod 644 /etc/apt/trusted.gpg.d/spotify-2025.gpg

Fix 2 — Microsoft Repositories

Step 1 — Identify the signed-by path used by each repository

cat /etc/apt/sources.list.d/*.list | grep microsoft
cat /etc/apt/sources.list.d/*.sources 2>/dev/null | grep -A5 microsoft

You may find different paths, for example:

  • /usr/share/keyrings/microsoft-prod.gpg (used by microsoft-prod.list)
  • /usr/share/keyrings/microsoft.gpg (used by vscode.sources)

Step 2 — Import the key from the keyserver into a temporary keybox

sudo gpg --no-default-keyring \
  --keyring /tmp/ms-new.gpg \
  --keyserver hkp://keyserver.ubuntu.com:80 \
  --recv-keys EB3E94ADBE1229CF

Step 3 — Export to the exact paths required by signed-by

sudo gpg --no-default-keyring \
  --keyring /tmp/ms-new.gpg \
  --export EB3E94ADBE1229CF \
  | sudo tee /usr/share/keyrings/microsoft-prod.gpg > /dev/null

# If vscode.sources points to a different file, copy it there too
sudo cp /usr/share/keyrings/microsoft-prod.gpg /usr/share/keyrings/microsoft.gpg

sudo chmod 644 /usr/share/keyrings/microsoft-prod.gpg /usr/share/keyrings/microsoft.gpg

Key insight: placing the key in /etc/apt/trusted.gpg.d/ will NOT work when the sources.list entry uses signed-by=. The key must be placed at the exact path specified in signed-by.

Step 4 — Clean up any leftover invalid keyring files

The gpg --no-default-keyring --keyring command creates a keybox format file (.kbx), which apt cannot read. If you accidentally copied such a file to trusted.gpg.d, remove it:

sudo rm -f /etc/apt/trusted.gpg.d/microsoft-eb3e.gpg

Fix 3 — .NET Package Conflicts

The conflict

If you have both the Microsoft ubuntu/22.04/prod repository and the ppa:dotnet/backports PPA enabled at the same time, apt upgrade may fail with:

dotnet-host-8.0 : Conflicts: dotnet-host
netstandard-targeting-pack-2.1-8.0 : Conflicts: netstandard-targeting-pack-2.1

This happens because the Microsoft repository ships generic unversioned packages (dotnet-host, netstandard-targeting-pack-2.1) that conflict with the versioned packages installed from Ubuntu / the PPA.

Which repository provides what

Version packages.microsoft.com/ubuntu/22.04/prod ppa:dotnet/backports Ubuntu repos
.NET 6
.NET 8
.NET 9
.NET 10

Solution

Since Ubuntu already ships .NET 6 and 8, and the PPA covers .NET 9 and 10, the Microsoft ubuntu/22.04/prod repository is redundant and conflicting. Disable it without deleting it:

# The .list format does not support "Enabled: no", so rename the extension
sudo mv /etc/apt/sources.list.d/microsoft-prod.list \
        /etc/apt/sources.list.d/microsoft-prod.list.disabled

To re-enable it later:

sudo mv /etc/apt/sources.list.d/microsoft-prod.list.disabled \
        /etc/apt/sources.list.d/microsoft-prod.list

Note: If your sources file uses the newer DEB822 format (.sources extension), you can instead add Enabled: no as a field inside the file — no renaming needed.

Final Verification

sudo apt update 2>&1 | grep -E "Err|GPG|NO_PUBKEY"
sudo apt upgrade

A clean run should show only Hit: and Get: lines with no GPG warnings or errors.

Installing .NET versions via the PPA

# .NET 9
sudo apt install dotnet-sdk-9.0

# .NET 10
sudo apt install dotnet-sdk-10.0

Summary of Key Concepts

  • signed-by= in sources overrides trusted.gpg.d/ — always place the key at the exact path specified.
  • gpg --keyring creates a keybox (.kbx) — not readable by apt. Always export with --export | tee to produce a proper binary keyring.
  • .list format has no Enabled: no — rename the file extension to disable without deleting.
  • .sources (DEB822) format supports Enabled: no — add it as a field inside the file.
  • Conflicting .NET sources — stick to one source per version to avoid unresolvable dependency conflicts.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment