Signatures couldn't be verified - public key - Ubuntu 20.04 Focal

[Magicrafter13]

I did see other mentions of this issue, but they seemed to be related to users running an unsupported distro. However, Ubuntu Focal is listed as supported.

curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -

## Installing the NodeSource Node.js 14.x repo...


## Populating apt-get cache...

+ apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
- - -
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
- - -
Hit:6 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:7 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done

## Confirming "focal" is supported...

+ curl -sLf -o /dev/null 'https://deb.nodesource.com/node_14.x/dists/focal/Release'

## Adding the NodeSource signing key to your keyring...

+ curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | tee /usr/share/keyrings/nodesource.gpg >/dev/null
gpg: WARNING: unsafe ownership on homedir '/home/matthew/.local/share/gnupg'

## Creating apt sources list file for the NodeSource Node.js 14.x repo...

+ echo 'deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_14.x focal main' > /etc/apt/sources.list.d/nodesource.list
+ echo 'deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_14.x focal main' >> /etc/apt/sources.list.d/nodesource.list

## Running `apt-get update` for you...

+ apt-get update
Get:1 https://deb.nodesource.com/node_14.x focal InRelease [4,583 B]
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease                                                                                   
- - -
Err:1 https://deb.nodesource.com/node_14.x focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1655A0AB68576280
- - -
Hit:5 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease   
- - -
Hit:7 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:8 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done
W: GPG error: https://deb.nodesource.com/node_14.x focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1655A0AB68576280
E: The repository 'https://deb.nodesource.com/node_14.x focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Error executing command, exiting

Wish Canonical would provide something newer than version 10.x.x...
I had a version that was at least as high as 12 yesterday, and after reinstalling everything I'm not sure how I managed that in the past, I don't recall using nodesource previously, but npm and n were unable to update me to version 14, hoping I have better luck here.

[KoenCa]

I also get this error since today:

W: GPG error: https://deb.nodesource.com jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1655A0AB68576280

Last week it worked fine while building a docker image. I think it is related to this commit from 3 days ago: 1e1ee93

I get this while running the setup for Node 12.x in my dockerfile like this:

RUN curl -fsSL https://deb.nodesource.com/setup_12.x | bash - \
    && apt-get install --yes nodejs

OS is Debian Jessie.

[KoenCa]

I "fixed" it by running the following command before the setup:

curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -

I got this from the manual installation guide.

So in my dockerfile I have it like this now:

RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
RUN curl -fsSL https://deb.nodesource.com/setup_12.x | bash - \
    && apt-get install --yes nodejs

[igsu]

As @KoenCa just mentioned above, in Debian Jessie, which has reached its end-of-life on June 30, 2020, I was able to reproduce this behavior consistently (it was expected also for Ubuntu Trusty Tahr). However, I was not able to consistently reproduce it on Ubuntu Focal Fossa.

Can you give us more information regarding your environment @Magicrafter13?

[bcoughlan]

I encountered this issue due to using a non-default umask (umask 0027) as required by the CIS benchmark standard. This caused /usr/share/keyrings/nodesource.gpg to be written with 640 permissions instead of 644, so only root could read it. So it should be reproducible by running umask 0027 before curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -. After running chmod a+r /usr/share/keyrings/nodesource.gpg apt-get update completed successfully.

[bcoughlan]

^^ Sorry I actually had to sudo su, run umask 0027 and then curl -sL https://deb.nodesource.com/setup_12.x | bash - to reproduce (no sudo -E) so that the child process would inherit the umask value

[1david5]

I got the same error @KoenCa describes while trying to instal LTS version in debian 8. This prevents quiet apt-get install without --force-yes flag because of the warning:

RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && \ sudo apt-get install -y nodejs

W: GPG error: https://deb.nodesource.com jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1655A0AB68576280

[KoenCa]

I "fixed" it by running the following command before the setup:

curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -

I got this from the manual installation guide.

So in my dockerfile I have it like this now:

RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
RUN curl -fsSL https://deb.nodesource.com/setup_12.x | bash - \
    && apt-get install --yes nodejs

I also updated the base image of my dockerfile and now it uses Debian Buster. I removed the line with the fix and it works like normal.

[ShockwaveNN]

Same problem with ubuntu 14.04 (I've know it's EOLed, just as info):

FROM ubuntu:14.04

RUN apt-get -y update && \
    apt-get -y install curl

RUN curl -fsSL https://deb.nodesource.com/setup_14.x | bash - && \
    apt-get -y install nodejs

result:

WARNING: The following packages cannot be authenticated!
  nodejs
E: There are problems and -y was used without --force-yes

And same Dockerfile is fine with 16.04

FROM ubuntu:16.04

RUN apt-get -y update && \
    apt-get -y install curl

RUN curl -fsSL https://deb.nodesource.com/setup_14.x | bash - && \
    apt-get -y install nodejs

[Magicrafter13]

As @KoenCa just mentioned above, in Debian Jessie, which has reached its end-of-life on June 30, 2020, I was able to reproduce this behavior consistently (it was expected also for Ubuntu Trusty Tahr). However, I was not able to consistently reproduce it on Ubuntu Focal Fossa.

Can you give us more information regarding your environment @Magicrafter13?

Any specific information that would help? Despite having the server running for over a year, I can't really think of anything "stand out" about my env.

[Magicrafter13]

I encountered this issue due to using a non-default umask (umask 0027) as required by the CIS benchmark standard. This caused /usr/share/keyrings/nodesource.gpg to be written with 640 permissions instead of 644, so only root could read it. So it should be reproducible by running umask 0027 before curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -. After running chmod a+r /usr/share/keyrings/nodesource.gpg apt-get update completed successfully.

I checked, and the permissions of this file were also 640 for me. I've never touched the umask to my knowledge (I assume that's something I'd have to change in /etc/fstab?), so I'm not sure how it would have been changed (assuming it was changed, which I don't actually know for sure).

Okay, I also figured out how to check my umask, which is 022, so if the file permissions are an issue, there must be a different cause.

[kosala-almeda]

I also had the error with Ubuntu bionic.

Err:5 https://deb.nodesource.com/node_12.x bionic InRelease                   
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1655A0AB68576280
Reading package lists... Done
W: GPG error: https://deb.nodesource.com/node_12.x bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1655A0AB68576280
E: The repository 'https://deb.nodesource.com/node_12.x bionic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Error executing command, exiting

Checked the permissions of /usr/share/keyrings/nodesource.gpg and it was 600. Changing it to 644 fixed the issue.

[ShockwaveNN]

@igsu I'm sorry why this closed without any comments? Issue still actual for me on Ubuntu 14.04

[igsu]

@ShockwaveNN We cannot maintain apt-key as it is scheduled for removal:

https://salsa.debian.org/apt-team/apt/-/commit/ee284d5917d09649b68ff1632d44e892f290c52f
https://salsa.debian.org/apt-team/apt/-/commit/ee284d5917d09649b68ff1632d44e892f290c52f#d1b035cd43f3c2f65d2be57ba185053090491a35_47_48

Maintaining deprecated tools so that our scripts work on distributions that are already EOL like Debian Jessie and Ubuntu 14.04 is not a good practice, that is way we are moving with the procedure recommended by Debian:

https://wiki.debian.org/DebianRepository/UseThirdParty

We are sorry that it does not work on those distributions but it is a must.

You can follow the manual instructions that still work on the aforementioned distributions.

[Magicrafter13]

Okay, but what's the issue for me then, @igsu ? I'm on current LTS, certainly not EOL.

[suntong]

Okay, but what's the issue for me then, @igsu ? I'm on current LTS, certainly not EOL.

Same here,

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic

This problem need to be fix, as it is not the apt-key's problem.

The real fix has been provided by @kosala-almeda:

I also had the error with Ubuntu bionic.

. . .

Checked the permissions of /usr/share/keyrings/nodesource.gpg and it was 600. Changing it to 644 fixed the issue.

So please add a line chmod 644 /usr/share/keyrings/nodesource.gpg into the setup script.

Thanks

[xanoni]

Oh man, the permissions ... that fixed it.

[koloboxer]

I had the same issue on Ubuntu-20.04. Tried to install nodejs 12.x Due to strange root settings on my corporate laptop, the permissions for files

/etc/apt/sources.list.d/nodesource.list
/usr/share/keyrings/nodesource.gpg

were wrong (600). Calling

$ sudo chmod 644 /etc/apt/sources.list.d/nodesource.list
$ sudo chmod 644 /usr/share/keyrings/nodesource.gpg

has solved the problem. Feeling pretty angry that somebody's crooked hands can make our lives really difficult.

[xanoni]

the root umask is probably set to 077 or sth like that

[divedeeep]

i have this issue which resulted from following "sudo curl -fsSL https://deb.nodesource.com/setup_16.x | bash -] dpkg: error processing archive /var/cache/apt/archives/nodejs_16.11.1-deb-1nodesource1_amd64.deb (--unpack):
trying to overwrite '/usr/share/doc/nodejs/api/embedding.json.gz', which is also in package nodejs-doc 12.22.5dfsg-211u1
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
/var/cache/apt/archives/nodejs_16.11.1-deb-1nodesource1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
OS kali linux 15 kindly help

[pat-s]

Just faced the same issue on Ubuntu 20.04.

Solved it by doing the following which is mainly based on the comments above:

curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | tee /usr/share/keyrings/nodesource.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x focal main' > /etc/apt/sources.list.d/nodesource.list
echo 'deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x focal main' >> /etc/apt/sources.list.d/nodesource.list
chmod a+r /usr/share/keyrings/nodesource.gpg
apt update
apt install -y nodejs

[Rudxain]

I have the same problem on Linux Mint 21, but when installing Node 19. Tried chmoding the nodesource.list and gpg files, still get the exact same error.

Note: I have Node16 installed, I don't know if its existence may be causing a conflict in the install. I just want to replace the old version by the new one

[vladhadzhiyski]

Here is a working solution in Dockerfile tested on FROM ubuntu:focal-20220531

Hope this saves someone out there 3-5 hours+ trying to figure out why following the official NodeJS docs doesn't seem to work 🤷 Good luck 🍀

######################################################
# STEP 1) Install prerequisites
######################################################
RUN apt-get update && \
    apt-get install -y ca-certificates curl gnupg

######################################################
# STEP 2) Download and add the NodeSource GPG key to the trusted keyring
######################################################
RUN curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | tee /usr/share/keyrings/nodesource.gpg >/dev/null

######################################################
# STEP 3) Add the NodeSource repository
######################################################
ARG NODE_MAJOR=20  # Set the Node.js version
RUN echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x $(. /etc/os-release; echo "$UBUNTU_CODENAME") main" > /etc/apt/sources.list.d/nodesource.list && \
    echo "deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x $(. /etc/os-release; echo "$UBUNTU_CODENAME") main" >> /etc/apt/sources.list.d/nodesource.list

######################################################
# STEP 4) Update apt and install Node.js
######################################################
RUN apt-get update && apt-get install -y nodejs

[tcgumus]

i solved my node_20x problem with tihs

curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | tee /usr/share/keyrings/nodesource.gpg >/dev/null
echo 'deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x jammy main' >> /etc/apt/sources.list.d/nodesource.list
echo 'deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x jammy main' > /etc/apt/sources.list.d/nodesource.list

then, i can now run apt-get update on my ubuntu 22.04