How to automate installation of missing GPG keys on Linux

I've been working with Linux containers for several years. I am surprised that I wasn't able to find a thread about this question. Scenario:

I've just added a new package index (/etc/sources.list.d/example.list) and want to install a package, let's call it snailmail.

I run the commands:

apt-get update && apt-get install -y snailmail

I get the following error:

W: GPG error: https://example.com/snailmail/debian stable InRelease:
The following signatures couldn't be verified because the public key is not available:
NO_PUBKEY 7EF2A9D5F293ECE4

What is the best way to automate the installation of GPG keys?



Solution 1:[1]

Here's a handy script that can be called during the build process to download and install common GPG keys (from the Ubuntu keyserver):

Prerequisites:

  • wget

for PUBKEY in $(apt-get update 2>&1 | grep NO_PUBKEY | awk '{print $NF}')
do
 wget -q "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${PUBKEY}" -O - | sed -n '/BEGIN/,/END/p' | apt-key add - 2>/dev/null
done

Solution 2:[2]

apt-key now seems to be deprecated. I have created a script that will detect and get the missing keys; you can get it here.

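#!/bin/sh -e
tmp="$(mktemp)"
trap 'rm -f "${tmp}"' EXIT  # remove the temp file even if a step fails
# collect the distinct key ids that apt reports as missing
sudo apt-get update 2>&1 | sed -En 's/.*NO_PUBKEY ([[:xdigit:]]+).*/\1/p' | sort -u > "${tmp}"
# fetch the keys into gpg's default keyring; -r skips the call when no key is missing
xargs -r sudo gpg --keyserver "hkps://keyserver.ubuntu.com:443" --recv-keys < "${tmp}"
# export each key to /etc/apt/trusted.gpg.d/<id>.gpg
xargs -r -L 1 sh -c 'sudo gpg --yes --output "/etc/apt/trusted.gpg.d/$1.gpg" --export "$1"' sh < "${tmp}"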
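
Both scripts above install whatever key id appears in apt's output. As an added example (not code from either answer), the functions below extract every NO_PUBKEY id and let through only those that match a fingerprint pinned in advance. `PINNED_KEYS`, `missing_key_ids`, `resolve_pinned`, the fingerprints, the keyring names and the sample apt output are all constructed for illustration.

```shell
#!/bin/sh
# Added example: only key ids that match a pinned fingerprint may be installed.

# Constructed allowlist: "<40-hex fingerprint> <keyring name>" per line. In real
# use the fingerprints come from the repository vendor over a separate channel.
PINNED_KEYS='AAAABBBBCCCCDDDDEEEEFFFF7EF2A9D5F293ECE4 snailmail
0123456789ABCDEF0123456789ABCDEF01234567 othertool'

# Constructed sample of `apt-get update 2>&1` output: two ids on one line and
# a repeated id on the next.
sample_apt_output() {
    cat <<'EOF'
W: GPG error: https://example.com/snailmail/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EF2A9D5F293ECE4 NO_PUBKEY 1111222233334444
W: GPG error: https://example.com/othertool/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EF2A9D5F293ECE4
EOF
}

# Print each distinct 16-hex key id reported as NO_PUBKEY on stdin. grep -o
# yields every id on a line; taking only the last field would drop all but one.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [[:xdigit:]]+' |
        awk 'length($2) == 16 { print toupper($2) }' | sort -u
}

# Map key ids on stdin to their PINNED_KEYS line. An id is the last 16 hex
# digits of a v4 fingerprint. Unknown ids are reported on stderr and make the
# function return 1 so the calling build step fails closed.
resolve_pinned() {
    unpinned=0
    while read -r id; do
        match=$(printf '%s\n' "$PINNED_KEYS" | awk -v id="$id" \
            'length($1) == 40 && toupper(substr($1, 25)) == id { print; exit }')
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
        else
            printf 'refusing unpinned key id %s\n' "$id" >&2
            unpinned=1
        fi
    done
    return "$unpinned"
}

# Demo on the constructed sample: prints the pinned snailmail entry and
# rejects 1111222233334444.
sample_apt_output | missing_key_ids | resolve_pinned ||
    echo 'unpinned key id reported; nothing should be installed' >&2
```

A build step would then fetch and export by the resolved full fingerprint rather than the 16-hex id, and only when `resolve_pinned` returns 0.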

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Seth Bergman
Solution 2 0000matteo0000