Ever bugged by Ubuntu GPG error during updates?

Ubuntu lets you define several software repos in individual files under the /etc/apt/sources.list.d directory. Likewise, one may create a file (e.g varnish-cache.list) with the following content to add the Varnish software repo:

deb https://repo.varnish-cache.org/ubuntu/ trusty varnish-4.1

Upon executing apt-get update Ubuntu will update the software repository lists including that of Varnish. One hiccup that may occur during the update is an error that complains as follows:

W: GPG error: https://repo.varnish-cache.org trusty InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 60E7C096C4DEFFEB

The error says that GPG cannot find the public key “60E7C096C4DEFFEB”.

GPG is used to sign packages found on the software repository lists. A private key is used in the signing process. A public key helps to verify whether the package requested has been signed by the corresponding private key. Hence, the public key of Varnish helps to make sure that the requested package is signed by Varnish itself and not someone else. This establishes authenticity.

Apt-key is a utility that retrieves a public key from a keyserver. We, therefore, request the public key of Varnish software as follows:

apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 60E7C096C4DEFFEB

The command produces the following result:

gpg: requesting key C4DEFFEB from hkp server keyserver.ubuntu.com
gpg: key C4DEFFEB: public key “varnish-cache.org repository key sysadmin@varnish-software.com” imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

The public key is imported and will be used for signature verification during updates.