MicromOne: How to Fix GPG Key Error in Kali Linux


How to Fix GPG Key Error in Kali Linux

When you run sudo apt update on Kali Linux (or any APT-based system), you may sometimes see a GPG key error such as:

NO_PUBKEY ED65462EC8D5E4C5

This error means that APT is unable to verify a repository because it lacks the proper public GPG key. In this article, I'll explain why these errors occur, and walk you through two methods (legacy and modern) to fix them. I’ll also include a bash script to automate the process and tips to avoid future issues.

Why GPG Key Errors Happen

APT uses GPG (GNU Privacy Guard) keys to ensure that packages and metadata come from authentic, untampered sources. When you run apt update, APT fetches the InRelease or Release file (signed by the repository) and verifies it using the corresponding public key. If APT doesn’t have that key, the verification fails, and you’ll get an error.

Common causes include:

  • Missing repository key: You added a new repository but didn’t import its public key.

  • Key expiration or rotation: GPG keys expire or are replaced over time.

  • Key revocation or replacement: The maintainers may revoke or change keys (e.g. if a private key is lost or compromised).

In Kali’s case, in 2025, the project lost access to its old signing key and introduced a new one. Systems that hadn’t imported the new key began showing GPG errors. 

Method 1: Legacy Fix Using apt-key (Deprecated)

⚠️ Note: apt-key is deprecated and may be removed in the future. It adds keys to a global trust store, so every key added this way is trusted for all configured repositories, which is less secure. It may still work on some systems for now.

  1. Identify the missing key’s ID from the error message (e.g. ED65462EC8D5E4C5).

  2. Use one of these commands:

    • Fetch from a keyserver:

      sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ED65462EC8D5E4C5
      
    • Download and install the key directly:

      wget -q -O - https://archive.kali.org/archive-key.asc | sudo apt-key add -
      
  3. Verify that the key has been added:

    sudo apt-key list
    
  4. Re-run:

    sudo apt update
    

If everything succeeds, the GPG error should be gone. 

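Method 2: Modern Approach (Recommended)

This method avoids apt-key. Instead, you place the key file directly in a keyring location (e.g. /usr/share/keyrings/ or /etc/apt/trusted.gpg.d/), and optionally tie it to a specific repository using signed-by. Keys in /etc/apt/trusted.gpg.d/ are still trusted for every repository; only signed-by limits a key to a single source.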

Method 2A: Install the Official Keyring File

  1. Download the new keyring and place it in /usr/share/keyrings/:

    sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
    
  2. (Optional) Verify the key’s content:

    gpg --no-default-keyring --keyring /usr/share/keyrings/kali-archive-keyring.gpg -k
    
  3. Run:

    sudo apt update
    

APT should now trust the Kali repository, because it finds the new key in the keyring location. 

Method 2B: Use GPG and Keyservers Manually

  1. Ensure gnupg is installed.

  2. Fetch the key:

    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys ED65462EC8D5E4C5
    
  3. Export and install it for APT:

    gpg --export --armor ED65462EC8D5E4C5 | sudo tee /etc/apt/trusted.gpg.d/kali-2025.asc > /dev/null
    
  4. Update APT:

    sudo apt update
    

You can also verify the fingerprint before or after importing to ensure integrity. 
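The check below is an added example, not part of the original article: it requires a full 40-digit primary-key fingerprint in the output of the `gpg --with-colons -k` listing used on this page, and rejects a 16-digit key ID such as the one in a NO_PUBKEY message. The function name `keyring_has_fpr` and all fingerprints in the sample are constructed; the real fingerprint has to come from the repository maintainers' own announcement.

```sh
# Added example: require a FULL primary-key fingerprint, not a 16-digit ID.
# Assumes OpenPGP v4 keys (40 hex digits). All key material is constructed.

# Constructed sample of `gpg --with-colons -k` output for a keyring that
# holds two keys; the second one has an encryption subkey.
SAMPLE_LISTING='pub:-:4096:1:1111222233334444:1330000000:::-:::scSC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1330000000::::Old Example Key <old@example.invalid>::::::::::0:
pub:-:4096:1:89ABCDEF01234567:1740000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1740000000::::New Example Key <new@example.invalid>::::::::::0:
sub:-:4096:1:7654321076543210:1740000000::::::e::::::23:
fpr:::::::::7654321076543210765432107654321076543210:'

# keyring_has_fpr EXPECTED < listing
# 0 = a primary key has exactly this fingerprint, 1 = none does,
# 2 = EXPECTED is not a full fingerprint (for example a key ID).
keyring_has_fpr() {
  # Accept the spaced, lower-case form often shown on web pages
  want=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
  if [ "${#want}" -ne 40 ]; then
    echo "expected 40 hex digits, got ${#want}" >&2
    return 2
  fi
  case $want in
    *[!0-9A-F]*) echo "not hexadecimal: $1" >&2; return 2 ;;
  esac
  # Only the fpr record directly after a pub record describes a primary key.
  # Appending "" forces a string comparison even for all-digit fingerprints.
  awk -F: -v want="$want" '
    $1 == "fpr" && prev == "pub" && ($10 "") == (want "") { found = 1 }
    { prev = $1 }
    END { exit(found ? 0 : 1) }'
}

if printf '%s\n' "$SAMPLE_LISTING" |
   keyring_has_fpr "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"
then echo "fingerprint present"
else echo "fingerprint NOT present"
fi
```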

Automating the Fix with a Bash Script

Here’s a convenient bash script that:

  • Downloads the new Kali keyring

  • Verifies its fingerprint

  • Installs it in the proper location

  • Runs apt update

#!/usr/bin/env bash
# fix-kali-key.sh – Script to resolve missing GPG signing key issues

set -e
KEYFILE="/usr/share/keyrings/kali-archive-keyring.gpg"
KEYURL="https://archive.kali.org/archive-keyring.gpg"
# Last 16 characters of expected fingerprint. The suffix match below also
# accepts the full 40-character fingerprint, which is the stronger check.
NEEDED_FPR="ED65462EC8D5E4C5"

if [[ $EUID -ne 0 ]]; then
  echo "[-] This script must be run as root (use sudo)." >&2
  exit 1
fi

echo "[*] Downloading Kali keyring from $KEYURL ..."
TEMP=$(mktemp)
trap 'rm -f "$TEMP"' EXIT  # Remove the temporary file on every exit path
# Test curl directly: under "set -e" a separate "$?" check would never run
if ! curl -fsSL "$KEYURL" -o "$TEMP"; then
  echo "[!] Failed to download key file. Aborting." >&2
  exit 1
fi

echo "[*] Inspecting downloaded key ..."
gpg --no-default-keyring --keyring "$TEMP" -k || {
  echo "[!] GPG failed to read the key. Aborting." >&2
  exit 1
}

# Collect every fingerprint: the keyring may hold more than one key, so
# checking only the first entry could reject a valid download.
FPRS=$(gpg --no-default-keyring --keyring "$TEMP" --with-colons -k 2>/dev/null \
       | awk -F: '$1 == "fpr" { print $10 }')
if [[ -n "$NEEDED_FPR" ]] && ! grep -q "${NEEDED_FPR}\$" <<<"$FPRS"; then
  echo "[!] Warning: No key fingerprint in the download matches expected ID $NEEDED_FPR." >&2
  exit 1
fi

echo "[*] Installing key to $KEYFILE ..."
install -o root -g root -m 0644 "$TEMP" "$KEYFILE"
rm -f "$TEMP"

echo "[+] Key installed. Updating package index..."
apt update

echo "[+] Done. If there were no errors, the GPG key issue is resolved."
Save this script (e.g. fix-kali-key.sh), make it executable (chmod +x fix-kali-key.sh), and run it with sudo ./fix-kali-key.sh.

Tips to Prevent Future GPG Key Issues

  • Keep the kali-archive-keyring package up to date — new keys often come via updates.

  • Watch for expiration warnings — GPG keys eventually expire.

  • Clean up old or unused keys (when safe) to reduce clutter and risk.

  • For third-party repositories, store their keys in separate keyrings (e.g. /etc/apt/keyrings/) and use the signed-by= option in your sources list to limit the trust scope.
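To find the sources that still rely on the global trust store, the following added example (not from the original article) lists every entry without signed-by in both the one-line and deb822 formats. The function names `unscoped_sources` and `write_sample_sources` and the example.invalid vendors are hypothetical; the sample tree is constructed so the script runs offline.

```sh
# Added example: list APT source entries that are not pinned to a keyring.
# An entry without signed-by is checked against every key in
# /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/.
# unscoped_sources DIR prints "file:line: entry" (one-line style) or
# "file: stanza N" (deb822 style, read in awk paragraph mode) for every
# entry lacking signed-by.
unscoped_sources() {
  for f in "$1/sources.list" "$1"/sources.list.d/*.list; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      /^[ \t]*deb(-src)?[ \t]/ &&
      !/^[ \t]*deb(-src)?[ \t]+\[[^]]*signed-by=/ {
        printf "%s:%d: %s\n", file, NR, $0
      }' "$f"
  done
  for f in "$1"/sources.list.d/*.sources; do
    [ -f "$f" ] || continue
    awk -v file="$f" 'BEGIN { RS = ""; FS = "\n" }
      {
        types = 0; scoped = 0
        for (i = 1; i <= NF; i++) {
          if (tolower($i) ~ /^types:/) types = 1
          if (tolower($i) ~ /^signed-by:/) scoped = 1
        }
        if (types && !scoped) printf "%s: stanza %d\n", file, NR
      }' "$f"
  done
}

# Constructed sample tree; the example.invalid vendors are hypothetical.
write_sample_sources() {
  mkdir -p "$1/sources.list.d"
  printf '%s\n' \
    'deb http://http.kali.org/kali kali-rolling main contrib non-free' \
    > "$1/sources.list"
  printf '%s\n' \
    '# deb https://old.example.invalid/apt stable main' \
    'deb [arch=amd64] https://a.example.invalid/apt stable main' \
    'deb [signed-by=/etc/apt/keyrings/b.gpg] https://b.example.invalid/apt stable main' \
    > "$1/sources.list.d/vendors.list"
  printf '%s\n' \
    'Types: deb' 'URIs: https://c.example.invalid/apt' 'Suites: stable' \
    'Components: main' 'Signed-By: /etc/apt/keyrings/c.gpg' '' \
    'Types: deb' 'URIs: https://d.example.invalid/apt' 'Suites: stable' \
    'Components: main' > "$1/sources.list.d/more.sources"
}

demo=$(mktemp -d) && write_sample_sources "$demo"
unscoped_sources "$demo"   # on a real host: unscoped_sources /etc/apt
rm -rf "$demo"
```

Each reported entry is a candidate for moving its key into a dedicated keyring and adding signed-by, as the last tip describes.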