Synaptic error when updating

Hello All. I’m getting the following error when I try to update Linux Mint:

GPG error: https://apt.syncthing.net sync thing InRelease: The following signatures were invalid NODATA 3 NODATA1 The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D26E6ED000654A3E

I’ve checked the additional repositories in Software Updater, and they’re correctly named.

I’ve checked the guides on the https://apt.syncthing.net/ web-page, and carried out all of the suggestions there.

I’ve manually downloaded the keyring and renamed it and moved it, as root, to what I believe to be the correct place.

All to no avail.

Syncthing is running fine, at the moment, and I’d rather not be contemplating starting all over. It took me forever to get all the peers set up.

Hopefully I’ve missed/done something obvious, but I’m darned if I can see what.

Robin.

Could you post your apt source and the content of your keyring file?

Also check for any duplicate entries.

Hi bt90! Thanks for getting back to my Hellllpp!

I have 2 additional repositories enabled under Software Sources:

deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable

and

similar to the above but pointing to / syncthing candidate

Sorry I’ve had to write it like that, but new members can only include 2 links!

I have a Syncthing keyring in two places:

• One is in usr\share\keyrings and
• Another is in etc\apt\keyrings

Maybe this is what you mean by ‘checking for duplicate entries’?

Looks like one of the suggested cures has led me to place a keyring copy in a second location.

I’ve attached the keyring file.

The file properties for each look the same, so I don’t believe I have two conflicting files.

Thanks in advance. Robin. syncthing-archive-keyring.gpg (2.5 KB)

Why?

It was what was suggested on the Syncthing webpage:

Please see attached image.

Thanks, Robin.

Capture928×105 7.02 KB

Yeah, we should probably reword and/or move it to a visually more separated section.

You either want stable or candidate.

Hi bt90,

I’ve tried un-checking each of the repositories in turn, but it still gives the error message.

It only started occuring a couple of days back. Everything’s been fine up until then; it’s worked faultlessly and is/has been a great peace of mind.

Anything else I might look at?

Robin.

Yeah I don’t think that’s related. The releases are currently signed by two keys, the old one and a new one. AFAIK it should be fine if you just have either, that’s how my apt seems to be behave at least.

Hi Jakob,

I have removed the ‘candidate’ entry, which puts things back as they were originally.

I’m afraid I struggle somewhat with Linux! Don’t tell anyone, but I - before I retired some years back - worked with Shhhh … Windows!

I’ll upload the full error message in case there’s something of use in the preamble at the top of it.

Thanks, Robin.

Capture885×761 210 KB

A shot in the dark, but check if it’s disk space related.

Disk space appears fine:

I believe the ‘snap’ entries are OK as the disk sizes itself to the size of the application.

Debugging output via gpg --list-packets syncthing-archive-keyring.gpg says the attached key file has the key ID E5665F9BD5970C47:

# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
        version 4, algo 1, created 1732431746, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: E5665F9BD5970C47

However, the key ID error from Synaptic is referring to the old key even though your system has the newer key:

Since you’ve made several changes while troubleshooting, verify how many Syncthing public keys you’ve actually got (and where they are). Search the entire system using the following shell/terminal command:

find / -iname "syncthing*.gpg" -ls

Hi gadget!

Thank you for your assistance.

The output from ‘find’ was quite lengthy, but most results finished with “permission denied”.

The ‘keyring’ related ones are as follows:

34342474 4 -rw-rw-r-- 1 robin robin 2585 Dec 1 20:03 /etc/apt/keyrings/syncthing-archive-keyring.gpg

20316179 4 -rw-r–r-- 1 root root 2585 Nov 30 16:43 /usr/share/keyrings/syncthing-archive-keyring.gpg

34342260 4 -rw-rw-r-- 1 robin robin 2585 Nov 30 17:33 /home/robin/Desktop/Win7PCBackup/syncthing-archive-keyring.gpg

Here is result from running `gpg --list-packets syncthing-archive-keyring.gpg on keyring in /etc/apt/keyrings …

:public key packet:

version 4, algo 1, created 1732431746, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: E5665F9BD5970C47

:user ID packet: “Syncthing Release Management release@syncthing.net”

:signature packet: algo 1, keyid E5665F9BD5970C47

version 4, created 1732431746, md5len 0, sigclass 0x13
digest algo 8, begin of digest 35 a9
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2024-11-24)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
hashed subpkt 34 len 1 (?)
hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 07)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID E5665F9BD5970C47)
data: [4092 bits]

:signature packet: algo 1, keyid D26E6ED000654A3E

version 4, created 1732463752, md5len 0, sigclass 0x10
digest algo 8, begin of digest da 15
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2024-11-24)
subpkt 16 len 8 (issuer key ID D26E6ED000654A3E)
data: [2046 bits]

:public sub key packet:

version 4, algo 1, created 1732431746, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: B424C6EE7E8D2CD8

:signature packet: algo 1, keyid E5665F9BD5970C47

version 4, created 1732431746, md5len 0, sigclass 0x18
digest algo 8, begin of digest 0a 24
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2024-11-24)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID E5665F9BD5970C47)
data: [4095 bits]

and here, from /usr/share/keyrings …

:public key packet:

version 4, algo 1, created 1732431746, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: E5665F9BD5970C47

:user ID packet: “Syncthing Release Management release@syncthing.net”

:signature packet: algo 1, keyid E5665F9BD5970C47

version 4, created 1732431746, md5len 0, sigclass 0x13
digest algo 8, begin of digest 35 a9
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2024-11-24)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
hashed subpkt 34 len 1 (?)
hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 07)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID E5665F9BD5970C47)
data: [4092 bits]

:signature packet: algo 1, keyid D26E6ED000654A3E

version 4, created 1732463752, md5len 0, sigclass 0x10
digest algo 8, begin of digest da 15
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2024-11-24)
subpkt 16 len 8 (issuer key ID D26E6ED000654A3E)
data: [2046 bits]

:public sub key packet:

version 4, algo 1, created 1732431746, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: B424C6EE7E8D2CD8

:signature packet: algo 1, keyid E5665F9BD5970C47

version 4, created 1732431746, md5len 0, sigclass 0x18
digest algo 8, begin of digest 0a 24
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2024-11-24)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID E5665F9BD5970C47)
data: [4095 bits]

The keyring on the desktop was put there so that I could transfer it from my Linux server to another, Windows PC, to upload it to the forum.

Thanks, Robin.

You’re welcome.

Yup, that’s normal and expected since the search was most likely done as a regular user.

Even as root – and via sudo – there will still be some permissions errors (e.g. under FUSE, only the owner of a mount can access it, keeping encrypted volumes private from all other users).

Looks good. Based on what you posted earlier, your source config points to /etc/apt/keyrings/syncthing-archive-keyring.gpg, so the other to locations are ignored, but it’s best to confirm that it really is the case.

Since you followed the instructions on apt.syncthing.net, let’s see what the contents of your APT source for Syncthing’s repo are:

cat /etc/apt/sources.list.d/syncthing.list

Although not the cause of your Synaptic error, for better overall security it’s a good idea to update the ownership on `/etc/apt/keyrings/syncthing-archive-keyring.gpg’:

chown root:root /etc/apt/keyrings/syncthing-archive-keyring.gpg

(Non-root users shouldn’t be able to modify files in the /etc/apt/keyrings directory.)

The result above looks good.

What’s the output from the following command?

apt-cache show syncthing

Hi gadget,

Thanks for the continuing debugging!

Here’s the APT source location:

deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable

I changed ownership of the keyring:

Capture528×524 60.8 KB

and here’s the ‘apt-cache’ result:

Package: syncthing
Status: install ok installed
Priority: optional
Section: default
Installed-Size: 27128
Maintainer: Syncthing Release Management <release@syncthing.net>
Architecture: amd64
Version: 1.28.1~rc.2
Depends: libc6, procps
Conffiles:
 /etc/ufw/applications.d/syncthing 7bc483737df07a71aa8d483ae79dc3d7
Description: Open Source Continuous File Synchronization
Description-md5: eb358e1fcb30da4dd3e74b3e08230539
License: MPL-2
Vendor: Syncthing Release Management <release@syncthing.net>
Homepage: https://syncthing.net/

Take care, Robin.

Thanks for everyone’s assistance, but the issue remains unresolved.

Is there anyone who might be able to help any further with this matter, please?

Thank you.

It’s interesting that the Syncthing packages from Ubuntu aren’t included in the results.

A few days ago I downloaded and installed Linux Mint 22 and have had no success trying to reproduce the GPG key problem you’ve been seeing.

Since the DEB package from apt.syncthing.net are dual-signed by both the old and new keys, it doesn’t make any sense that your Linux Mint system is trying to verify using the older key (especially when the newer key is available on your system.

The only thing that comes to mind is that your system is somehow looking at a Syncthing package that was signed with only the older key.

Did you ever run apt update after making changes to the config files? Somewhere previously you said you removed the entry for the candidate channel, yet the apt-cache info lists a candidate version. What I can’t find in previous answers is the output of

apt-cache policy syncthing

That should list all known versions. Please also post the messages from

apt update

One suggestion is to uninstall Syncthing, purge APT’s cache, then reinstall:

apt-get purge syncthing
apt-get clean
apt-get update
apt-get install syncthing

If the problem is being caused by a corrupted cached Syncthing package, it’ll force a re-download from apt.syncthing.net.

A short-term workaround would be to add Syncthing’s older signing key, but it’s not fix.

Hello All!,

Thank you for all of your help!

It’s odd that the ‘boot is on the other foot’ now, as I used to do this sort of thing - in the Windows™ community - until I retired.

In response to your request André, here is the output from:

apt-cache policy syncthing

syncthing:
  Installed: 1.28.1~rc.2
  Candidate: 1.28.1~rc.2
  Version table:
 *** 1.28.1~rc.2 100
        100 /var/lib/dpkg/status

I decided to uninstall and reinstall Syncthing.

When I get to the apt-get update stage, I again saw the same errors that show up in Software Updater:

sudo apt-get update Hit:1 Index of /ubuntu xenial InRelease Hit:2 Index of /ubuntu xenial-updates InRelease
Hit:3 Index of /ubuntu xenial-backports InRelease
Hit:4 Index of /ubuntu xenial InRelease
Hit:5 Index of /utappia/stable/ubuntu xenial InRelease
Hit:6 https://linux.teamviewer.com/deb stable InRelease
Hit:7 Index of /ubuntu xenial-security InRelease
Ign:9 http://packages.linuxmint.com sylvia InRelease
Hit:10 http://packages.linuxmint.com sylvia Release Err:8 https://apt.syncthing.net syncthing InRelease The following signatures were invalid: NODATA 3 NODATA 1 The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D26E6ED000654A3E Reading package lists… Done E: GPG error: https://apt.syncthing.net syncthing InRelease: The following signatures were invalid: NODATA 3 NODATA 1 The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY D26E6ED000654A3E

I seem to be getting into a deeper and deeper hole.

apt-update now gives:

E: Type ‘“deb’ is not known on line 1 in source list /etc/apt/sources.list.d/syncthing.list E: The list of sources could not be read.

Syncthing still appears to be up and running. If I take an entry and perform a ‘Re-scan’ it works and updates to the current time.

I’m still happy to take further guidance, please!