release: Expired key - "Google Cloud Packages Automatic Signing Key"

The current available key expired yesterday:

dcaro@vulcanus$ gpg --list-key 6A030B21BA07F4FB
pub   rsa2048 2018-04-01 [SCE] [expired: 2021-03-31]
      54A647F9048D5688D7DA2ABE6A030B21BA07F4FB
uid           [ expired] Google Cloud Packages Automatic Signing Key <gc-team@google.com>

What happened: The key used to sign all the packages from the packages.cloud.google.com repos https://packages.cloud.google.com/apt/dists/debian-buster-mirror/Release.gpg has expired.

What you expected to happen: The key to be refreshed 😃

How to reproduce it (as minimally and precisely as possible):

Please provide links to example occurrences, if any: This is a new occurrence of kubernetes/test-infra#7505

Anything else we need to know?: Thanks for all the good work!

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 13
  • Comments: 69 (25 by maintainers)

Most upvoted comments

Just copy paste into terminal

sudo curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list

Alright, so to correctly set this up for debian I’d suggest the following then:

  1. curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor | sudo dd status=none of=/usr/share/keyrings/kubernetes-archive-keyring.gpg
  2. echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
  3. sudo apt update

Running the command from @mrajadurai2413 seems to work for my machine and solved the issues for missing public key for Kubernetes.

System: Ubuntu 20.04 Focal Fossa
Kubernetes Version: 1.26

Error Message:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.cloud.google.com/apt kubernetes-xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
W: Failed to fetch https://apt.kubernetes.io/dists/kubernetes-xenial/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
W: Some index files failed to download. They have been ignored, or old ones used instead.

Original commands from @mrajadurai2413 to import the public GPG keys for Kubernetes from Google:

sudo curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg

echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list

After running the first set of commands, run commands below to update and review the gpg keys:

sudo apt update && sudo apt upgrade
sudo apt-get update && sudo apt-get upgrade

Same as https://github.com/kubernetes/test-infra/issues/7505#issuecomment-378045292

There was a new key pushed, it may be all you need to do is update to use the new signing key

$ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg -v -
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2018-04-01 [SCE] [expired: 2021-03-31]
      54A647F9048D5688D7DA2ABE6A030B21BA07F4FB
uid           Google Cloud Packages Automatic Signing Key <gc-team@google.com>
sig        6A030B21BA07F4FB 2018-04-01   [selfsig]
pub   rsa2048 2020-12-04 [SC] [expires: 2022-12-04]
      59FE0256827269DC81578F928B57C5C2836F4BEB
uid           gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>
sig        8B57C5C2836F4BEB 2020-12-04   [selfsig]
sub   rsa2048 2020-12-04 [E]
sig        8B57C5C2836F4BEB 2020-12-04   [keybind]

Something like this should work?

curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -

or

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 8B57C5C2836F4BEB

Having said that, the appropriate team internally is currently fielding a number of issues. I believe the new key may not have fully rolled out yet. If the above doesn’t work for you, please report back.

I will share a command that worked for me in Ubuntu 18.04

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

Source Known Issues Google Cloud

So, I tried to follow a simple instruction on how to install kubernetes using native package management for Debian-based distributions (my OS version is Ubuntu 20.04) and got some of the errors mentioned above. To be precise, apt update output these lines:

Err:8 https://packages.cloud.google.com/apt kubernetes-xenial InRelease                          
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEEA9169307EA071 NO_PUBKEY 8B57C5C2836F4BEB
...
Reading package lists... Done
W: GPG error: https://packages.cloud.google.com/apt kubernetes-xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEEA9169307EA071 NO_PUBKEY 8B57C5C2836F4BEB
E: The repository 'https://apt.kubernetes.io kubernetes-xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

As was mentioned in #1982 (comment), I tried to remove the signed-by part (but in /etc/apt/sources.list.d/kubernetes.list) and added one of the missing keys with apt-key, and it worked. To summarize, the solution in my case was to change the instruction mentioned above a little bit:

  1. sudo apt-get update && sudo apt-get install -y apt-transport-https ca-certificates curl
  2. echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
  3. sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B57C5C2836F4BEB
  4. sudo apt-get update && sudo apt-get install -y kubectl

I see a similar issue in Ubuntu 20.04.

apt-get update shows this error

An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.cloud.google.com/apt cloud-sdk InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEEA9169307EA071 NO_PUBKEY 8B57C5C2836F4BEB

Running the above two commands you’ve mentioned did not solve this. I can still see that Google Cloud Packages Automatic Signing Key is expired (on 2021-03-31) when I run apt-key list.

@RakhithaRR can you confirm that something like this works for you, or maybe provide an isolated reproducer:

FROM ubuntu:20.04

RUN apt-get update
RUN apt-get install -y curl gpg

RUN curl -fsSLo /usr/share/keyrings/kubernetes-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
RUN echo "deb [signed-by=/usr/share/keyrings/kubernetes-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list

RUN apt-get update
RUN apt-get install -y kubelet

This is still broken for people on at least CentOS 7. I don’t think the priority should be downgraded. I don’t know what the exact solution would be, but I don’t think disabling a gpg check is the permanent solution.

I have the same version of Ubuntu as @narensrini-ds and the following commands have been working for me. The correct path for me is /usr/share/keyrings/kubernetes-archive-keyring.gpg

  1. curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg 'https://packages.cloud.google.com/apt/doc/apt-key.gpg'
  2. echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
  3. sudo apt update && sudo apt upgrade
  4. sudo apt-get update && sudo apt-get upgrade

Thank you so much @narensrini-ds and @afolarin

OK. This was killing me for a while. I have to do this on Ubuntu 20.04

$> curl https://packages.cloud.google.com/apt/doc/apt-key.gpg -o /usr/share/keyrings/cloud.google.gpg

Try before this

$> apt-key del FEEA9169307EA071 && apt-key del 8B57C5C2836F4BEB

@contributorpw already answered it and shared perfect workaround for me here:

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg -o /usr/share/keyrings/cloud.google.gpg

(the answer above with hearts on it, go add one if it works for you!)

/etc/apt/keyrings/kubernetes-archive-keyring.gpg or /usr/share/keyrings/kubernetes-archive-keyring.gpg

which is correct?

/sig release
/priority critical-urgent

@jsoref looks like I stand corrected - the documentation I linked wasn’t the clearest.

https://wiki.debian.org/DebianRepository/UseThirdParty

“The certificate MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.”

Same issue on my machine while apt update

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.cloud.google.com/apt kubernetes-xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FEEA9169307EA071 NO_PUBKEY 8B57C5C2836F4BEB

/remove-priority critical-urgent
/priority important-longterm

Downgrading priority. If we don’t hear back from the author of this issue I would recommend we close unless anyone has any concrete follow ups they want to hold open for.

It depends on your definition.

The second one assumes you’re the os vendor/distributor, which you probably aren’t.

The first one assumes you’re the owner of the machine.

Workaround to get apt-get update working
cat > gcloud.asc <<EOF
EOF
gpg --dearmor gcloud.asc
cp gcloud.asc.gpg /usr/share/keyrings/cloud.google.gpg
cp gcloud.asc.gpg /etc/apt/trusted.gpg.d/cloud.google.gpg

apt-get update

Obviously, you shouldn't trust the contents of a random person

Search for keys: https://keyserver.ubuntu.com/pks/lookup?search=0xFEEA9169307EA071&fingerprint=on&op=index
Retrieve: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7f92e05b31093bef5a3c2d38feea9169307ea071

Search for keys: https://keyserver.ubuntu.com/pks/lookup?search=0x8B57C5C2836F4BEB&fingerprint=on&op=index
Retrieve: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x59fe0256827269dc81578f928b57c5c2836f4beb

The first key is the expired key, I don’t remember its index, but it’s expired, so unless your clock is wrong, it won’t be trusted, and Google isn’t signing with it, so it still won’t matter.

https://cloud.google.com/compute/docs/troubleshooting/known-issues#keyexpired should probably be shared somewhere (perhaps the kubernetes.io install docs?) but I don’t think there’s anything else further to do here.

The keys have been updated, yum continues to have problematic behavior here but the workaround is published in the link above.

If you read the latest version of the man page, instead of expecting the upstream to backport deprecation messages to the version you’re using, you’ll see that the tool you’re using is deprecated: https://manpages.debian.org/experimental/apt/apt-key.8.en.html

Technically a given version of a platform will generally support (to some limited definition of support) the tools it had when it shipped. That’s generally a promise not to break functionality in it. Practically, that means you can still use a given program, even if it’s a bad idea to do so.

What it doesn’t mean and isn’t a license to do is to tell others how they should work in the general case.

In the general case, you shouldn’t use that program as it’s deprecated because it’s fundamentally broken.

I think trusted.gpg is not recommended due to global trust of keys under that keyring by apt opening a security issue. But it is now recommended to use separate keyrings under trusted.gpg.d

See

https://itsfoss.com/apt-key-deprecated/

ed. don’t use /etc/apt/trusted.gpg.d use /usr/share/keyrings

To make this work under Debian 5.10.162-1 I adjusted the keyring directories:

  1. sudo curl -fsSLo /etc/apt/trusted.gpg.d/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
  2. echo "deb [signed-by=/etc/apt/trusted.gpg.d/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
  3. sudo apt update

Seems this is outdated, see below for the correct way of doing this.

https://cloud.google.com/compute/docs/troubleshooting/known-issues#ubuntu-systems

curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -

this works for me

Another reason for getting NO_PUBKEY on apt-get update is when the GPG key file is not world-readable - easy to end up like this by accident with tight umask defaults. And if you are wondering (as I was) why it needs to be world-readable even when apt runs as root - it is because apt switches to _apt user for many operations that don’t require privilege (see here).

A simple chmod o+r <keyfile> fixes NO_PUBKEY in this particular case.

Folks, the Kubernetes project does not manage these keys, nor does the team that voluntarily continues to publish these packages until the project moves to community infrastructure. https://github.com/kubernetes/release/issues/913 seems to be the current tracking issue for this.

per https://cloud.google.com/compute/docs/troubleshooting/known-issues#keyexpired the recommendation is to disable GPG repo (not package) check in RPM.

To fix this, disable repository GPG key checking in the yum repo configuration by setting repo_gpgcheck=0. In supported Compute Engine base images this setting might be found in /etc/yum.repos.d/google-cloud.repo file. However, your VM can have this set in different repository configuration files or automation tools.

Yum repositories do not usually use GPG keys for repository validation. Instead, the https endpoint is trusted.

Yep, this seems to be working for me:

sudo curl https://packages.cloud.google.com/apt/doc/apt-key.gpg --output /etc/apt/trusted.gpg.d/k8s-apt-key.gpg # This line was apt-key
sudo apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main" -y
sudo apt update
sudo apt install kubeadm kubelet kubectl -y || { echo 'Failed to install kubeadm kubelet kubectl. Please retry' ; exit 1; }

Note that I had to use /etc/apt/trusted.gpg.d/k8s-apt-key.gpg and not /etc/apt/trusted.gpg/k8s-apt-key.gpg. The folder /etc/apt/trusted.gpg didn’t exist on my system. This is part of a larger bash script that installs K8s on fresh systems.

The problem with just adding the key is that you’ll still get this: https://github.com/kubernetes/release/issues/1982#issuecomment-826582877

because the odds are that your repository has pinned the key:

/etc/apt/sources.list.d/google-cloud-sdk.list:deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main

  1. Someone (possibly me) needs to file a bug (and possibly a patch) to apt to change the error message:

    -The following signatures couldn't be verified because the public key is not available
    +The following signatures couldn't be verified because the public key does not match the keys listed in {file}
    
  2. Everyone else just needs to either edit the /etc/apt/sources.list.d/google-cloud-sdk.list file to change the signed-by field (or remove it), or replace the contents of that file w/ the updated value

  3. If at all possible, someone from google should provide a way to upgrade that file.
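
Two causes of NO_PUBKEY raised in the comments above, a signed-by keyring that lacks the signing key and a keyring file that is not world-readable, can be told apart with a small diagnostic. This is an added example, not code from the thread or from apt; the function names are hypothetical, the colon-format listings are constructed samples, and live use assumes a gpg that supports --show-keys.

```sh
#!/bin/sh
# Added example: explain apt's NO_PUBKEY for a repo pinned with signed-by.
# Function names are hypothetical; the listings are constructed samples in
# `gpg --with-colons` format (field 5 = key ID, field 7 = expiry epoch).

# Print the signed-by= keyring path of a one-line sources.list entry, if any.
signed_by_path() {
  printf '%s\n' "$1" | sed -n 's/^deb[^[]*\[[^]]*signed-by=\([^] ]*\).*/\1/p'
}

# Classify one key ID against a colon listing: missing | expired | ok.
classify_key() {  # $1=key ID  $2=colon listing  $3=epoch "now"
  printf '%s\n' "$2" | awk -F: -v id="$1" -v now="$3" '
    ($1 == "pub" || $1 == "sub") && $5 == id {
      print (($7 != "" && $7 + 0 < now + 0) ? "expired" : "ok")
      found = 1; exit
    }
    END { if (!found) print "missing" }'
}

# Per the thread, apt drops to the _apt user for unprivileged work, so the
# keyring needs the "other" read bit (8th character of the ls -l mode string).
world_readable() {
  case "$(ls -ld "$1" 2>/dev/null)" in ???????r*) return 0 ;; *) return 1 ;; esac
}

# One line per key ID from the NO_PUBKEY message, checked against the keyring
# the entry is pinned to (adding the key anywhere else does not help).
diagnose() {  # $1=sources entry  $2=listing of pinned keyring  $3=now  $4..=IDs
  d_ring=$(signed_by_path "$1"); d_list=$2; d_now=$3; shift 3
  if [ -z "$d_ring" ]; then
    echo "entry is not pinned: apt falls back to the global trusted keyrings"
    return 0
  fi
  for d_id in "$@"; do
    echo "$d_id: $(classify_key "$d_id" "$d_list" "$d_now") in $d_ring"
  done
}

SAMPLE_ENTRY='deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main'
# Constructed: pinned keyring that still holds only the key that expired.
SAMPLE_OLD_RING='pub:e:2048:1:6A030B21BA07F4FB:1522540800:1617148800::-:::sc::::::23::0:'
# Constructed: the same keyring after the key file was downloaded again.
SAMPLE_NEW_RING="$SAMPLE_OLD_RING
pub:-:2048:1:8B57C5C2836F4BEB:1607040000:1670112000::-:::scSC::::::23::0:"

# Live use, with the file and key ID quoted in the thread:
#   entry=$(cat /etc/apt/sources.list.d/google-cloud-sdk.list)
#   ring=$(signed_by_path "$entry")
#   world_readable "$ring" || echo "$ring is not world-readable"
#   diagnose "$entry" "$(gpg --show-keys --with-colons "$ring")" "$(date +%s)" 8B57C5C2836F4BEB
```

A result of "missing" for a pinned entry means the key has to be placed in that exact keyring file, or the signed-by field changed, which is the situation the last comment describes.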