I recently updated to Ubuntu 24.04 over an existing Plex install, then added the file /etc/apt/sources.list.d/plexmediaserver.sources .
On trying sudo apt update, terminal returns
“Err:1 https://downloads.plex.tv/repo/deb public InRelease The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 97203C7B3ADCA79D”
“W: GPG error: https://downloads.plex.tv/repo/deb public InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 97203C7B3ADCA79D
E: The repository ‘https://downloads.plex.tv/repo/deb public InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
N: Missing Signed-By in the sources.list(5) entry for ‘https://downloads.plex.tv/repo/deb’”
I tried adding the public key from the guide https://support.plex.tv/articles/235974187-enable-repository-updating-for-supported-linux-server-distributions/ without much luck.
Any tips to add the public key manually in Ubuntu 24.04? Looks like its done differently now.
Engineering is trying to fix it.
There is a new certificate. The installer knows this.
The new build system is unable to sign the package correctly with that new key.
This is what Engineering is trying to fix.
If you want to install the key yourself (try it)
Thanks ChuckPa,
I gave it a go, threw an error.
“The information in this key has not yet been verified”
Ill try some more later and keep monitoring this thread.
I presume you did the apt key add ? I’ve not done it in a while,
(none of my installations stay around long enough haha)
Apparently its deprecated in 24.04, Ive trawled a few threads on it and my head hurts lol
I read https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
Looks like its an ascii armoured key so I ran
wget -O- https://downloads.plex.tv/plex-keys/PlexSign.key | gpg --dearmor | sudo tee /usr/share/keyrings/plexmediaserver.gpg
Terminal returned a page of symbols but it didn’t fix the issue, maybe I missed something in the code.
I found ubuntu - Running “apt-get update” returns an error “apt-secure(8)” - Super User then resorted to the files GUI. Opened:
/etc/apt/sources.list
which opened the Software & Updates window with an “Import key file” button. The key file was accepted. 
This is different to the system trust window that opens if I double click the downloaded PlexSign.key, where trying to import the key was unsuccessful.
Ran sudo apt update, now I get
W: https://downloads.plex.tv/repo/deb/dists/public/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details
Looks like the key is stored now, I’ll keep trying until there’s a Plex update to see if it works.
You should also, unless they’ve removed it completely, be able to use apt-key to import the key.
From there, apt will use that key when downloading packages.
Do remember, engineering is having trouble getting packages signed properly during the build.
For what its worth, this command appeared to work for me, and now I don’t get the legacy keyring warning:
wget https://downloads.plex.tv/plex-keys/PlexSign.key -O /usr/share/keyrings/plex-archive-keyring.key
I haven’t been able to apt-update for a few months now. I’m getting this when I try:
Err:5 https://downloads.plex.tv/repo/deb public InRelease
The following signatures were invalid: ERRSIG 97203C7B3ADCA79D
I don’t think it’s on my side since when I try to verify it manually I get the same error:
$ cd /tmp
$ curl -s https://downloads.plex.tv/plex-keys/PlexSign.key | gpg -o plexkey.gpg --dearmor
$ curl -s https://downloads.plex.tv/repo/deb/dists/public/InRelease | gpgv --verbose --keyring ./plexkey.gpg
gpgv: Signature made Thu Oct 24 09:35:30 2024 -07:00
gpgv: using RSA key 97203C7B3ADCA79D
gpgv: Can't check signature: Bad public key
Signing key on CD665CBA0E2F88B7373F7CB997203C7B3ADCA79D is not bound:
gpgv: error: No binding signature at time 2024-10-24T16:35:30Z
gpgv: because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
When I try the same thing with debian’s keys:
$ curl -s https://ftp-master.debian.org/keys/archive-key-11.asc | gpg -o archive-key-11.gpg --dearmor
$ curl -s https://ftp-master.debian.org/keys/archive-key-12.asc | gpg -o archive-key-12.gpg --dearmor
$ curl -s https://deb.debian.org/debian/dists/testing/InRelease | gpgv --keyring ./archive-key-11.gpg --keyring ./archive-key-12.gpg InRelease-debian-testing
gpgv: Signature made Thu Nov 7 18:14:02 2024 -08:00
gpgv: using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpgv: Good signature from "Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>"
gpgv: Signature made Thu Nov 7 18:14:06 2024 -08:00
gpgv: using RSA key 4CB50190207B4758A3F73A796ED0E7B82643E131
gpgv: Good signature from "Debian Archive Automatic Signing Key (12/bookworm) <ftpmaster@debian.org>"
It looks like that last line of the error is the important one:
gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
Testing this further:
$ gpg -vv < archive-key-11.gpg 2>&1 | grep "digest algo"
digest algo 10, begin of digest 14 ae
digest algo 10, begin of digest 69 f8
digest algo 10, begin of digest 42 67
digest algo 10, begin of digest 37 c1
digest algo 10, begin of digest 1b 10
digest algo 10, begin of digest a3 9a
digest algo 10, begin of digest 34 89
digest algo 10, begin of digest 85 52
digest algo 10, begin of digest d5 61
digest algo 10, begin of digest 16 d2
digest algo 10, begin of digest a7 77
digest algo 10, begin of digest 58 e0
subpkt 32 len 563 (signature: v4, class 0x19, algo 1, digest algo 10)
$ gpg -vv < plexkey.gpg 2>&1 | grep "digest algo"
digest algo 2, begin of digest 90 2f
digest algo 2, begin of digest b5 3a
Debian’s (working) key uses digest algorithm 10 and Plex’s (failing) key uses digest algorithm 2. Checking against OpenPGP Hash Algorithms we can see that 10 is “SHA2-512” and 2 is “SHA-1”. That matches the error that gpgv is emitting.
Interestingly, the InRelease signature from Plex appears to be using SHA2-256:
$ curl -s https://downloads.plex.tv/repo/deb/dists/public/InRelease | gpg -vv 2>&1 | grep "digest algo"
digest algo 8, begin of digest d1 f9
I don’t actually know all that much about GPG but maybe just re-self-signing the key with SHA2-512 would make it work (without needing to create a brand new key)?
I’m getting the same error, has anyone been able to fix this yet?
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
