Technical Analysis and Solutions for Public Key Errors During Docker Installation on Ubuntu

Dec 05, 2025 · Programming

Keywords: Docker | Ubuntu | Public Key Error | GPG | APT Security

Abstract: This paper provides an in-depth analysis of public key verification errors encountered during Docker installation on Ubuntu systems. By examining error messages such as "NO_PUBKEY 7EA0A9C3F273FCD8" and "The repository is not signed," the article explores the security mechanisms of the APT package management system and GPG key verification principles. Based on Docker's official documentation and community best practices, multiple solutions are presented, including using the gpg --dearmor command for key processing, setting correct file permissions, and updating repository configurations. The article also discusses the deprecation of the apt-key command and provides complete installation steps compatible with different Ubuntu versions.

When installing Docker on Ubuntu systems, users frequently encounter public key verification errors, typically manifested as the following error messages:

Err:2 https://download.docker.com/linux/ubuntu bionic InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
E: The repository 'https://download.docker.com/linux/ubuntu bionic InRelease' is not signed.

Error Cause Analysis

The root cause of this error lies in the APT package management system's inability to verify the integrity of the Docker repository. Ubuntu's APT uses GPG (GNU Privacy Guard) keys to verify package signatures, ensuring the trustworthiness and integrity of software sources. When the system lacks the corresponding public key, it refuses to install or update packages from that repository.

Specifically, the "NO_PUBKEY 7EA0A9C3F273FCD8" in the error message indicates that the system is missing this particular public key used by Docker. 7EA0A9C3F273FCD8 is the ID of the key Docker Inc. uses to sign its Ubuntu packages.

Traditional Solutions and Their Limitations

Historically, the standard approach to solving such problems was to use the apt-key command to add the public key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

However, this method now presents several issues. First, the apt-key command has been marked as deprecated in newer Ubuntu versions, with the system displaying a warning message:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Second, in certain network environments, fetching the key with the apt-key adv --keyserver command may fail with an error such as "gpg: keyserver receive failed: No keyserver available".

Modern Solution

According to the latest recommendations from Docker's official documentation, the correct solution is to use the gpg --dearmor command to process the key file:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

This command execution can be divided into three steps:

  1. curl -fsSL https://download.docker.com/linux/ubuntu/gpg: Downloads the raw GPG public key from Docker's official website
  2. gpg --dearmor: Converts the ASCII-formatted GPG key to binary format, which is recognizable by the APT system
  3. -o /usr/share/keyrings/docker-archive-keyring.gpg: Saves the converted key to the system's standard location

Importance of Permission Settings

In some cases, even after correctly downloading and saving the key file, permission issues may still arise. The key file requires appropriate read permissions to be accessed by the APT system:

sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg

This command ensures that all users can read the key file. Permission problems typically stem from incorrect umask settings or file ownership issues.

Complete Installation Process

Based on the above analysis, the complete Docker installation process should include the following steps:

# 1. Download and process Docker GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# 2. Set correct file permissions
sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg

# 3. Add Docker repository
echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# 4. Update package lists
sudo apt-get update

# 5. Install Docker Engine
sudo apt-get --assume-yes install docker-ce docker-ce-cli containerd.io

The key improvement in this process is explicitly specifying the signature key path in the repository definition: signed-by=/usr/share/keyrings/docker-archive-keyring.gpg. This ensures the APT system knows which key to use for verifying package signatures.

Technical Principles Deep Dive

Understanding the technical background of this issue requires knowledge of several key concepts:

  1. GPG Digital Signatures: Docker signs its packages with a private key, and users verify the signatures with the corresponding public key. This ensures package integrity and source authenticity.
  2. APT Security Model: Ubuntu's APT system is designed to require digital signature verification for all repositories. This is an important security measure against man-in-the-middle attacks and software tampering.
  3. Keyring Management: Modern Linux systems store GPG keys in specific directories, such as /usr/share/keyrings/ and /etc/apt/trusted.gpg.d/, rather than relying on a single global keyring.

When users encounter public key errors, there is essentially a break in APT's security verification chain. The system cannot find the corresponding public key to verify the repository's signature and therefore refuses to proceed.

Compatibility Considerations

It's important to note that different Ubuntu versions may require slightly different approaches:

Additionally, if the system uses a different architecture (such as ARM64), the arch option in the repository entry needs to be adjusted accordingly.

Troubleshooting Recommendations

If problems persist after following the above steps, consider the following troubleshooting steps:

  1. Verify network connectivity to ensure access to https://download.docker.com
  2. Check that the lsb_release -cs command correctly identifies the Ubuntu version codename
  3. Confirm that the /usr/share/keyrings/docker-archive-keyring.gpg file exists and has correct permissions
  4. Check the contents of the /etc/apt/sources.list.d/docker.list file
  5. Try clearing APT cache: sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*
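
Checks 3 and 4 in the list above can be scripted. The following is an added example, not part of the original article or Docker's documentation; the function name check_docker_source and the finding labels are hypothetical, and the demo runs against constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example: offline audit of a Docker APT source entry and its keyring.
# check_docker_source and the finding labels are hypothetical names.
# Prints one line per problem; returns 0 only when nothing is wrong.
check_docker_source() {
    list_file=$1
    status=0
    # Active "deb" lines for download.docker.com (commented lines are ignored).
    entries=$(grep -E '^[[:space:]]*deb[[:space:]].*download\.docker\.com' \
        "$list_file" 2>/dev/null || true)
    [ -n "$entries" ] || { echo "NO_DOCKER_ENTRY $list_file"; return 2; }
    while IFS= read -r entry; do
        # Extract the signed-by= path from the [options] block, if present.
        keyring=$(printf '%s\n' "$entry" |
            sed -n 's/^[^[]*\[[^]]*signed-by=\([^] ]*\).*/\1/p')
        if [ -z "$keyring" ]; then
            echo "NO_SIGNED_BY entry is not pinned to a keyring"; status=1
        elif [ ! -f "$keyring" ]; then
            echo "KEYRING_MISSING $keyring"; status=1
        else
            # A .gpg keyring must be binary; armored text means the
            # gpg --dearmor step was skipped.
            if head -n 1 "$keyring" | grep -q -e '^-----BEGIN PGP'; then
                echo "KEYRING_ARMORED $keyring"; status=1
            fi
            # Character 8 of the ls mode string is the "other" read bit,
            # which is what chmod a+r sets.
            if [ "$(ls -ld "$keyring" | cut -c8)" != r ]; then
                echo "KEYRING_NOT_WORLD_READABLE $keyring"; status=1
            fi
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Demo on constructed files in a temp directory; nothing under /etc is read.
demo_dir=$(mktemp -d)
# Constructed stand-in for a binary keyring (0x99 starts an OpenPGP key packet).
printf '\231\001\015\004constructed-binary-keyring' > "$demo_dir/good.gpg"
chmod 644 "$demo_dir/good.gpg"
echo "deb [arch=amd64 signed-by=$demo_dir/good.gpg] https://download.docker.com/linux/ubuntu bionic stable" \
    > "$demo_dir/docker.list"
check_docker_source "$demo_dir/docker.list" && echo "OK: no findings"
```

On a real host, pass /etc/apt/sources.list.d/docker.list as the argument; a non-zero return with a printed label points at the step of the installation process that needs to be repeated.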

By systematically addressing public key errors, users can not only successfully install Docker but also deepen their understanding of Linux system security mechanisms. This understanding is crucial for maintaining the stability and security of production environments.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.