ChromeOS Linux: 'W: GPG error' on apt update — fix 2025
When ChromeOS Linux container's apt update fails with missing GPG keys, it's usually because the container's keyring is out of sync with the repos. Here's the fix.
When this error hits
You're running ChromeOS's Linux container (Crostini) — the one you enable in Settings → Developers. You open the terminal, type sudo apt update, and instead of the usual package list refresh, you get something like this:
W: GPG error: https://dl.google.com/linux/chrome/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
E: The repository 'https://dl.google.com/linux/chrome/deb stable InRelease' is not signed.This happens most often after a ChromeOS version update (e.g., 120 → 121) or when the container's been idle for a few months. The keyring gets stale. Google's repo keys expire, or the container's trusted key database drifts out of sync.
Root cause
What's actually happening here is that the Linux container ships with a pre-loaded keyring for the default Google repos (like google-chrome and google-cloud-sdk). But Chromebook system updates can reset or modify parts of the container's /etc/apt/trusted.gpg.d/ directory — or the keys inside it expire. The error NO_PUBKEY means the container's GPG keyring doesn't have that key ID, so it refuses to trust the repo's Release file.
The reason sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys often fails is that the container's network setup in Crostini can be picky about external key servers. A more reliable fix is to grab the key directly from the repo's own .asc file.
The fix
- Identify the repo causing the error.
The error message shows the repo URL and the missing key ID. In the example above,78BD65473CB3BD13is the key ID, and the repo ishttps://dl.google.com/linux/chrome/deb stable InRelease. - Download the GPG key for that repo.
Most Google repos serve their public key athttps://dl.google.com/linux/linux_signing_key.pub. Run:
If the repo is something else (e.g.,curl -fsSL https://dl.google.com/linux/linux_signing_key.pub | sudo tee /etc/apt/trusted.gpg.d/google.gpg > /dev/nullpackages.microsoft.com), find the.ascor.gpgURL from their docs. For Microsoft repos, it's usuallyhttps://packages.microsoft.com/keys/microsoft.asc. - Update the apt cache.
Runsudo apt updateagain. The GPG error should be gone. If you get a new error about a different key, repeat step 2 for that key. - Optional: Clean up old expired keys.
If you see warnings about expired keys (but not errors), you can remove them. List keys withapt-key list(deprecated but works) or check/etc/apt/trusted.gpg.d/. Delete the offending file withsudo rm /etc/apt/trusted.gpg.d/old-key.gpg. Be careful — only remove keys you're sure are obsolete.
If it still fails
Three things to check:
- Network connectivity in the container.
The container might have lost DNS or HTTP access. Runping 8.8.8.8andping google.com. If the first succeeds but the second doesn't, edit/etc/resolv.confand addnameserver 8.8.8.8temporarily. - Corrupted apt lists.
sudo rm -rf /var/lib/apt/lists/*thensudo apt updateagain. This clears the cached package lists and forces a fresh download. - Container re-creation as last resort.
Open ChromeOS Settings → Developers → Linux development environment → Remove. Then set it up again. This nukes all your installed packages, so only do this if you have nothing to lose or your data is backed up. The container rebuilds fresh with current keys.
Skip faffing about with gpg --keyserver or manually importing keys from random sources. Directly pulling the key from the repo's official URL is faster and more trustworthy. I've seen this exact fix work on ChromeOS 118 through 125 — it's been consistent.
Was this solution helpful?