Ever bugged by Ubuntu GPG error during updates?

Ubuntu lets you define several software repos in individual files under the /etc/apt/sources.list.d directory. Likewise, one may create a file (e.g varnish-cache.list) with the following content to add the Varnish software repo:

deb https://repo.varnish-cache.org/ubuntu/ trusty varnish-4.1


Upon executing apt-get update Ubuntu will update the software repository lists including that of Varnish. One hiccup that may occur during the update is an error that complains as follows:

W: GPG error: https://repo.varnish-cache.org trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 60E7C096C4DEFFEB


The error says that GPG cannot find the public key “60E7C096C4DEFFEB”.

Public key cryptography is based on pairs of keys, a public key and a private key. The public key is given out to the world; the private key must be kept a secret. Anyone possessing the public key can encrypt a message so that it can only be read by someone possessing the private key. It's also possible to use a private key to sign a file, not encrypt it. If a private key is used to sign a file, then anyone who has the public key can check that the file was signed by that key. Anyone who doesn't have the private key can't forge such a signature.
-- Description, courtesy of debian.org

GPG is used to sign packages found on the software repository lists. A private key is used in the signing process. A public key helps to verify whether the package requested has been signed by the corresponding private key. Hence, the public key of Varnish helps to make sure that the requested package is signed by Varnish itself and not someone else. This establishes authenticity.

Apt-key is a utility that retrieves a public key from a keyserver. We, therefore, request the public key of Varnish software as follows:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60E7C096C4DEFFEB


The command produces the following result:

gpg: requesting key C4DEFFEB from hkp server keyserver.ubuntu.com
gpg: key C4DEFFEB: public key "varnish-cache.org repository key <sysadmin@varnish-software.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


The public key is imported and will be used for signature verification during updates.