How to solve “The following packages cannot be authenticated”

Users of Debian’s testing or unstable distributions may be noticing messages from apt saying things like:

WARNING: The following packages cannot be authenticated!
  foo bar baz
Install these packages without verification [y/N]?

I noticed today that google doesn’t turn up good hits for the fix. The fix is really simple:

apt-get install debian-archive-keyring
apt-get update

That’s it. You now have secure packages from Debian. Nice, eh?

36 thoughts on “How to solve “The following packages cannot be authenticated”

  1. Ari Pollak says:

    Are you sure? The third Google hit for “apt the following packages could not be authenticated” turned up this as the third hit: http://wiki.debian.org/SecureApt

    1. John Goerzen says:

      My search term was:

      apt-get “packages could not be authenticated”

      (With that message in quotes, just like I’ve typed it)

      Indeed, the Wiki page doesn’t contain the relevant error message.

      However, that looks like a very informative page. I’m glad you sent the link — hopefully if anyone finds this page with Google, they can follow it to the wiki. And it probably wouldn’t hurt to add the warning message to the wiki page.

      1. Anonymous says:

        Perhaps because the error message is “cannot be authenticated”, not “could not be authenticated”?

  2. Brian Detweiler says:

    First hit on Google turns up this simple solution. Thanks dude!

  3. Hideo "Frank" Akino says:

    Thanks! It worked for me.

  4. Trevor says:

    Yes, thanks!
    I just needed to run apt-get update, and then it worked.

  5. Dustin says:

    Awesome, a fix :) Seems this page is turning up at around secondish on google as well, bravo.

  6. Anonymous says:

    Thank you!!! It took several wrong google hits before I found your page. In most of the pages I saw the person was just ignoring it and saying Yes anyway! I am very glad you posted an easy fix! Works great!! Thanks again!

  7. Scott says:

    Thank You!

  8. Bhasker C V says:

    open /etc/apt/apt.conf and add this line
    APT::Get::AllowUnauthenticated 1 ;

    1. Please don’t allow unauthenticated packages. that defeats the purpose of signed apt repositories entirely.

      This is a feature a long time in coming, and it’s a good one in today’s untrustworthy network. disabling it is a bad idea.

      1. Anonymous says:

        But it’s fundamentally broken – you have to upgrade the keys before upgrading from the archive, and the keys are frequently out of date.. eg. from today:

        # apt-get install debian-keyring debian-archive-keyring
        Reading package lists… Done
        Building dependency tree… Done
        debian-keyring is already the newest version.
        debian-archive-keyring is already the newest version.
        0 upgraded, 0 newly installed, 0 to remove and 146 not upgraded.

        # apt-get upgrade
        Reading package lists… Done
        Building dependency tree… Done
        The following packages will be upgraded:
        adduser apt apt-utils base-files bash bsdmainutils bsdutils busybox
        console-common console-data coreutils cron dash debconf debconf-i18n

        WARNING: The following packages cannot be authenticated!
        base-files debianutils bash bsdutils libc6 libc6-xen tzdata libsepol1
        libselinux1 coreutils dpkg e2fslibs e2fsprogs gzip hostname libdb4.3
        libpam-runtime libpam0g libpam-modules login mount ncurses-bin perl-modules

        The keys are out of date for about 80% of the downloaded packages, including important ones like libc6 – basically all that implied security does nothing because you *must* allow unsigned installs to be able to upgrade.

        1. Progfou says:

          You have to “apt-get update” before “apt-get upgrade” !

          When “apt-get instal …” tells you have the last version installed, it’s from its own knowledge of what the last version is. And this “knowledge” has to be updated using “apt-get update”.

        2. If by mistake you typed
          etch updates/main updates/contrib updates/non-free
          instead of
          etch/updates main contrib non-free
          you will get ‘The following packages cannot be authenticated!’ because apt will failed to fetch Release.gpg

  9. Dusty Wilson says:

    If this doesn’t work for you, try this command instead:

    apt-key update

    1. Ian Campbell says:

      I have now tried all the above and had no luck. I have a fresh install of Etch using the latest weekly release. apt-get update shows:
      GPG error: http://security.debian.org etch/updates Release: The following signatures were invalid: BADSIG A70DAF536070D3A1 Debian Archive Automatic Signing Key (4.0/etch)
      I tried apt-get install debian-archive-keyring
      That said I had the latest version.
      apt-key update told me it had processed 5 and 5 were unchanged.
      In desperation I added

      APT::Get::AllowUnauthenticated 1 ;
      to my /etc/apt/apt.conf but it still has the gpg error when I run apt-get update.

      Any further ideas would be gratefully received. I am totally out of them.

  10. Does anyone here know how to translate rpm packages to deb ones?

    1. John Goerzen says:

      Look at the alien package.

  11. M Hasan says:

    The following link solved my problem.u can try if keyring install dont work.
    http://www.debian-administration.org/articles/174

  12. Donnie says:

    Thanks for the tip, dude. Worked for me.

  13. al37919 says:

    one more possibility: check that the system time is correct

  14. Slava says:

    for me worked only

    *apt-key update*

  15. {void} says:

    If you’ve disabled authentication in apt[itude] settings, you’ll likewise get this error even if authentication is otherwise possible/working (makes a certain degree of sense; a kind of reminder that authentication isn’t “functional”, but it would be better if it simply said “WARNING: authentication disabled”).

    Regardless, to “fix” this, you need to search for auth and trust in /etc/apt. You can fetch a list of files with auth or trust keywords in them using the command:
    grep -iE ‘auth|trust’ -rl /etc/apt/

    Check the files for proper settings.

    I install all my computers using FAI, and FAI sets this by default (unless you tweak it so it doesn’t). Presumably, this is to prevent install problems with badly implemented local debian repositories. Our repositories are properly implemented (even our custom repository), so we keep auth enabled.

    I don’t know if this is the case with Debian, or just Ubuntu, but the fix is the same in any case.

  16. Peter says:

    Thank you, thank you, thank you! :)

  17. Andrew says:

    thanks. this worked perfectly! :)

  18. Ming says:

    Thx, bro!

  19. Steffen says:

    Thx!

  20. Andy says:

    I had to update the keyring and tell it to install the unverified keyring package. Then everything worked. I could not find a solution that didn’t require the installation of at least one unverified package.

  21. vileda says:

    thanks!

  22. Paolo says:

    This did not happen in previousnreleases. A major change like this, that brings thousands of users like crazy thinking “why is Linux becoming so fond of labyrinthine solutions to simple questions”, should prompt useful practical info to the user.

  23. Dan says:

    When I run “apt-get install debian-archive-keyring” I get that error itself,

    “WARNING: The following packages cannot be authenticated!
    debian-archive-keyring”

    What now?

    1. jgoerzen says:

      Add –allow-unauthenticated to apt-get

  24. Al says:

    Easiest fix ever!

  25. wtf says:

    Also downloaded the key manually and installed it. Still doesn’t work. Debian has been fucking pissing me off lately. I’m done with it.
    https://ftp-master.debian.org/keys/archive-key-7.0.asc

  26. dindoun says:

    hi
    had the same problem with a usb installation
    solutions i tried :
    install all the keyring : for example apt-get install gnome-keyring debian-keyring debian-ports-archive-keyring debian-archive-keyring
    don’t forget
    apt-key update and apt-get update

    but the solution came from here : https://debian-administration.org/article/174/Using_the_GPG_signature_checking_with_apt_0.6
    i had to install gnupg

    Finally :

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.