Can't upgrade Jenkins on Debian11, the public key is not available: NO_PUBKEY FCEF32E745F2C3D5

Question

I try to upgrade jenkins.

I use the new way to use gpg keys:

wget https://pkg.jenkins.io/debian-stable/jenkins.io.key 
gpg --dearmor jenkins.io.key
mv jenkins.io.key.gpg /usr/share/keyrings/jenkins-keyring.asc

cat /etc/apt/sources.list.d/jenkins.list

deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/

apt-key:

apt-key list | grep -i jenkins # nothing

# file /usr/share/keyrings/jenkins-keyring.asc
/usr/share/keyrings/jenkins-keyring.asc: PGP/GPG key public ring (v4) created Mon Mar 30 15:10:17 2020 RSA (Encrypt or Sign) 4096 bits MPI=0x99a14538d6e6150d...

But when I run apt update:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5
W: Failed to fetch https://pkg.jenkins.io/debian-stable/binary/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5
W: Some index files failed to download. They have been ignored, or old ones used instead.

What's wrong?

Answer 1

Repository signing keys were changed.

Beginning March 28, 2023, the Jenkins weekly releases will use new repository signing keys for the Linux installation packages. The same change will be made in Jenkins LTS releases beginning April 5, 2023. Administrators of Linux systems must install the new signing keys on their Linux servers before installing Jenkins Jenkins weekly 2.397 or Jenkins LTS 2.387.2.

https://www.jenkins.io/blog/2023/03/27/repository-signing-keys-changing/

Install the new signing keys, and wait for updating repository signed by new key until 5 April.

Answer 2

This is not a problem on your end. That key has expired.

$ gpg --import jenkins.io.key 
gpg: key FCEF32E745F2C3D5: public key "Jenkins Project <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --fingerprint FCEF32E745F2C3D5
pub   rsa4096 2020-03-30 [SC] [expired: 2023-03-30]
      62A9 756B FD78 0C37 7CF2  4BA8 FCEF 32E7 45F2 C3D5
uid           [ expired] Jenkins Project <[email protected]>

You could email the address attached to the key to inform them about it, or wait for them to notice it and upload an updated key.

---

While what I said is true on Debian 11 (bullseye), I'm getting a different error than you. My error says:

W: GPG error: ... EXPKEYSIG FCEF32E745F2C3D5

Yours says:

... GPG error: ... NO_PUBKEY FCEF32E745F2C3D5

That plus a few other small textual differences between our outputs makes me think you are on an older version of debian. I'm able to get the same output on buster, so is it possible you are running stretch (deb 9)? If you are running stretch, then you may need to resort to apt-key add jenkins.io.key (though you'll still get the EXPKEYSIG until jenkins updates).