ARTIFACTORY: Resolving "The following signatures couldn't be verified" or "Error: GPG check FAILED" due to GPG key update

ARTIFACTORY: Resolving "The following signatures couldn't be verified" or "Error: GPG check FAILED" due to GPG key update
AuthorFullName__c
Nathan Amiel
articleNumber
000006340
FirstPublishedDate
2025-01-23T11:54:12Z
lastModifiedDate
2025-07-20
VersionNumber
10

Introduction

Effective January 19, 2025, JFrog has updated its primary GPG (GNU Privacy Guard) key used for signing all JFrog binaries, this change will also affect (JFrog CLI v2). 

The new key is a 4096-bit RSA key, which provides improved security compared to the previous 1024-bit secondary GPG key.

From this date onward, the Debian signed repository (artifactory-pro-debs) will also be signed using the new primary GPG key. Consequently, installation commands have been revised to reflect this update.


Issue 
If you attempt to run the command to install Artifactory:
apt-get update && sudo apt-get install jfrog-artifactory-pro=<VERSION>

 

You may encounter the following error message:
Err:8 https://releases.jfrog.io/artifactory/artifactory-pro-debs focal InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DE70421F135DCA68
Reading package lists... Done
W: GPG error: https://releases.jfrog.io/artifactory/artifactory-pro-debs focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DE70421F135DCA68
E: The repository 'https://releases.jfrog.io/artifactory/artifactory-pro-debs focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
OR 
Get:5 https://releases.jfrog.io/artifactory/artifactory-debs bionic InRelease [2936 B]
Err:5 https://releases.jfrog.io/artifactory/artifactory-debs bionic InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B219DCCD7639232
Reading package lists... Done

W: GPG error: https://releases.jfrog.io/artifactory/artifactory-debs bionic InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B219DCCD7639232
E: The repository 'https://releases.jfrog.io/artifactory/artifactory-debs bionic InRelease' is not signed.

 

If you attempt to run the command to install JFrogCLI:
yum install -y jfrog-cli-v2-jf

 

You may encounter the following error message:
Error: GPG check FAILED
This error occurs because the public key required to verify the repository signatures is not available on your system.

 


Resolution  

Artifactory:

To resolve the error for Artifactory, follow the steps below to download and import the new GPG keys:

Step 1: Download the Primary GPG Key

Run the following command to download the new primary GPG key:
curl -L https://releases.jfrog.io/artifactory/api/v2/repositories/artifactory-pro-debs/keyPairs/primary/public -o jfrog_primary_public_key.pub

 

Step 2: Download the Secondary GPG Key

Then, download the secondary GPG key with the command:
curl -L https://releases.jfrog.io/artifactory/api/v2/repositories/artifactory-pro-debs/keyPairs/secondary/public -o jfrog_secondary_public_key.pub

 

Step 3: Import the GPG Keys

Finally, import both keys into your GPG keyring using the command:
gpg --import jfrog_primary_public_key.pub jfrog_secondary_public_key.pub

 

Step 4: Add the Key to the APT Trusted Keys

To ensure that apt can recognize the key, you might want to add it directly to the APT's trusted keys:
# Note: Replace "primary 6B219DCCD7639232" with "secondary DE70421F135DCA68" if you need to add that as well
gpg --export --armor 6B219DCCD7639232 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/jfrog.gpg

 OR you can run the following command downloads and adds the key in one step, meaning you don't retain a local copy of the key file. 
wget -qO - 
https://releases.jfrog.io/artifactory/api/v2/repositories/artifactory-pro-debs/keyPairs/primary/public | sudo apt-key add -;

 

JFrog CLI:

To resolve the error for JFrog CLI, follow the steps below to download and import the new GPG keys:

Debian:
# Download and save the JFrog GPG key to a keyring file

wget -qO - https://releases.jfrog.io/artifactory/api/v2/repositories/jfrog-debs/keyPairs/primary/public | sudo gpg --dearmor -o /usr/share/keyrings/jfrog.gpg

 

RPM:
# Import GPG keys for verifying packages 

# Note: Two keys are imported for backward compatibility with older versions 

rpm --import https://releases.jfrog.io/artifactory/api/v2/repositories/jfrog-rpms/keyPairs/primary/public && 

rpm --import https://releases.jfrog.io/artifactory/api/v2/repositories/jfrog-rpms/keyPairs/secondary/public &&
After completing these steps, you should be able to update your package index and install the JFrog Artifactory Pro without encountering signature verification errors.

For more information, please refer to our documentation: JFrog Installation Setup Documentation - Verifying Signatures of JFrog Binaries.