Sources list missing

Good afternoon I have just set up a new Pi4. Discovered that I had no /etc/apt/sources.list. So copied it from my Pi3. Then I get an error:
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E
and upgrade won’t proceed.

Suggestion please


This happens if you mix operating system versions; the cryptographic keys to verify signature on downloads differ between sources.list and the installed operating system configuration.

  • what operating system and version did you use to set up the new Pi 4?

  • what operating system and version did you use to set up the old Pi 3?

  • were there any files in /etc/apt/sources.list.d on the Pi 4? This directory adds to sources.list.

Thanks for replying.

On Pi4, I downloaded a new .img about a week ago. Uname shows:

Linux raspi4 5.4.51-v7l+ #1333 SMP Mon Aug 10 16:51:40 BST 2020 armv7l GNU/Linux

On Pi3, the system has been running for 4years or so, and now shows:
Linux raspp1 5.4.72-v7+ #1356 SMP Thu Oct 22 13:56:54 BST 2020 armv7l GNU/Linux

I did wonder if my upgrades were working.

My /etc/apt/sources.list.d is empty - as intalled.
I have never seen a debian install not have a sources.list before - a few dozen installations over 10 years, including many VBox sessions

Thanks. I also installed about a week ago, with same uname output, but my experience differed from yours;

  • file /etc/apt/sources.list contained
    deb buster main contrib non-free rpi
  • file /etc/apt/sources.list.d/raspi contained
    deb buster main

Both files also contained commented lines. I’ve just loaded the image I used onto a USB hard drive and confirmed the second filesystem has these files to start with; they are not created on first boot, and don’t seem to be changed by first boot.

You’ve tried to repair sources.list but the package signatures can’t be checked. That implies further loss of files, such as the keyring.

Package raspbian-archive-keyring is a critical piece. It installs a file /usr/share/keyrings/raspbian-archive-keyring.gpg which has a sha256sum of 29c11309b6d3b2ec8dced7c999400055752d85b5c87a2ffcb09f84f05648c46b. You might check that.

My guess is your Pi 4 may have had a power failure during the first boot filesystem expansion step, leading to corrupt filesystem metadata and lost files. If it were on my lab bench, I’d set up a second Pi 4, then power down, extract each microSD card, image them, and look for filesystem-level differences with forensic tools or recursive binary diff. If I didn’t have a spare Pi 4, I’d use a second microSD card on the same Pi 4.

Hope that helps.

Thanks again

I just checked my downloaded file:wget -c said file is up to date. So am in the process of creating a new sdcard. I’ll check that for sources.list etc before I try it.

I’m trying to recall if I installed any software, but I can’t. mc file manager is running if that is any indication. It is one of the first apps I install on a new system, but it may have been standard?

Thanks again


No worries.

However, I advise against relying on wget -c, as it only checks the size of the file, not the contents. Use SHA-256 checksums to test the file, see Raspberry Pi OS Downloads for them. Though the symptoms you have presented are not likely to be due to corruption of your download, and more to do with corruption of the microSD card in a marginal power or forced shutdown event.

(The microSD card has a microcontroller onboard that manages flash leveling, and needs a certain amount of time to complete the job after the last command from the host computer. Some firmware on some microSD cards takes longer to do this, or reports success earlier than it should. It is a reason why some products are careful to specify the microSD card models that are supported by their manufacturer.)

Comparing the output of sudo dpkg-query -W between the two installed operating systems will tell you of any packages you installed. The file /var/log/dpkg.log is also a handy audit trail with dates.

Thanks again

The new sdcard directory /media/rootfs/etc/apt has 5 sub-dirs and 3 files, including a sources.list. My Pi4 had the 5 sub-dirs only. The new sdcard has 7 files within those sub-dirs = 10 files all up; my Pi had 1.

And the sudo dpkg-query -W shows another package I installed myself for sure - geany text editor.

So new card ready to try again.

I know I’m irreverent, but I almost never do SHA checks

Guess I’ll be doing a timeshift first up this time. It has saved my . . . many times. Just thought I’d be OK for a few days - WRONG.

Again THANKS for your help.