ASA Update Fails with a NO_PUBKEY Error on a CIS Hardened Ubuntu Server
Aug 29, 2025
Advanced Server Access
Overview
The apt-get update command is failing with the following error after using the instructions to install or update the ASA agent:
Err:4 https://dist.scaleft.com/repos/deb focal InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 19837E37B8966AE8
Hit:9 https://packages.microsoft.com/ubuntu/20.04/prod focal InRelease
Reading package lists... Done
W: GPG error: https://dist.scaleft.com/repos/deb focal InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 19837E37B8966AE8
E: The repository 'https://dist.scaleft.com/repos/deb focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.Applies To
- Okta Advanced Server Access (ASA)
- Ubuntu
- CIS Benchmark
Cause
The downloaded gpg key file has read permission only for the root user due to the umask 0027 set by the CIS benchmark.
Solution
- Check the permissions of the gpg file.
sudo ls -l /usr/share/keyrings/oktapam-2023-archive-keyring.gpg
- Add read permission for all users if it is missing.
sudo chmod a+r /usr/share/keyrings/oktapam-2023-archive-keyring.gpg
- Run the update again.
sudo apt-get update
