If you’re using the native desktop Spotify client on Debian or Ubuntu, you may have noticed that they don’t seem to have figured out how to rotate their apt signing keys automatically. This means that apt updates will periodically fail with the following message:
GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF1234567890 The repository 'http://repository.spotify.com stable InRelease' is not signed.
Spotify’s instructions on how to set up apt seem to be buried in search engine results under a massive number of community forum posts complaining that the key has expired. Therefore this is a quick summary of how to fix it, in line with current best practice (specifically, not using the deprecated apt-key command, which is mentioned in many search results related to updating apt signing keys).
curl -sS https://download.spotify.com/debian/pubkey_ABCDEF1234567890.gpg | sudo gpg --no-default-keyring --dearmor > /etc/apt/keyrings/spotify.gpgYou’ll need to substitute ABCDEF1234567890 with the actual key referenced in the error message. In order for this command to work exactly as written, you will also need to have included the signed-by option in your apt config for Spotify.
From Ubuntu 24.04 and Debian 13 (Trixie) onwards, you should create the file /etc/apt/sources.list.d/spotify.sources with the following contents:
Types: deb
URIs: http://repository.spotify.com
Suites: stable
Components: non-free
Signed-By: /etc/apt/keyrings/spotify.listThis is in the newer deb822 format for apt sources. Spotify hasn't caught up to the new format, so you should also edit /etc/apt/sources.list.d/spotify.list that they supply, and comment out all of the entries by putting a # at the beginning of each line. (If you don’t, then apt will warn you about duplicate sources every time you update. Deleting the old .list file won't work because it gets recreated every time there is an update to the Spotify client. And just sticking with the old .list format means that every time you upgrade Ubuntu/Debian, you will get prompted to migrate it to the new format.)
If you’re on an older version of Debian or Ubuntu then you should use /etc/apt/sources.list.d/spotify.list with the following contents:
deb [signed-by=/etc/apt/keyrings/spotify.list] http://repository.spotify.com stable non-freeAlternatively, you can just store the key in /etc/apt/trusted.gpg.d/spotify.list, but be aware that this will make it valid for signing all packages (which is the security issue that the deprecation of apt-key was supposed to fix).