If you’re using the native desktop Spotify client on Debian or Ubuntu, you may have noticed that they don’t seem to have figured out how to rotate their apt signing keys automatically. This means that apt updates will periodically fail with the following message:
GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF1234567890 The repository 'http://repository.spotify.com stable InRelease' is not signed.
Spotify’s instructions on how to set up apt seem to be buried in search engine results under a massive number of community forum posts complaining that the key has expired. Therefore this is a quick summary of how to fix it, in line with current best practice (specifically, not using the deprecated apt-key command, which is mentioned in many search results related to updating apt signing keys).
curl -sS https://download.spotify.com/debian/pubkey_ABCDEF1234567890.gpg | sudo gpg --no-default-keyring --dearmor --yes -o /etc/apt/keyrings/spotify.gpg
You’ll need to substitute ABCDEF1234567890 with the actual key referenced in the error message. In order for this command to work exactly as written, you will also need to have included the signed-by option in your apt config for Spotify.
From Ubuntu 24.04 and Debian 13 (Trixie) onwards, you should create the file /etc/apt/sources.list.d/spotify.sources with the following contents:
Types: deb
URIs: http://repository.spotify.com
Suites: stable
Components: non-free
Signed-By: /etc/apt/keyrings/spotify.gpg
This is in the newer deb822 format for apt sources. Spotify hasn't caught up to the new format, so you should also edit the /etc/apt/sources.list.d/spotify.list file that they supply, and comment out all of the entries by putting a # at the beginning of each line. (If you don’t, then apt will warn you about duplicate sources every time you update. Deleting the old .list file won't work because it gets recreated every time there is an update to the Spotify client. And just sticking with the old .list format means that every time you upgrade Ubuntu/Debian, you will get prompted to migrate it to the new format.)
If you’re on an older version of Debian or Ubuntu then you should use /etc/apt/sources.list.d/spotify.list with the following contents:
deb [signed-by=/etc/apt/keyrings/spotify.gpg] http://repository.spotify.com stable non-free
Alternatively, you can just store the key in /etc/apt/trusted.gpg.d/spotify.gpg, but be aware that this will make it valid for signing all packages (which is the security issue that the deprecation of apt-key was supposed to fix).