Updating Spotify apt key

If you’re using the native desktop Spotify client on Debian or Ubuntu, you may have noticed that they don’t seem to have figured out how to rotate their apt signing keys automatically. This means that apt updates will periodically fail with the following message:

GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF1234567890
The repository 'http://repository.spotify.com stable InRelease' is not signed.

Spotify’s instructions on how to set up apt seem to be buried in search engine results under a massive number of community forum posts complaining that the key has expired. Therefore this is a quick summary of how to fix it, in line with current best practice (specifically, not using the deprecated apt-key command, which is mentioned in many search results related to updating apt signing keys).

curl -sS https://download.spotify.com/debian/pubkey_ABCDEF1234567890.gpg | gpg --no-default-keyring --dearmor | sudo tee /etc/apt/keyrings/spotify.gpg > /dev/null

You’ll need to substitute ABCDEF1234567890 with the actual key referenced in the error message. In order for this command to work exactly as written, you will also need to have included the signed-by option in your apt config for Spotify. Usually this means you’ll have a file /etc/apt/sources.list.d/spotify.list with the following contents:

deb [signed-by=/etc/apt/keyrings/spotify.gpg] http://repository.spotify.com stable non-free

Alternatively, you can just store the key in /etc/apt/trusted.gpg.d/spotify.gpg, but be aware that this makes it trusted for signing packages from every repository you have configured (which is the security issue that the deprecation of apt-key was supposed to fix).
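The steps above as a small shell helper, which also checks that the downloaded key's fingerprint ends in the key ID apt reported before installing it. This is an added example, not Spotify's or the original post's code; the function names are hypothetical, and it assumes the pubkey_<ID>.gpg URL pattern and the /etc/apt/keyrings/spotify.gpg path used above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the article.

# Constructed sample: the error line quoted in the article.
SAMPLE_APT_ERROR="GPG error: http://repository.spotify.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF1234567890"

# Read apt output on stdin; print each missing key ID once, upper-cased.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{ print toupper($2) }' | sort -u
}

# Download URL, following the pubkey_<ID>.gpg pattern used in the article.
spotify_key_url() {
    printf 'https://download.spotify.com/debian/pubkey_%s.gpg\n' "$1"
}

# Read `gpg --with-colons` output on stdin; succeed only if a primary key or
# subkey fingerprint ends in the 16-hex-digit key ID given as $1.
colons_has_key_id() {
    awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "fpr" && substr($10, length($10) - 15) == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Fetch the key for ID $1, check it really is that key, then install it.
refresh_spotify_key() {
    tmp=$(mktemp) || return 1
    if curl -fsS -o "$tmp" "$(spotify_key_url "$1")" &&
       gpg --show-keys --with-colons "$tmp" | colons_has_key_id "$1"; then
        gpg --no-default-keyring --dearmor < "$tmp" |
            sudo tee /etc/apt/keyrings/spotify.gpg > /dev/null
        rc=$?
    else
        echo "key for $1 missing or fingerprint mismatch; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sudo apt update 2>&1 | missing_key_ids   # then: refresh_spotify_key <ID>
```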
