Google Earth .deb installer PGP keys needing updating

Created by Steven Baltakatei Sandoval on 2020-01-30T17:17Z under a CC BY-SA 4.0 license and last updated on 2020-01-30T18:21Z.


As of 2020-01-30, I think the PGP keys within the Google Earth .deb installer for GNU/Linux need updating. Updating keys via wget / apt-key add command at fixes problem.

The Problem

Today (2020-01-30), I noticed that Google Earth is unable to update on my Debian 10 machine even after running the latest installer from .

    $ sudo apt-get update
    Ign:1 stable InRelease
    Hit:2 buster InRelease
    Hit:3 buster-updates InRelease
    Get:4 stable Release [933 B]
    Get:5 stable Release.gpg [819 B]
    Hit:7 buster/updates InRelease
    Err:5 stable Release.gpg
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
    Fetched 819 B in 1s (1,123 B/s)
    Reading package lists...


I see that rsa4096/0x78BD65473CB3BD13 is a signing subkey of primary key rsa4096/0x7721F63BD38B4796, which can be obtained by following instructions at the Google Linux Package Signing Keys page. However, I cannot find this signing subkey within the Google Earth .deb installer (SHA256 hash: 57b6c970609dc2960e9255b08a7ddf3af2581cb7c06ff92d16820269d0b2530d).

The Fix


Side notes

Feel free to skip this section. These are some bash commands and information that I found useful while troubleshooting but aren't required to understand the problem or solution.

  1. Import PGP keys into gpg from clipboard to a temporary keyring

    $ gpg --no-default-keyring --keyring /tmp/testkeyring.gpg --import

    This command, if run in bash, won't finish until you supply a line break ("Return") immediately followed by an End-of-Transmission (EOT) character. The EOT character can be entered by pressing the Ctrl and D keys at the same time. Before you enter the EOT character, an ASCII-armored PGP key may be pasted (ex: via xclip or whatever "copy & paste" functionality your windowing system uses). This feeds gpg the PGP key for importing into the temporary keyring located at /tmp/testkeyring.gpg.

  2. Get specific key details within a specified keyring

    $ gpg --no-default-keyring --keyring /tmp/testkeyring.gpg -k Google

    The -k option (an abbreviation for --list-public-keys) causes gpg to list all public keys in the specified keyring. The Google string at the end causes gpg to only list public keys that contain "Google" in their UIDs. "Google" could also be replaced by the long or short ID of a key (ex: 0x7721F63BD38B4796).

  3. Search plaintext of all files within a directory (including subdirectories)

    $ grep -ri "PGP PUBLIC KEY BLOCK" ~/Downloads/google-earth-pro-stable_current_amd64

    This command uses grep to search for the text string PGP PUBLIC KEY BLOCK within any text file within a directory tree starting at ~/Downloads/google-earth-pro-stable_current_amd64. This was how I found the PGP keys stored within the postinst, postrm, and google-earth-pro files.

  4. See what public keys are present within the /etc/apt/trusted.gpg keyring

    $ gpg --no-default-keyring --keyring /etc/apt/trusted.gpg -k

    This command may be useful for troubleshooting when apt cannot locate the public key it needs to verify newly downloaded packages. The man page for apt-key indicates that keys should be placed in individual keyring files located within /etc/apt/trusted.gpg.d, especially since apt-key add is deprecated. Google Earth violates the Debian recommendation to store third-party PGP keys within /usr/share/keyrings.
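
The keyring check from the side notes, as an added example that is not part of the original post: it pulls the key IDs out of apt's NO_PUBKEY error and looks for each one, as a primary key or as a subkey, in the machine-readable listing that gpg prints with --with-colons. The function names are hypothetical and the sample listings are constructed; only the two real key IDs come from the post, and the "stale" keyring holding the primary key without the new subkey is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print each key ID that apt reported after NO_PUBKEY (apt output on stdin).
no_pubkey_ids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "NO_PUBKEY") print toupper($(i + 1)) }' | sort -u
}

# Search `gpg --with-colons --list-keys` output (stdin) for key ID $1.
# Field 1 is the record type (pub/sub), field 5 the 64-bit key ID.
# Prints where the ID was found; returns 1 if it is absent.
find_key_id() {
    want=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { primary = $5 }
        ($1 == "pub" || $1 == "sub") && $5 == want {
            print ($1 == "pub" ? "primary key" : "subkey of " primary)
            found = 1; exit
        }
        END { exit !found }'
}

# $1 = apt-get update output, $2 = colon listing of one keyring.
# Returns 1 if any key ID apt asked for is absent from that keyring.
check_keyring() {
    rc=0
    for id in $(printf '%s\n' "$1" | no_pubkey_ids); do
        if where=$(printf '%s\n' "$2" | find_key_id "$id"); then
            echo "$id present ($where)"
        else
            echo "$id MISSING"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data: an abbreviated form of the apt error from the post
# and two colon listings (timestamps, flags and the 0000... subkey are made up).
APT_OUT='Err:5 stable Release.gpg
  ... the public key is not available: NO_PUBKEY 78BD65473CB3BD13'
STALE='pub:-:4096:1:7721F63BD38B4796:1460000000:::-:::scSC:
sub:-:4096:1:0000000000000001:1460000000::::::s:'
FRESH="$STALE
sub:-:4096:1:78BD65473CB3BD13:1540000000::::::s:"

check_keyring "$APT_OUT" "$STALE" || echo "stale keyring: import the updated key"
check_keyring "$APT_OUT" "$FRESH"
```

On a real system, pass the output of `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --with-colons --list-keys` in place of the sample listings. A primary key that is present while the signing subkey is missing produces the same NO_PUBKEY error as a keyring with no key at all.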

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.