APT Repository Issues and Fixes

Fix broken APT repositories, expired keys, and conflicting PPA problems on Ubuntu 24.04-based systems.

Intermediate Verified Working Updated 7 min read Tested on Linux Mint 22.3 Cinnamon (Ubuntu 24.04 Noble base); also tested on Zorin OS 18.1 Pro Hardware Lenovo ThinkPad L14 Gen 2 (Intel i5-1135G7, 16GB RAM, Intel Iris Xe, 1366x768)

What This Guide Achieves

GoalStatus
Fix duplicate repository warningsDone
Resolve GPG key errorsDone
Clean up old .list files (legacy format)Done
Understand .list vs .sources file formatsDone
Safely remove PPAsDone

The Problem (Windows User Perspective)

On Windows, software updates come from one place (Windows Update or the app itself). On Linux, software comes from repositories — external servers that apt checks for packages. When you install Chrome, Edge, Brave, or add PPAs, each one adds its own repository configuration. Over time, these can conflict, duplicate, or break — especially when repository formats changed from .list (old) to .sources (new) in Ubuntu 24.04.

Understanding the Two File Formats

Ubuntu 24.04 introduced a new repository format. Both formats work, but having both for the same repo causes problems.

Old Format: .list files

Location: /etc/apt/sources.list.d/*.list

deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main

New Format: .sources files (DEB822)

Location: /etc/apt/sources.list.d/*.sources

Types: deb
URIs: https://dl.google.com/linux/chrome/deb/
Suites: stable
Components: main
Architectures: amd64
Signed-By: /usr/share/keyrings/google-chrome.gpg

Key insight: When you install Chrome or Edge via .deb, the installer may create a .sources file. If you previously had a .list file from an older install or manual setup, you now have both — and apt update complains about duplicates.

Diagnosing Issues

Check for Duplicates

# List all repository config files
ls /etc/apt/sources.list.d/

# Look for pairs of .list and .sources for the same app
ls /etc/apt/sources.list.d/ | grep google
# Example problematic output:
# google-chrome.list
# google-chrome.sources

Check for Errors

sudo apt update 2>&1 | grep -E "W:|E:|Err:"

Common error patterns:

  • W: Target ... is configured multiple times — duplicate repos
  • W: ...doesn't support architecture 'i386' — missing arch restriction
  • Err: ... NO_PUBKEY ... — missing GPG signing key

Fix: Duplicate Repository Entries

Chrome (Most Common)

# Check what exists
ls /etc/apt/sources.list.d/ | grep google

# If BOTH google-chrome.list AND google-chrome.sources exist:
sudo rm /etc/apt/sources.list.d/google-chrome.list

# Verify
sudo apt update

Edge

ls /etc/apt/sources.list.d/ | grep microsoft-edge

# If both formats exist:
sudo rm /etc/apt/sources.list.d/microsoft-edge.list

sudo apt update

Brave

ls /etc/apt/sources.list.d/ | grep brave

# If both formats exist:
sudo rm /etc/apt/sources.list.d/brave-browser-release.list

sudo apt update

ONLYOFFICE (Same-File Duplicate)

A different kind of duplicate: both entries in the same .list file. This happens if the echo ... | sudo tee -a command was run twice during ONLYOFFICE setup (-a appends rather than overwrites).

W: Target Packages (main/binary-amd64/Packages) is configured multiple times
in /etc/apt/sources.list.d/onlyoffice.list:1 and /etc/apt/sources.list.d/onlyoffice.list:2

Fix by overwriting the file with a single correct entry (use tee without -a):

echo 'deb [signed-by=/usr/share/keyrings/onlyoffice.gpg] https://download.onlyoffice.com/repo/debian squeeze main' | sudo tee /etc/apt/sources.list.d/onlyoffice.list
sudo apt update

General Rule

When both .list and .sources exist for the same app:

  1. Keep the .sources file (new format)
  2. Remove the .list file (old format)
  3. Run sudo apt update to verify

Fix: SSL Certificate Errors for Third-Party Repositories

Err: https://apt.packages.shiftkey.dev/ubuntu any InRelease
  Certificate verification failed: The certificate is NOT trusted.
  The name in the certificate does not match the expected. [IP: x.x.x.x 443]

W: Failed to fetch https://apt.packages.shiftkey.dev/ubuntu/dists/any/InRelease
  Certificate verification failed

What this means: The SSL certificate on the third-party server is expired or misconfigured. This is a problem on the developer’s server, not your system. Your system is correctly blocking an unverified connection.

What to do:

  • apt will skip updating that specific repository and use the previously cached package list instead. Installed packages from that repo will not be updated until the developer fixes their certificate.
  • This is not a security breach — it means no update happened, not that something malicious occurred.
  • Check whether the developer has acknowledged the issue (GitHub issues page, etc.).

If you want to suppress the error temporarily while waiting for the developer to fix it:

# Disable the repository (rename its .list file so apt ignores it)
sudo mv /etc/apt/sources.list.d/shiftkey-packages.list /etc/apt/sources.list.d/shiftkey-packages.list.disabled

# Re-enable when the developer fixes the certificate
sudo mv /etc/apt/sources.list.d/shiftkey-packages.list.disabled /etc/apt/sources.list.d/shiftkey-packages.list

Do not use --allow-insecure-repositories or --no-check-certificate to bypass SSL errors. This would expose your system to potential package tampering.

Permanent Fix: GitHub Desktop (shiftkey.dev → mirror.mwt.me)

The GitHub Desktop community fork migrated from apt.packages.shiftkey.dev to mirror.mwt.me. The old domain’s SSL certificate is broken and will not be fixed. You must remove the old repo and add the new mirror:

# Remove the broken repository and its old GPG key
sudo rm /etc/apt/sources.list.d/shiftkey-packages.list
sudo rm /usr/share/keyrings/shiftkey-packages.gpg

# Add the new mirror
sudo mkdir -p /etc/apt/keyrings
wget -qO - https://mirror.mwt.me/shiftkey-desktop/gpgkey | gpg --dearmor | sudo tee /etc/apt/keyrings/mwt-desktop.gpg > /dev/null
sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/mwt-desktop.gpg] https://mirror.mwt.me/shiftkey-desktop/deb/ any main" > /etc/apt/sources.list.d/mwt-desktop.list'

# Verify
sudo apt update && sudo apt install github-desktop

Fix: Architecture Warnings (i386)

N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository '...' doesn't support architecture 'i386'

This means a 64-bit-only repository is configured without specifying arch=amd64.

For .list files:

# Edit the file
sudo nano /etc/apt/sources.list.d/google-chrome.list

# Change:
deb https://dl.google.com/linux/chrome/deb/ stable main
# To:
deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main

For .sources files:

sudo nano /etc/apt/sources.list.d/google-chrome.sources

# Add this line if missing:
Architectures: amd64

Fix: GPG Key Errors

Missing Key (NO_PUBKEY)

W: GPG error: https://dl.google.com/linux/chrome/deb stable InRelease:
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABCDEF1234567890

Fix — import the key:

# For Chrome
curl -fsSL https://dl.google.com/linux/linux_signing_key.pub | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg

# For Edge
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | sudo gpg --dearmor -o /usr/share/keyrings/microsoft-edge.gpg

# For Brave
curl -fsSL https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg | sudo tee /usr/share/keyrings/brave-browser-archive-keyring.gpg > /dev/null

Deprecated apt-key Warning

W: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg)

This means a key was added with the old apt-key add method. Modern Ubuntu uses per-repo keyring files in /usr/share/keyrings/.

Fix — migrate to new format:

# Export the key from legacy keyring
sudo apt-key export KEYID 2>/dev/null | sudo gpg --dearmor -o /usr/share/keyrings/repo-name.gpg

# Update the .sources or .list file to reference the new keyring:
# signed-by=/usr/share/keyrings/repo-name.gpg

Safely Removing PPAs

# List installed PPAs
grep -r "ppa" /etc/apt/sources.list.d/

# Remove a PPA and its source file
sudo add-apt-repository --remove ppa:owner/repo-name

# Clean up afterward
sudo apt update

Full PPA Removal Example (Papirus icons)

sudo apt remove --purge papirus-icon-theme papirus-folders
sudo add-apt-repository --remove ppa:papirus/papirus
sudo apt autoremove
sudo apt update

Full PPA Removal Example (FSearch)

sudo apt remove --purge fsearch
sudo add-apt-repository --remove ppa:christian-boxdoerfer/fsearch-daily
sudo apt autoremove --purge
sudo apt update

Clean State Verification

After fixing repository issues, verify everything is clean:

# Check for errors
sudo apt update 2>&1 | grep -E "W:|E:|Err:"

# List all configured repos
ls /etc/apt/sources.list.d/

# Check for duplicate entries
apt-cache policy | grep -E "http" | sort | uniq -d

# Check for orphaned keys
ls /usr/share/keyrings/

What Didn’t Work (and Why)

Approach TriedWhy It Failed
Having both .list and .sources for ChromeCauses “Target is configured multiple times” duplicate warning
Using apt-key add to import GPG keysDeprecated in Ubuntu 24.04 — use /usr/share/keyrings/ instead
Not specifying [arch=amd64] in repo entryTriggers i386 architecture warning on every apt update
Removing a PPA without removing its packages firstPackages remain installed but won’t get updates
Ignoring apt update warningsWarnings accumulate and can eventually become errors
Edit this page on GitHub

Discussion