Debian Unstable Public Key Not Available

Followed instructions for enabling testing repositories here. Both the main and testing repos fetched just fine. Unstable won’t because the public key isn’t available.

user@debian-11-TESTING:~$ sudo apt update
Hit:1 https://deb.debian.org/debian bullseye InRelease
Hit:2 https://deb.debian.org/debian-security bullseye-security InRelease
Get:3 https://deb.qubes-os.org/r4.1/vm bullseye-unstable InRelease [2,501 B]
Err:3 https://deb.qubes-os.org/r4.1/vm bullseye-unstable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7AF9C6537BB6DE87
Reading package lists... Done
W: GPG error: https://deb.qubes-os.org/r4.1/vm bullseye-unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7AF9C6537BB6DE87
E: The repository 'https://deb.qubes-os.org/r4.1/vm bullseye-unstable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I tried retrieving the key, but it required network access to do so.

user@debian-11-TESTING:~$ apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7AF9C6537BB6DE87
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.MaWpGDVhta/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 7AF9C6537BB6DE87
gpg: keyserver receive failed: Network is unreachable

Even with temporary network access though, it still doesn’t work.

user@debian-11-TESTING:~$ apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7AF9C6537BB6DE87
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.xr4eHFl6T6/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 7AF9C6537BB6DE87
gpg: keyserver receive failed: No data

Maybe I’m supposed to be using gpg? I tried following some solutions using it, but to no avail. I notice that the instructions only have you enable lines in the qubes-r4.list file, but not add any in the sources.list file, so I suppose I’ll try that next.

Did you find a fix? Having the same problem.

You have this key as RPM-GPG-KEY-qubes-4.1-unstable in dom0 under
/etc/pki/rpm-gpg

use qvm-copy-to-vm to get it in to the template and then install it
in /etc/apt/trusted.gpg.d as usual.
You’ll need to dearmor the key with gpg --dearmor before it is usable
by apt.

I have exactly the same problem but after floowing your advice, it does not work. My key ID for the missing pub key is 43B760F197CA1BF5

You do not have the same problem at all - the advice given related to
NO_PUBKEY 7AF9C6537BB6DE87 - that’s a different key.

Every PGP key has a fingerprint which is unique. For convenience you
can use an ID, (either long or short), which is derived from the
fingerprint.

You have this key in any Debian based qube - use qvm-copy to get it :
qvm-copy /apt/trusted.gpg.d/qubes-archive-keyring.gpg
Then, in your debian-12 move the key from QubesIncoming to /apt/trusted.gpg.d/

This key is also available from any keyserver, and from the Qubes
keyserver at Index of /keys/
The Qubes OS 4 Debian Packages Signing Key, has fingerprint:
A55DC100FFD712ADB92B5B1043B760F197CA1BF5
Long ID - 43B760F197CA1BF5
Short ID 97CA1BF5

You’ll see that the IDs are just the final 16/8 characters from the
fingerprint.
The Short form is included for completeness - you should not use it.