[NitroPad][Qubes] Gpg: no default secret key: no public key

Hey there,

I am trying for days now to install Qubes… without success. I’m using the official Nitrokey image provided on GitHub.

What I do:

  1. Boot the ISO with a USB stick: works fine
  2. The installer appears and works unattended: works fine
  3. After the installer configured everything the Qubes symbol is shown together with a progress bar: works fine
  4. But then, when the progress bar reaches about one third, the computer shuts down without rebooting, without logs, without one single piece of information
  5. Afterwards I power on the computer again an choose “Default Boot”
  6. “Missing Hash File” message appears, I enter
  7. “Update checksums and sign all files in /boot” message appears, I enter
  8. Confirming that the Nitrokey is connected
  9. /boot/kexec_rollback does not exist: creating new TPM counter appears, I enter the TPM Owner password
  10. Then it says:
gpg: no default secret key: No public key
gpg: signing failed: No public key
/boot: Unable to sign kexec hashes
Failed to sign default config: press Enter to continue 

So it looks for me that one part of the key is missing. But I don’t know how to import it, especially because there is no part in the installation where I am able to insert something.

Thanks in advance!

Hi @yeehaw!

The image you are probably using is OEM installation image, meant for automatic OS install for the vendor (this one I guess). I believe this why you do not see any friendly messages.
Please compare your steps with this guide:

It says to run the signing, which I think you are doing already. The actual problem that the error message refers to, is that public key is lacking from the BIOS memory. What would be required to do is to either find the missing public key or to generate the new key pair, with private part stored on the Nitrokey device (Nitrokey Pro/Storage), and the public key stored on a regular USB flash drive. Then importing and signing the public key to BIOS (available in the menu) should allow later to sign the system files.

I will look into it in next 24 hours and provide a guide. Alternatively, we are working on a new BIOS release (planned to be available this week), which should solve some of the issues.

PS By BIOS here I mean the NitroPad’s starting firmware, which replaced the old BIOS.


We have just released new Heads firmware (previously named “BIOS”) for the NitroPads. Please follow the guide below to update to the latest one:

This should fix your current problems. Otherwise please let me know.