I think I found out in the meantime. The answer is that the keys must be copied with the closed repository to the offline site. Otherwise apt-get update will not access the files and will throw errors.

The keys do not have to be stored with the offline repository, though. They may be stored anywhere, e.g. a central file server, NAS etc. The keys must be copied to every offline computer that wants to install from the offline archive. For example, the keys are stored in a local Samba share smb://PPA-Keys that was mounted to /mnt/test on a new computer. This would copy the keys to the required location:

    sudo cp /mnt/test/*.gpg /etc/apt/trusted.gpg.d/

The main issue is, however, to get the keys in the first place. By adding the repository with add-apt-repository the process is easy. The key should be placed in the folder /etc/apt/trusted.gpg.d/ so just collect it there.


    sudo add-apt-repository ppa:libreoffice/ppa
    cp /etc/apt/trusted.gpg.d/libreoffice_ubuntu_ppa.gpg /mnt/test/libreoffice.gpg

If there is no key at that location, it has been added to the general keychain in trusted.gpg. Instead of extracting it from there, it is easier to download the key from the PPA site manually. The download is only a text file (*.key or *.asc), so we need to convert it to a binary gpg key. The example assumes that the text key is in the file libreoffice.asc:


    cat libreoffice.asc | gpg --dearmor > libreoffice.gpg

The keys for the Ubuntu repository are in the /etc/apt/trusted.gpg file. If they are lost or broken, just copy that file from another machine or a fresh installation.
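
An added example, not part of the original answer: a shell check that sorts the key files collected on the share into binary keys and text keys before they are copied into the trust directory, so a text key that was never converted is caught before apt-get update fails on the offline machine. The function names key_format and stage_keys are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer): check key files before they
# are copied into an APT trust directory such as /etc/apt/trusted.gpg.d/.

# Print "armored", "binary" or "unsupported" for the key file in $1.
key_format() {
    # Text keys (*.asc, *.key) start with the ASCII-armor header.
    if LC_ALL=C head -n 1 "$1" |
        LC_ALL=C grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
        return 0
    fi
    # A binary key starts with an OpenPGP public-key packet (tag 6):
    # first byte 0x98-0x9b in the old packet format, 0xc6 in the new one.
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        98|99|9a|9b|c6) echo binary ;;
        *) echo unsupported ;;
    esac
}

# Copy every binary key from directory $1 into directory $2 as NAME.gpg,
# world-readable. Text keys and unrecognised files are reported and skipped;
# the function returns 1 if anything was skipped.
stage_keys() {
    skipped=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        name="${name%.*}.gpg"
        case "$(key_format "$f")" in
            binary)
                cp "$f" "$2/$name" && chmod 0644 "$2/$name" ;;
            armored)
                echo "skip $f: text key, convert with gpg --dearmor first" >&2
                skipped=1 ;;
            *)
                echo "skip $f: not an OpenPGP public key" >&2
                skipped=1 ;;
        esac
    done
    return "$skipped"
}
```

With the paths from the answer, this would be run as `sudo sh -c '. ./stage_keys.sh; stage_keys /mnt/test /etc/apt/trusted.gpg.d'`, where stage_keys.sh is an assumed file name for the block above.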