
Use hkps by default


Metadata

Project: snapcraft
Number: #5716
Type: issue
State: open
Author: dilyn-corner
Labels: Status: Triaged, Type: Documentation
Created: 2025-08-20 21:15:36+00:00
Updated: 2025-08-21 15:38:29+00:00
Closed:

Issue body

https://github.com/canonical/snapcraft/blob/df4ec6775a28d4a345c93d9f83a1193c0abc1c9d/snapcraft_legacy/internal/repo/apt_key_manager.py#L148-L149

I think there are some circumstances where networks may fail to fetch a key unless `hkps://` is specified instead of the (presumed, usually working) `https://`.

There's at least one observed instance where specifying the keyserver as `hkps://keyserver.ubuntu.com` instead of just `keyserver.ubuntu.com` resulted in a successful key fetch instead of the error being hit previously (something about "unable to fetch GPG key").

While technically hkps is served over port 443 like https, it's possible that some networking setups may not like this. This is largely speculation on my part, but from what I've seen it appears to be good practice to specify hkps.

This may also impact craft-archives here: https://github.com/canonical/craft-archives/blob/92c37a25d8efa7136223222d30043bf3e8d3fd12/craft_archives/repo/apt_key_manager.py#L301

I'm uncertain if this is better off as a code-change or a documentation update. It's probably easier in the documentation to explain that if a GPG key fetch error happens, specifying `key-server: hkps://keyserver.ubuntu.com` or the like may resolve the issue - @medubelko this kind of hits on https://github.com/canonical/craft-archives/issues/190, although some things may be hard-coded...
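One way the code-change option could look, as an added example that is not part of the issue and not snapcraft or craft-archives code: a helper that rewrites a `key-server` value to an explicit `hkps://` URL before it is handed to the key fetch. The function names, the rewrite policy (bare hostnames and `hkp`/`http`/`https` become `hkps`, plaintext ports are dropped) and the sample repository entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy: schemes this sketch will rewrite; "" means a bare hostname.
REWRITABLE = {"", "hkp", "hkps", "http", "https"}
# Ports dropped on rewrite: HTTP (80), HKP (11371), and the TLS default (443).
DROPPED_PORTS = {None, 80, 443, 11371}


def to_hkps(key_server: str) -> str:
    """Return key_server as an explicit hkps:// URL (hypothetical helper)."""
    raw = key_server.strip()
    if "://" not in raw:
        raw = "//" + raw  # lets urlsplit treat a bare "host[:port]" as a netloc
    parts = urlsplit(raw)
    if parts.scheme not in REWRITABLE:
        # e.g. ldap:// is a different protocol; do not silently change it
        raise ValueError(f"refusing to rewrite scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in key-server value {key_server!r}")
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = "" if parts.port in DROPPED_PORTS else f":{parts.port}"
    return f"hkps://{host}{port}"


def pin_hkps(repositories: list[dict]) -> list[dict]:
    """Copy repository entries, normalising any key-server field to hkps."""
    return [
        {**repo, "key-server": to_hkps(repo["key-server"])}
        if repo.get("key-server") else dict(repo)
        for repo in repositories
    ]


# Constructed sample entries (not taken from any real snapcraft.yaml).
SAMPLE = [
    {"type": "apt", "url": "https://repo.example.test/apt",
     "key-server": "keyserver.ubuntu.com"},
    {"type": "apt", "url": "https://repo.example.test/apt2",
     "key-server": "hkp://keyserver.ubuntu.com:11371"},
    {"type": "apt", "url": "https://repo.example.test/apt3"},
]

if __name__ == "__main__":
    for repo in pin_hkps(SAMPLE):
        print(repo.get("key-server", "(no key-server set)"))
```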
