Looks like logging in over tor still works... About the _apt issue
The directory /etc/apt used to have a file called trusted.gpg, holding the signing keys. These keys now exist in separate files in /etc/apt/trusted.gpg.d.
On top of that a 'sandbox' user _apt has been introduced to access files during updating. Unfortunately, the old trusted.gpg file (which is owned by root and has permissions 0600) cannot be accessed by this user.
A temporary/quick fix for this is to set the permissions on that file to 0644. However, this doesn't seem to stick. I know for a fact that it was changed on my laptop, but now it's back to 0600.
The real fix is to get rid of that file altogether. Stretch's apt doesn't need it anymore (even jessie could do without it, in my experience). Before you delete the thing, check which keys it holds with sudo apt-key list
(look at the top line of every entry). For every key that doesn't also appear in one of the files in /etc/apt/trusted.gpg.d, create an export file with apt-key export
and put that file in /etc/apt/trusted.gpg.d (make sure it has an .asc extension). Then you can safely delete trusted.gpg.
Or you can just delete it anyway, check the output of apt update
for missing keys, get those keys (in separate files) from a keyserver and put them in /etc/apt/trusted.gpg.d. Actually, this may be the better choice, because it helps get rid of obsolete keys you may have had in trusted.gpg.
There are two additional issues to note:
1. You must never again import keys with apt-key add
or apt-key adv
, as these functions only know how to import keys into trusted.gpg.
2. Until it is fixed, you must not use software-properties-gtk, either directly or from synaptic (by selecting the second item in the fourth menu - don't know what it's called in English, 'package sources' or 'repositories', most likely).
The second one is particularly nasty, as it creates a totally broken trusted.gpg file which causes errors whether it's accessible or not (https://bugs.debian.org/867681
The NO PUBKEY problem is related. Those are google's keys, inside trusted.gpg, where they can't be accessed anymore. Export them as mentioned above (you can put both of them in the same file).