Debian keeps proprietary drivers, firmware, and some dependency wrappers outside the default main archive component, so APT can report packages such as nvidia-driver, firmware-iwlwifi, intel-microcode, or unrar as unavailable until the right components are enabled. To enable contrib and non-free repositories on Debian, update the Debian source entries for your release, then refresh APT so it can see those package indexes.
Debian 13 (trixie) and Debian 12 (bookworm) use main contrib non-free non-free-firmware when you want the full component set from Debian’s own mirrors. Some Debian 12 and 13 installs may already include non-free-firmware, but contrib and non-free still need to be present for packages such as NVIDIA drivers, Steam dependencies, and unrar. Debian 11 (bullseye) uses main contrib non-free because non-free-firmware was introduced in Debian 12.
Enable Contrib and Non-Free Repos on Debian
The DEB822 workflow replaces the Debian source definition with a current /etc/apt/sources.list.d/debian.sources file. Use the block that matches your Debian release, then disable duplicate Debian lines in the legacy /etc/apt/sources.list file if that file still contains active Debian mirror entries. Systems that deliberately keep the older one-line format can use the legacy sources.list workflow instead.
Check Your Debian Release
Confirm the release codename before copying a source block:
grep '^VERSION_CODENAME=' /etc/os-releaseExpected output shows one of the supported codenames:
VERSION_CODENAME=trixie
Use the Debian 13 block for trixie, the Debian 12 block for bookworm, or the Debian 11 block for bullseye.
Prepare APT for HTTPS Sources
These source definitions use Debian’s HTTPS mirrors. Refresh your current package lists, then make sure ca-certificates is installed before switching the source file:
sudo apt update
sudo apt install ca-certificatesIf your current account cannot use
sudo, set that up first with the add a user to sudoers on Debian guide.
Back Up Existing Debian Source Files
Create backups of any existing Debian source files before replacing them:
if [ -f /etc/apt/sources.list.d/debian.sources ]; then
sudo cp -a /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian.sources.bak
fi
if [ -f /etc/apt/sources.list ]; then
sudo cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
fiThe backup commands print no output when a source file is missing. That is normal on systems that only use one source format.
Write Debian 13 Trixie Sources
Debian 13 (trixie) uses main, contrib, non-free, and non-free-firmware for the stable, updates, and security suites:
sudo tee /etc/apt/sources.list.d/debian.sources > /dev/null <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: trixie trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOFWrite Debian 12 Bookworm Sources
Debian 12 (bookworm) uses the same component list as Debian 13:
sudo tee /etc/apt/sources.list.d/debian.sources > /dev/null <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOFWrite Debian 11 Bullseye Sources
Debian 11 (bullseye) uses main, contrib, and non-free. Do not add non-free-firmware to Bullseye because that component does not exist on Debian 11:
sudo tee /etc/apt/sources.list.d/debian.sources > /dev/null <<'EOF'
Types: deb
URIs: https://deb.debian.org/debian
Suites: bullseye bullseye-updates
Components: main contrib non-free
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bullseye-security
Components: main contrib non-free
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOFDisable Duplicate Legacy Debian Entries
Check whether the old one-line source file still has active Debian mirror entries:
grep -nE 'deb([[:space:]]+\[[^]]+\])?[[:space:]]+https?://(deb.debian.org|security.debian.org)' /etc/apt/sources.list 2>/dev/nullIf the command prints active Debian lines, open the file and add # at the start of those Debian mirror lines only:
sudo nano /etc/apt/sources.listLeave third-party entries such as Docker, Google, Microsoft, or application vendor repositories unchanged. The duplicate-source problem comes from defining the same Debian mirror suites in both
sources.listanddebian.sources.
Refresh APT After Enabling Components
Refresh the package index so APT reads the new component list:
sudo apt updateA successful refresh should complete without duplicate-source, missing-component, or signature warnings.
Verify Debian Non-Free Repos Are Enabled
After sudo apt update finishes, confirm the active source format and package candidates. These checks give you stable proof without relying on volatile apt update mirror ordering.
Check DEB822 Components Lines
Print the active component list from the DEB822 file:
grep '^Components:' /etc/apt/sources.list.d/debian.sourcesDebian 13 and 12 should show:
Components: main contrib non-free non-free-firmware Components: main contrib non-free non-free-firmware
Debian 11 should show:
Components: main contrib non-free Components: main contrib non-free
If you chose the legacy sources.list format instead, inspect the active Debian lines there:
grep -nE '^deb([[:space:]]+\[[^]]+\])?[[:space:]]+https?://(deb.debian.org|security.debian.org)' /etc/apt/sources.listConfirm a Non-Free Package Candidate
Check a package that lives in non-free, such as the NVIDIA driver metapackage:
apt-cache policy nvidia-driverRelevant Debian 13 output includes a candidate from the trixie/non-free component:
nvidia-driver:
Installed: (none)
Candidate: 550.163.01-2
Version table:
550.163.01-2 500
500 https://deb.debian.org/debian trixie/non-free amd64 Packages
Version numbers differ by release. Debian 12 currently returns the driver from bookworm/non-free, and Debian 11 returns it from bullseye/non-free.
Confirm Non-Free Firmware on Debian 12 or 13
On Debian 12 or 13, check a firmware package to confirm non-free-firmware is visible:
apt-cache policy firmware-iwlwifiRelevant Debian 13 output includes the trixie/non-free-firmware source line:
firmware-iwlwifi:
Installed: (none)
Candidate: 20250410-2
Version table:
20250410-2 500
500 https://deb.debian.org/debian trixie/non-free-firmware amd64 Packages
On Debian 11, firmware-iwlwifi still comes from bullseye/non-free because Bullseye predates the split into non-free-firmware.
Use Legacy sources.list Format Instead
APT still supports the legacy /etc/apt/sources.list format. Use only one format for the same Debian suites: either keep the DEB822 debian.sources file from the primary workflow, or keep active Debian lines in sources.list. Mixing both creates duplicate repository warnings.
Open the legacy source file if you want to manage Debian components in that format:
sudo nano /etc/apt/sources.listDebian 13 sources.list Example
deb https://deb.debian.org/debian trixie main contrib non-free non-free-firmware
deb https://deb.debian.org/debian trixie-updates main contrib non-free non-free-firmware
deb https://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmwareDebian 12 sources.list Example
deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmwareDebian 11 sources.list Example
deb https://deb.debian.org/debian bullseye main contrib non-free
deb https://deb.debian.org/debian bullseye-updates main contrib non-free
deb https://security.debian.org/debian-security bullseye-security main contrib non-freeIf you keep this legacy format, disable the DEB822 file so APT does not read duplicate Debian suites:
if [ -f /etc/apt/sources.list.d/debian.sources ]; then
sudo mv /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian.sources.disabled
fiAfter editing /etc/apt/sources.list, run sudo apt update and repeat the package-candidate checks.
Understand Debian Archive Components
Debian separates packages by licensing and dependency rules. The Debian archive policy defines the official component boundaries, while the 2022 Debian vote on non-free firmware explains why firmware moved into its own component starting with Debian 12.
| Component | What It Contains | Common Reason to Enable It |
|---|---|---|
| main | DFSG-free software that does not depend on non-free packages. | Default Debian system packages, desktop tools, servers, libraries, and development tools. |
| contrib | DFSG-free software that depends on packages outside main to build or run. | Wrappers, helpers, and packages that need a non-free runtime or companion package, such as some virtualization workflows covered in install VirtualBox on Debian. |
| non-free | Software that does not meet the Debian Free Software Guidelines. | Proprietary drivers, restricted utilities, and packages such as install unrar on Debian. |
| non-free-firmware | Device firmware separated from broader non-free software in Debian 12 and newer. | WiFi firmware, GPU firmware, CPU microcode, and other hardware initialization packages. |
Enabling these components does not install proprietary software by itself. APT downloads metadata for the extra components, then installs packages only when you explicitly run an install command.
Enable Only the Components You Need
The DEB822 and legacy examples enable the common full set for each supported Debian release. If you only need firmware on Debian 12 or 13, you can use main non-free-firmware instead. If you need NVIDIA drivers, Steam dependencies, unrar, or packages that depend on non-free software, include contrib and non-free too.
Keep Backports Separate
The source definitions here do not enable trixie-backports or bookworm-backports. Backports is a separate suite for newer packages on stable releases, not a required part of enabling contrib, non-free, or non-free-firmware. Use the install backports and experimental repositories on Debian guide if you need that workflow.
Debian 11 (bullseye) LTS runs until August 31, 2026 for LTS-supported architectures, but Bullseye no longer has active backports and does not support the
non-free-firmwarecomponent. Keep Bullseye source entries limited tomain contrib non-free, or plan an upgrade from Debian 11 to Debian 12 if you need the newer component layout.
Troubleshoot Debian Non-Free Repository Issues
Most failures come from duplicate source entries, using a Debian 12 or 13 component list on Debian 11, missing HTTPS certificates, or an outdated archive keyring.
APT Reports Duplicate Repository Entries
Duplicate warnings mean the same Debian suite is active in more than one source file:
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:1 and /etc/apt/sources.list.d/debian.sources:1
Find the overlapping Debian entries:
grep -rnE 'deb([[:space:]]+\[[^]]+\])?[[:space:]]+https?://(deb.debian.org|security.debian.org)' /etc/apt/sources.list /etc/apt/sources.list.d/ 2>/dev/nullKeep either the DEB822 file or the legacy Debian lines, not both. After commenting out or removing the duplicate Debian entries, refresh APT:
sudo apt updateDebian 11 Reports Missing non-free-firmware
Debian 11 prints a component warning if non-free-firmware appears in a Bullseye source entry:
W: Skipping acquire of configured file 'non-free-firmware/binary-amd64/Packages' as repository 'https://deb.debian.org/debian bullseye InRelease' doesn't have the component 'non-free-firmware' (component misspelt in sources.list?)
Confirm the bad component is present:
grep -R "non-free-firmware" /etc/apt/sources.list /etc/apt/sources.list.d/ 2>/dev/nullEdit the affected source file, remove non-free-firmware from Bullseye entries, then run:
sudo apt updateAPT Cannot Find Firmware or Microcode Packages
If a firmware or microcode package is missing, APT may show a package-candidate error like this:
E: Package 'intel-microcode' has no installation candidate
The related message ensure you enable the 'non-free-firmware' component in the apt sources means APT cannot see the firmware index that contains packages such as intel-microcode, amd64-microcode, and firmware-iwlwifi. On Debian 12 or 13, confirm that each Debian source stanza includes non-free-firmware:
grep '^Components:' /etc/apt/sources.list.d/debian.sourcesIf non-free-firmware is missing on Debian 12 or 13, add it to each Debian Components: line and run sudo apt update. On Debian 11, use non-free instead because firmware packages remain in that component.
APT Fails with HTTPS 443 or Certificate Errors
HTTPS source entries require the ca-certificates package. Minimal or netinstall systems can fail with TLS or port 443 errors when that package is missing.
If your previous HTTP-based sources still work, install the certificate package first:
sudo apt install ca-certificatesThen rerun the update:
sudo apt updateAPT Fails with NO_PUBKEY
A NO_PUBKEY warning means APT cannot verify the Debian archive metadata with the local archive keyring. Check whether the keyring package is installed:
dpkg -l debian-archive-keyring | grep '^ii'If the package is missing or damaged, reinstall it from your working Debian sources:
sudo apt install --reinstall debian-archive-keyring
sudo apt updatesoftware-properties-common Is Not Needed
Debian does not need Ubuntu’s add-apt-repository workflow to enable official Debian archive components. You do not need software-properties-common for these DEB822 or legacy source edits.
Revert Debian Non-Free Repos to Main Only
To disable these components later, edit the source file you use and change each Debian component list back to main only.
For the DEB822 format, open the source file:
sudo nano /etc/apt/sources.list.d/debian.sourcesFor the legacy format, open sources.list instead:
sudo nano /etc/apt/sources.listFor Debian 12 or 13, change:
Components: main contrib non-free non-free-firmware
To:
Components: main
For Debian 11, change Components: main contrib non-free to Components: main.
If you use legacy sources.list lines, remove contrib, non-free, and non-free-firmware from the end of each active Debian line instead. Refresh APT after saving the file:
sudo apt updateDisabling these components prevents future installs and updates from
contrib,non-free, andnon-free-firmware. Already installed packages remain on the system, but critical firmware or driver packages may stop receiving updates after the components are removed.
Conclusion
APT can now see Debian’s contrib, non-free, and, on Debian 12 or 13, non-free-firmware components without duplicate source entries. That opens the path for hardware and desktop tasks such as install NVIDIA drivers on Debian or install Steam on Debian, while third-party source management belongs in the separate manage third-party repos with extrepo on Debian workflow.
After updating the debian.sources file, I’ve got 443 error responses when running
sudo apt-get update.Solution: before following the steps, install
ca-certificatespackage usingsudo apt-get install ca-certificatesreference: https://askubuntu.com/a/1145374
Thanks for flagging this, and you are absolutely correct. The guide should have accounted for minimal installs missing
ca-certificates. I have added a troubleshooting subsection and FAQ entry covering this exact scenario. Appreciate you bringing it up.Thank you very much for your comprehensive and intuitive guide. Everything to the point with useful examples. This was exactly what I needed. I had installed Debian with Ethernet only and your guide enabled me to add a WiFi connection, now that I cannot use Ethernet.
Anna
Good Evening!
With these command lines, I was able to enable and allow the installation of Steam, which I needed.
Thank you, Joshua James!
Djalma FC
Joshua,
In section
“Confirming the Presence of the Contrib and Non-Free Repositories”
it is written
grep -E “(contrib|non-free)” /etc/apt/sources.list /etc/apt/sources.list
but I think you meant to write
grep -E “(contrib|non-free)” /etc/apt/sources.list
Gérard
Thanks Gérard for pointing out the extra line out for me to fix.