🔐 How to add and remove GPG keys on Ubuntu

Today we’re going to show you how to list and remove added GPG keys from an Ubuntu system.

What is a GPG key?

GPG, which stands for GNU Privacy Guard (aka GnuPG), is free software that provides cryptographic protection of sensitive data and authentication.

It allows users to communicate securely using public key cryptography.

How does a GPG key work in a repository?

All packages are signed using a private/public key pair.

The user’s private key is kept secret and the public key can be shared with anyone the user wants to communicate with.

Each time you add a new repository to your system, you must also add the repository key so that the APT Package Manager trusts the newly added repository.

Once you’ve added the repository keys, you can ensure that you are getting the packages from a trusted source.

How do I list the keys of a repository?

apt-key is used to manage the list of keys used by apt to authenticate packages.

Trusted keys are stored in the following locations:

  • /etc/apt/trusted.gpg – the keyring of local trusted keys; new keys will be added here.
  • /etc/apt/trusted.gpg.d/ – file fragments for trusted keys; additional keyrings can be stored in this location.

Use the following command to list the trusted keys with their fingerprints:

$ sudo apt-key list

pub   rsa4096 2017-12-15 [SCEA]
      0A0F AB86 0D48 5603 32EF B581 B754 42BB DE9E 3B09
uid           [ unknown] https://packagecloud.io/AtomEditor/atom (https://packagecloud.io/docs#gpg_signing) [email protected]
sub   rsa4096 2017-12-15 [SEA]

pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) [email protected]
sub   rsa4096 2016-04-22 [E]

pub   dsa1024 2007-03-08 [SC]
      4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid           [ unknown] Google, Inc. Linux Package Signing Key [email protected]
sub   elg2048 2007-03-08 [E]

pub   rsa4096 2016-04-12 [SC]
      EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid           [ unknown] Google Inc. (Linux Packages Signing Authority) [email protected]
sub   rsa4096 2019-07-22 [S] [expires: 2022-07-21]

pub   rsa1024 2013-08-13 [SC]
      43E0 7612 1739 DEE5 FB96 BBED 52B7 0972 0F16 4EEB
uid           [ unknown] Launchpad PPA for Numix Maintainers

pub   rsa1024 2012-06-27 [SC]
      D320 D0C3 0B02 E64C 5B2B B274 3766 2239 8999 3A70
uid           [ unknown] Launchpad PPA for Sam Hewitt

pub   rsa4096 2012-05-11 [SC]
      790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) [email protected]

pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) [email protected]

pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) [email protected]

How do I delete repository keys?

You can delete the repository key if it is no longer needed or the repository has already been removed from the system.

To remove a key, pass its full fingerprint in quotes, as shown below (the fingerprint is a 40-character hexadecimal value).

$ sudo apt-key del "D320 D0C3 0B02 E64C 5B2B B274 3766 2239 8999 3A70"

Alternatively, you can remove the key by entering only the last 8 characters of the fingerprint.

$ sudo apt-key del 89993A70

After removing the repository key, run the apt command to update the repository index.

$ sudo apt update

You can verify that the above GPG key has been removed by running the following command.

$ sudo apt-key list
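
An added example (not part of the original article) that parses apt-key list style output for the two steps above. weak_keys flags primary RSA/DSA keys below an assumed 2048-bit threshold, and resolve_key_id shows which full fingerprints an 8-character ID matches, so you can confirm it selects exactly one key before running apt-key del. The function names and MIN_BITS are assumptions; the sample input reuses three entries from the listing above.

```shell
# Added example: audit an `apt-key list` style listing before deleting keys.
MIN_BITS="${MIN_BITS:-2048}"   # assumed policy threshold for RSA/DSA keys

# stdin: key listing; stdout: "<algo> <fingerprint>" per weak primary key.
weak_keys() {
  awk -v min="$MIN_BITS" '
    $1 == "pub" {                        # e.g. "pub   rsa1024 2013-08-13 [SC]"
      algo = $2; bits = algo
      sub(/^[a-z]+/, "", bits)           # "rsa1024" -> "1024"
      pending = (algo ~ /^(rsa|dsa)[0-9]+$/ && bits + 0 < min)
    }
    /^[ \t]+[0-9A-F ]+$/ {               # indented fingerprint line
      gsub(/[ \t]/, "")
      if (pending && length($0) == 40) print algo, $0
      pending = 0
    }'
}

# $1: key ID as typed (8, 16 or 40 hex digits, spaces allowed).
# stdin: key listing. stdout: every full fingerprint ending with that ID.
resolve_key_id() {
  id=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$id" ] || return 1               # an empty ID would match every key
  awk -v id="$id" '
    /^[ \t]+[0-9A-F ]+$/ {
      gsub(/[ \t]/, "")
      if (length($0) == 40 && substr($0, 41 - length(id)) == id) print
    }'
}

# Sample input: three entries from the listing above, uid lines shortened.
sample_listing() {
  cat <<'EOF'
pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key)

pub   dsa1024 2007-03-08 [SC]
      4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid           [ unknown] Google, Inc. Linux Package Signing Key

pub   rsa1024 2012-06-27 [SC]
      D320 D0C3 0B02 E64C 5B2B B274 3766 2239 8999 3A70
uid           [ unknown] Launchpad PPA for Sam Hewitt
EOF
}

sample_listing | weak_keys                 # keys to review for removal
sample_listing | resolve_key_id 89993A70   # must print exactly one fingerprint
```

On a real system, feed either function from sudo apt-key list instead of sample_listing.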