apt-key is deprecated. How to add the OpenPGP repository signing key without it on Debian, Ubuntu, Linux Mint, Pop!_OS, etc.

This article explains how to securely add OpenPGP keys and third-party APT repositories on Debian, Ubuntu and Linux distributions based on them (such as Linux Mint, Pop!_OS, Elementary OS, etc.), replacing the deprecated apt-key.

When you try to add an APT repository key using apt-key on Debian, Ubuntu and Linux distributions based on them, you will see the following message: “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).”

The apt-key man page mentions that “use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring”, and that “apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.”

The reason for this change is that when an OpenPGP key used to sign an APT repository is added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, APT trusts that key unconditionally for every other repository configured on the system that has no signed-by option (see below), including the official Debian/Ubuntu repositories. As a result, any unofficial APT repository whose signing key is added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. The change was therefore made for security reasons (your safety).

It is also worth noting that the apt-key deprecation message says “Manage keyring files in trusted.gpg.d instead”, while the Debian Wiki says otherwise. That’s because adding an OpenPGP key to /etc/apt/trusted.gpg.d is just as unsafe as adding it to /etc/apt/trusted.gpg, as explained above.

You can continue to use apt-key for now, because it still works. However, it’s best to start transitioning to the signed-by option, as described below, especially if you maintain a third-party repository.

1. Download the APT repository key

According to the Debian Wiki, the key should be downloaded over HTTPS to a location that is only writable by root, for example /usr/share/keyrings. The key file name should contain a short name describing the repository, followed by archive-keyring. For example, if the repository is called myrepository, the key file should be named myrepository-archive-keyring.gpg.

The OpenPGP key file may or may not be ASCII-armored. To check whether a key file is ASCII-armored, download it and run the following command (note that the key file extension can be .gpg, .asc, .key or something else):

file <repo-key>.gpg

If the output of this command is similar to the following, the key is ASCII-armored:

repo-key.gpg: PGP public key block Public-Key (old)

With that said, here is how to download and add the repository signing key to the system correctly and securely:

  • For ASCII-armored OpenPGP keys

To download such an OpenPGP key and add it to your system using wget, use:

wget -O- <https://example.com/key/repo-key.gpg> | gpg --dearmor | sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg

What each part of this command does:

  • wget -O- https://example.com/key/repo-key.gpg: downloads the key from https://example.com/key/repo-key.gpg and writes it to stdout (-O-). Replace this URL with the URL of the key you want to download and add to the system
  • gpg --dearmor: gpg is the OpenPGP encryption and signing tool; its --dearmor option unpacks the input from OpenPGP ASCII armor
  • sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg: as the superuser (sudo), reads standard input, in this case the output of gpg --dearmor, and writes it to the /usr/share/keyrings/<myrepository>-archive-keyring.gpg file. Replace <myrepository> with a descriptive name for the repository whose key you are adding

For example, to add the Signal desktop APT repository key, you can use:

wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/signal-archive-keyring.gpg

Or use the command given as an example on the Debian Wiki (you need to run it as root, for example after running sudo -i; it uses curl instead of wget to download the key):

curl <https://example.com/key/repo-key.gpg> | gpg --dearmor > /usr/share/keyrings/<myrepository>-archive-keyring.gpg

An example of adding the Signal APT repository key using this command:

curl https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > /usr/share/keyrings/signal-archive-keyring.gpg

  • For non-ASCII-armored OpenPGP keys

To download the OpenPGP key with wget and add it to the system, use the following command:

wget -O- <https://example.com/key/repo-key.gpg> | sudo tee /usr/share/keyrings/<myrepository>-archive-keyring.gpg

Or use the command given as an example on the Debian Wiki (you need to run it as root, for example after running sudo -i):

wget -O /usr/share/keyrings/<myrepository>-archive-keyring.gpg <https://example.com/key/repo-key.gpg>

I didn’t add an example here because I couldn’t find a third-party repository that uses non-ASCII-armored OpenPGP keys.

  • To import the OpenPGP key directly from a key server into a file in /usr/share/keyrings:

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/<myrepository>-archive-keyring.gpg --keyserver <hkp://keyserver.ubuntu.com:80> --recv-keys <fingerprint>

Instead of hkp://keyserver.ubuntu.com:80, you can use some other key server if needed.

As an example, we will import the OpenPGP key of the Linux Uprising Shutter PPA into /usr/share/keyrings/linux-uprising-shutter-archive-keyring.gpg (you can get the fingerprint by clicking the green “technical details about this PPA” link on the PPA page, located under “Add this PPA to the system”):

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/linux-uprising-shutter-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1CC3D16E460A94EE17FE581CEA8CACC073C3DB2A
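The download steps above, as an added example that is not part of the original article: a POSIX sh function that fetches a key over HTTPS, dearmors it only when the file is actually ASCII-armored (the check the file command was used for above), refuses the key unless its primary fingerprint matches the one you expect, and installs it root-owned under /usr/share/keyrings. It assumes curl, gpg 2.2 or newer (for --show-keys) and sudo are available.

```shell
# Added example, not from the article or the Debian Wiki.
# is_armored FILE: succeeds if FILE starts with an OpenPGP ASCII armor header
is_armored() {
    head -c 64 "$1" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# primary_fingerprint FILE: prints the fingerprint of the first primary key in a
# binary (dearmored) keyring; the fpr record right after pub is the primary one
primary_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; exit }'
}

# install_repo_key URL NAME EXPECTED_FINGERPRINT
# e.g. install_repo_key https://updates.signal.org/desktop/apt/keys.asc signal <fingerprint>
# installs /usr/share/keyrings/NAME-archive-keyring.gpg
install_repo_key() {
    url=$1; name=$2
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    dest="/usr/share/keyrings/${name}-archive-keyring.gpg"
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;   # TLS is the only transport check
    esac
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    if is_armored "$tmp"; then
        # gpg --dearmor writes the binary form to stdout; keep it in a second temp file
        gpg --dearmor < "$tmp" > "$tmp.bin" && mv "$tmp.bin" "$tmp"
    fi
    actual=$(primary_fingerprint "$tmp")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $url: got '${actual:-none}', expected '$expected'" >&2
        rm -f "$tmp" "$tmp.bin"; return 1
    fi
    # root-owned, world-readable, writable by nobody else
    sudo install -o root -g root -m 0644 "$tmp" "$dest"
    rm -f "$tmp"
    echo "installed $dest (fingerprint $actual)"
}
```

The expected fingerprint comes from the repository's own documentation (for a PPA, the “technical details” link mentioned above), not from the downloaded file itself.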


2. Add a repository sources.list entry

The third-party repository sources.list entry should be added to the /etc/apt/sources.list.d directory instead of directly to the /etc/apt/sources.list file.

Previously, an entry in /etc/apt/sources.list.d looked like this:

deb https://repository.example.com/debian/ stable main

However, to use the key added in step 1, the sources.list entry must now look like this (/etc/apt/sources.list.d/<myrepository>.list):

deb [signed-by=/usr/share/keyrings/<myrepository>-archive-keyring.gpg] <https://repository.example.com/debian/> stable main

It’s important to note that if you also want to add the arch=amd64 option alongside signed-by, you need to separate the two options with a space, as shown below:

deb [arch=amd64 signed-by=/usr/share/keyrings/<myrepository>-archive-keyring.gpg] <https://repository.example.com/debian/> stable main

For example, to add the Signal repository to your Debian/Ubuntu system, create a file called signal.list in /etc/apt/sources.list.d (as the root user; for example, to open it with the Nano command line text editor, run sudo nano /etc/apt/sources.list.d/signal.list) with the following content (assuming you have downloaded the key to /usr/share/keyrings/signal-archive-keyring.gpg as described above):

deb [arch=amd64 signed-by=/usr/share/keyrings/signal-archive-keyring.gpg] https://updates.signal.org/desktop/apt xenial main

Remember to run sudo apt update after adding a new signing key and repository, to refresh the package sources.

You can also add a repository in the Deb822 file format, but to keep things simple, I will not explain it here. You can read about it on the Debian Wiki.
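To check which entries on a system still rely on the globally trusted keyring, here is an added example (not from the article) that walks /etc/apt/sources.list and /etc/apt/sources.list.d/*.list and reports every one-line-style entry that has no signed-by option, or whose signed-by keyring file does not exist. It uses only POSIX sh utilities; Deb822 .sources files are not parsed.

```shell
# Added example, not from the article.
# audit_apt_sources [APT_DIR]   (default /etc/apt)
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
audit_apt_sources() {
    dir=${1:-/etc/apt}
    findings=0
    for f in "$dir/sources.list" "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        lineno=0
        set -f    # no globbing while we word-split entry lines below
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            set -- $line
            # only deb / deb-src entries matter; comments and blank lines are skipped
            case ${1:-} in deb|deb-src) ;; *) continue ;; esac
            # options live between [ and ]; signed-by may list several keyrings separated by commas
            opts=''
            case $line in *'['*']'*) opts=${line#*'['}; opts=${opts%%']'*} ;; esac
            keyrings=''
            for opt in $opts; do
                case $opt in signed-by=*) keyrings=$(printf '%s' "${opt#signed-by=}" | tr ',' ' ') ;; esac
            done
            if [ -z "$keyrings" ]; then
                printf '%s:%d: no signed-by; trusts every key in /etc/apt/trusted.gpg and trusted.gpg.d\n' "$f" "$lineno"
                findings=$((findings + 1))
                continue
            fi
            for k in $keyrings; do
                if [ ! -r "$k" ]; then
                    printf '%s:%d: signed-by keyring %s not found\n' "$f" "$lineno" "$k"
                    findings=$((findings + 1))
                fi
            done
        done < "$f"
        set +f
    done
    [ "$findings" -eq 0 ]
}
```

Run audit_apt_sources with no argument to audit the live system; a non-zero exit status means at least one entry was reported.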


How to remove an existing OpenPGP key added to the APT trusted keyring (/etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d)

When adding an OpenPGP key as described above, if you have previously added it to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, you need to remove the old copy. If you don’t, nothing is gained in terms of security.

Removing an existing OpenPGP key from the /etc/apt/trusted.gpg.d directory should be easy, because the key file name should be descriptive. For example, the Tor repository gpg key file in this directory on my system is named deb.torproject.org-keyring.gpg

So to get rid of an existing key that has been added to /etc/apt/trusted.gpg.d, all you have to do is delete the key file. You need to do this as the root user, so you can either open the directory as root in the file manager of your choice using admin:// (for example, to open the location as root in Nautilus, press Ctrl + L so you can type admin:///etc/apt/trusted.gpg.d in its address bar), or delete it from the command line using the following command:

sudo rm /etc/apt/trusted.gpg.d/<myrepository-keyring.gpg>

The following instructions also apply to keys from the /etc/apt/trusted.gpg.d directory.

As for deleting a gpg key stored in APT’s /etc/apt/trusted.gpg, things are a bit more complicated. Use the following command to list all APT OpenPGP keys imported in both /etc/apt/trusted.gpg and the /etc/apt/trusted.gpg.d directory:

apt-key list

The keys stored in /etc/apt/trusted.gpg should be listed at the top, followed by those from the /etc/apt/trusted.gpg.d directory. You need to check the key uid to find out which key you want to delete. Generally, the uid shows the company or user that signed the key, followed by their email address.

A key from /etc/apt/trusted.gpg is listed by apt-key like this (example):

pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <[email protected]>
sub   rsa4096 2016-04-22 [E]

The key ID is the last 8 characters of the GPG key fingerprint (so in this example, 2980AECF).

To delete a key (from either /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d), you can now use:

sudo apt-key del <KEY-ID>

For example, to remove the key from the example above, use:

sudo apt-key del 2980AECF



Thanks to u/ZebNemeth for the suggestion!