This morning, after returning home from a mini trip, I decided to run apt update and apt upgrade from the command line just to see whether there had been any updates while I was offline. After issuing the update command, something didn't seem quite right; I was seeing messages along the lines of:
W: https://updates.example.com/desktop/apt/dists/xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
True, it's just a warning, but still there's that scary word, deprecation, which usually means it's going away soon. So I thought I should take a look. Based on what I found, I thought my experience would be worth sharing.
It turns out that I have older configurations for some repositories, artifacts of installation processes from "back in the day," that needed adjustment. Taking my cue from the warning message, I ran man apt-key on the command line, which provided several interesting bits of information. Near the beginning of the man page:
apt-key is used to manage the list of keys used by apt to authenticate packages. Packages which have been authenticated using these keys are considered trusted.
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring. If such usage of apt-key is desired, the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is required.
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Last available in "Debian 11 and Ubuntu 22.04" is pretty much right now for me. Time to fix this!
Fixing the apt-key deprecation error
Further on in the man page, there's the deprecation section mentioned in the warning from apt update:
DEPRECATION
Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section shows how to replace the existing use of apt-key.
If your existing use of apt-key add looks like this:
wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -
Then you can directly replace this with (though note the recommendation below):
wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc
Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also known as "GPG key public ring"). The binary OpenPGP format works for all apt versions, while the ASCII armored format works for apt version >= 1.4.
Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list without an additional file.
If you, like me, have keys from non-repository stuff added with apt-key, then here are the steps to transition:
- Determine which keys are in the apt-key keyring /etc/apt/trusted.gpg
- Remove them
- Find and install replacements in /etc/apt/trusted.gpg.d/ or in /etc/apt/keyrings/
1. Finding old keys
The command apt-key list shows the keys in /etc/apt/trusted.gpg:
$ sudo apt-key list
[sudo] password:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-04-05 [SC]
DBE4 6B52 81D0 C816 F630 E889 D980 A174 57F6 FB86
uid [ unknown] Example <help@example.com>
sub rsa4096 2017-04-05 [E]

pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2021-10-26 [S] [expires: 2024-10-25]
[...]
Also shown afterward are the keys held in files in the /etc/apt/trusted.gpg.d folder.
2. Removing old keys
The group of quartets of hex digits, for example DBE4 6B52...FB86, is the identifier required to delete the unwanted keys:
$ sudo apt-key del "DBE4 6B52 81D0 C816 F630 E889 D980 A174 57F6 FB86"
This removes the Example key. That's really just an example, and in reality you'd get rid of keys that actually exist. For instance, I ran the same command for each of the real keys on my system, including keys for Google, Signal, and Ascensio. Keys on your system will vary, depending on what you have installed.
3. Adding keys
Getting the replacement keys is dependent on the application. For example, Open Whisper offers its key and an explanation of what to do to install it, which I decided not to follow as it puts the key in /usr/share/keyrings. Instead, I did this:
$ wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
$ sudo mv signal-desktop-keyring.gpg /etc/apt/trusted.gpg.d/
$ sudo chown root:root /etc/apt/trusted.gpg.d/signal-desktop-keyring.gpg
$ sudo chmod ugo+r /etc/apt/trusted.gpg.d/signal-desktop-keyring.gpg
$ sudo chmod go-w /etc/apt/trusted.gpg.d/signal-desktop-keyring.gpg
Ascensio also offers instructions for installing OnlyOffice that include dealing with the GPG key. Again I modified their instructions to suit my needs:
$ gpg --no-default-keyring --keyring gnupg-ring:~/onlyoffice.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
$ sudo mv ~/onlyoffice.gpg /etc/apt/trusted.gpg.d/
$ sudo chown root:root /etc/apt/trusted.gpg.d/onlyoffice.gpg
$ sudo chmod ugo+r /etc/apt/trusted.gpg.d/onlyoffice.gpg
$ sudo chmod go-w /etc/apt/trusted.gpg.d/onlyoffice.gpg
As for the Google key, it's managed (correctly, it appears) through the .deb package, and so a simple reinstall with dpkg -i was all that was needed. Finally, I ended up with this:
$ ls -l /etc/apt/trusted.gpg.d
total 24
-rw-r--r-- 1 root root 7821 Sep 2 10:55 google-chrome.gpg
-rw-r--r-- 1 root root 2279 Sep 2 08:27 onlyoffice.gpg
-rw-r--r-- 1 root root 2223 Sep 2 08:02 signal-desktop-keyring.gpg
-rw-r--r-- 1 root root 2794 Mar 26 2021 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 26 2021 ubuntu-keyring-2018-archive.gpg
Expired keys
The last problem key I had was from an outdated installation of QGIS. The key had expired, and I'd set it up to be managed by apt-key. I ended up following their instructions to the letter, both for installing a new key in /etc/apt/keyrings and their suggested format for the /etc/apt/sources.list.d/qgis.sources installation configuration.
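The Signed-By recommendation in the man page is about scope: a key in trusted.gpg or trusted.gpg.d is accepted for every repository that does not set Signed-By, while Signed-By ties a repository to one key file. As an added example (not from the article or the apt project), this shell function lists the sources in a directory that have no Signed-By; the file names and example.* URLs in demo are constructed.

```sh
#!/bin/sh
# Added example (not from the article): list apt sources with no Signed-By,
# i.e. entries checked against every key in trusted.gpg and trusted.gpg.d.

audit_sources() {
    dir=${1:-/etc/apt/sources.list.d}

    # One-line format: deb [option=value ...] URI suite [component ...]
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        awk -v f="${f##*/}" '
            /^[ \t]*deb(-src)?[ \t]/ {
                if (tolower($0) ~ /\[[^]]*signed-by=/) next
                line = $0
                sub(/\[[^]]*\]/, "", line)   # drop the option block
                split(line, a, " ")
                print f ": " a[2]
            }' "$f"
    done

    # deb822 format: "Key: value" stanzas separated by blank lines
    for f in "$dir"/*.sources; do
        [ -f "$f" ] || continue
        awk -v f="${f##*/}" '
            function emit() {
                if (uris != "" && !pinned) print f ": " uris
                uris = ""; pinned = 0
            }
            /^[ \t]*$/ { emit(); next }
            /^#/       { next }
            { key = tolower($1) }
            key == "uris:"      { uris = $2 }
            key == "signed-by:" { pinned = 1 }
            END { emit() }' "$f"
    done
}

# Constructed sample files (hypothetical names and URLs) for a dry run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'deb https://legacy.example/apt stable main' \
        'deb [signed-by=/etc/apt/keyrings/ok.gpg] https://ok.example/apt stable main' > "$d/a.list"
    printf '%s\n' 'Types: deb' 'URIs: https://unpinned.example/apt' \
        'Suites: stable' > "$d/b.sources"
    audit_sources "$d"
    rm -rf "$d"
}

demo
```

On a real system, run audit_sources /etc/apt and audit_sources /etc/apt/sources.list.d; each line printed is a "FILE: URI" entry without Signed-By. Stanzas marked Enabled: no are still reported.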
Linux system maintenance
Now you can run apt update with no warnings or errors related to deprecated key configurations. We apt users just need to remember to adjust any old installation instructions that depend on apt-key. Instead of using apt-key, you must instead install a key to /etc/apt/trusted.gpg.d/ or /etc/apt/keyrings/, using gpg as needed.