Solve: Legacy trusted.gpg keyring – ‘apt-key’ Deprecation on Ubuntu 

Solve APT key warning on Ubuntu 22.04 or in other latest versions: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

If we want to install some software on Ubuntu Linux that is not present in the official repository, then we need to use the repository or binary of that tool. However, the repository method is preferable because of future updates. To add any third-party repository we also need to add a new GPG key / public key issued by the developers of the packages we want to install. It helps the system to confirm the packages we are receiving are the same as those published by its developers. Otherwise, the system would not have a relationship of trust – the installation of packages from untrusted sources would be rejected

Earlier the public key is usually downloaded and passed directly to apt-key add, for example till Ubuntu 20.04. However, with Ubuntu in later versions of Ubuntu such as 22.04 LTS, this method has been deprecated. Although yet keys added using the old method in Debian 11 or Ubuntu 22.04 are only marked as deprecated and therefore still available. But in the next major version of these OS, this would be removed as well.

So why is apt-key deprecated?

The reason why apt-key is deprecated is the way of handling the keys. Earlier we use the apt-key command to add a new third-party key in a file called trusted.gpg which also holds the keys of the default system repository as well.  However, that is not an issue. Although adding keys individually in trusted.gpg.d directory under /etc/apt/ for now will remove the error of apt-key deprecated but if we go by security perspective both are doing the same thing. Keys once added either in trusted.gpg or under a directory trusted.gpg.d, the APT will consider them as Trusted ones and gives them the ability to replace any package of the system; which weakens the security of the system.

Hence, it would be better if a key is only accepted for the associated repository. So a 1:1 relationship, instead of a general, unconditional relationship of trust. For this reason, apt-key has been marked as obsolete to switch to this new method. That is the reason why we are getting an APT-key deprecated warning.

Well, currently to remove the warning we can simply save our keys trusted.gpg.d folder. However, we will also discuss the right way to convert and create a Key to use.

How to  Fix Warning: apt-key is deprecated in Ubuntu 22.04 Linux

#1st Method: Create a GPG file using the existing Key:

Check APT-Key List

If after adding some repository and its GPG key using the add-apt key method you start getting a warning of Key deprecated then on your terminal, first list the available keys. For that use the given command:

sudo apt-key list

You will see a list of all added keys trusted on your system. Now, find the software repository key that is creating a problem. For example, here in our case, we have added a PUP key of the MySQL repository that started giving the warning.

 

Create a GPG key for trusted.gpg.d

Here in the screenshot, you can see that we have the Apt Key error for the MySQL added key. Hence, what we do is – copy the last eight digits of the Pub key given for it.

Fix Apt Key Deprecation Error

Once we have copied that, use the following syntax to convert it into a GPG key and save it under the Trusted.gpg.d folder:

sudo apt-key export past-the copied-digits| sudo gpg –dearmour -o /etc/apt/trusted.gpg.d/key-name.gpg

In the above syntax we replace the “past-the-copied-digits” with the last 8 digits we have copied while removing the space between them. And also replace “key-name” with whatever name you want to use to save the key in GPG format. After that hit the Enter Key.

For example:

sudo apt-key export 3A798D29 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/mysql-key.gpg

Now, run the system update command…

sudo apt update

 

#2nd Method: Create a GPG key only accepted for the associated repository

Create a Keyrings folder

First of all, you need a folder: /etc/apt/trusted.gpg.d should not be used, but a separate folder. This is freely selectable, a useful path could be e.g. /usr/local/share/keyrings or already available one /usr/share/keyrings

sudo mkdir /usr/local/share/keyrings

Next, we need the PGP public key that we want to add to our system for a particular repository. So, fi, first download it as a file. Also, before going further check the file, whether it is really a PGP key.

for example:

wget -q -O key.gpg link-to-key

Replace link-to-key with the actual URL to download the key you want to use with the repository.

To show you how? Let’s download the key of Webmin to use it with its repository.

wget -q -O key.gpg http://www.webmin.com/jcameron-key.asc

Check whether the key is valid or not

file key.gpg

Output:

key.gpg: PGP public key block Public-Key (old)

Note: Don’t be confused by old, “PGP public key block Public-Key (old)” is fine.

Now we need to create a key ring that we can pass to APT:

gpg --no-default-keyring --keyring ./tmp.gpg --import key.gpg

Export the created key:

gpg --no-default-keyring --keyring ./tmp.gpg --export --output webmin-key.gpg

Create GPG key

Remove the temporary keys:

rm tmp.gpg key.gpg

webmin-key.gpg is the final key, we need to move to the Keyrings folder or Trusted.gpg.d we have created.

If you move the key the to Trusted.gpg.d folder then you don’t need to point your repository manually to the key location. However, security wise the problem will be the same. APT will trust this key for all packages.

Point the created key to use only for the added Repo

Hence, to solve this and let APT trust the created key only for packages getting from a single repository of Webmin. Move it to the folder we have created.

sudo mv webmin-key.gpg /usr/local/share/keyrings

Go to the repository file for which you have added the GPG key and edit the same. For example, here we are using the Webmin repo file. For that, we need to edit the /etc/apt/sources.list.d/webmin.list. In the same way, you have to edit your software repo file. And point the repo URL link to the created Key.

Syntax:

deb [arch=amd64 signed-by= created-key-path] package-repository-url

Example:

deb [signed-by=/usr/local/share/keyrings/webmin-key.gpg] https://download.webmin.com/download/repository sarge contrib

Of course, this must be adjusted according to the architecture, the path you have chosen, and the package source URL.

Now you can update the package sources normally via sudo apt update so that apt can load the package index from the newly added repository. Your APT will trust the key for the added repository packages not for the whole system.

 

3rd Method: Quick and Forceful Method

Although the methods given above are the recommended ones, however, still someone is looking for a quick method then here is the one.  It is a forceful method because we are not converting keys but instead directly moving legacy keys to a trusted folder, it may be not a wise idea still if you are not finding any other quick way for your Legacy key hen here is the one to use:

cd /etc/apt
sudo cp trusted.gpg trusted.gpg.d

 

 

 

2 thoughts on “Solve: Legacy trusted.gpg keyring – ‘apt-key’ Deprecation on Ubuntu ”

  1. WRONG location! Please correct!

    – Create a Keyrings folder shouldn’t:
    sudo mkdir /usr/local/share/keyrings
    – But should:
    sudo mkdir /usr/share/keyrings (without ../local/..)

    itsfoss.com/apt-key-deprecated/

    Reply
    • It is not the wrong location. There is no hard and fast rule to save the keys. You can choose the even use Documents folder for that. The thing is, we have to point or set the location of the key in the repository list to tell the system where to look for the key for a particular repository. That’s it.

      The main idea is to create a key that is only readable by the system for the repository we have assigned. Hence, we are here the master, to tell the system where to look for the GPG key.

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.