Solve the APT key warning on Ubuntu 22.04 and later releases: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
If we want to install software on Ubuntu Linux that is not present in the official repositories, we have to use either the developer's own repository or a downloaded binary package of that tool. The repository method is preferable because it keeps delivering future updates. To add a third-party repository we also need to add the GPG public key issued by the developers of the packages we want to install. APT uses it to confirm that the packages we receive are the ones those developers signed. Without it there is no trust relationship, and APT rejects packages from the unverified source.
Until Ubuntu 20.04 the public key was usually downloaded and passed directly to apt-key add. In later releases such as Ubuntu 22.04 LTS this method is deprecated. For now, keys added the old way on Debian 11 or Ubuntu 22.04 are only flagged as deprecated and still work, but apt-key will be removed in the next major version of these distributions.
So why is apt-key deprecated?
The reason is the way the keys are handled. apt-key add stores every third-party key in a single file, /etc/apt/trusted.gpg, next to whatever other keys are already in there (on older releases this included the distribution's own keys). That by itself is not the real issue. Placing each key as its own file under /etc/apt/trusted.gpg.d/ silences the deprecation warning, but from a security perspective both locations do the same thing: every key in trusted.gpg or in trusted.gpg.d is trusted globally, so APT accepts it as a valid signer for every configured repository. That gives the key's owner the ability to replace any package on the system, including packages of the base system, which weakens the security of the whole system.
Hence it is better if a key is accepted only for its associated repository: a 1:1 relationship between key and repository instead of general, unconditional trust. For this reason apt-key has been marked obsolete in favour of this new method, and that is the reason we get the apt-key deprecation warning.
Currently, the warning itself goes away if we simply store our keys as individual files in /etc/apt/trusted.gpg.d/. However, we will also discuss the right way to convert and create a key that is trusted only for the repository it belongs to.
How to Fix Warning: apt-key is deprecated in Ubuntu 22.04 Linux
#1st Method: Create a GPG file using the existing Key:
Check APT-Key List
If you added a repository and its GPG key with apt-key add and have started getting the deprecation warning, first list the keys on your system with the following command:
sudo apt-key list
You will see a list of all keys trusted on your system. Now find the key of the repository that is causing the warning. In our case, the pub key we added for the MySQL repository started giving the warning.
Create a GPG key for trusted.gpg.d
In the output, locate the MySQL key we added (the one the warning refers to). Copy the last eight hex characters of the fingerprint printed under its pub line; that is the key's short ID. (The full 40-character fingerprint also works in the commands below and, unlike the short ID, cannot be confused with another key.)
Once you have copied it, use the following syntax to export the key from the legacy keyring, convert it into a binary GPG keyring and save it under /etc/apt/trusted.gpg.d/:
sudo apt-key export past-the-copied-digits | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/key-name.gpg
In the above syntax, replace past-the-copied-digits with the eight characters you copied, without the space between them, and key-name with whatever name you want for the file. Keep the .gpg extension, because APT only reads files ending in .gpg (binary) or .asc (ASCII-armored) from trusted.gpg.d. Then hit Enter. For example:
sudo apt-key export 3A798D29 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mysql-key.gpg
Now that the key is in trusted.gpg.d, the copy in the legacy keyring is redundant; delete it there with apt-key del and the same key ID so that trusted.gpg does not keep stale keys around. Then run the system update command:
sudo apt update
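The first method, scripted for every key that still lives in the legacy keyring, as an added example that is not part of the original article. It parses the output of sudo apt-key list (a constructed sample below, in the layout Ubuntu 22.04 prints; the vendor, e-mail address and fingerprints are placeholders, not real keys), prints the export, dearmor and cleanup commands for review, and offers a function that runs them. The function names (legacy_keys, keyring_name, migration_commands, migrate_legacy_key) are this example's own. It uses the full fingerprint instead of the eight-character short ID; apt-key export and apt-key del accept both.

```shell
#!/bin/sh
# Added example (not code from the original article): find every key stored in
# the legacy /etc/apt/trusted.gpg keyring and generate its migration to
# /etc/apt/trusted.gpg.d. The apt-key output below is a constructed sample in
# the layout Ubuntu 22.04 prints; vendor, e-mail and fingerprints are placeholders.

SAMPLE_APT_KEY_LIST='/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-03-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 1234 5678
uid           [ unknown] Example Vendor Packaging <packages@example.com>
sub   rsa4096 2019-03-01 [E]

/etc/apt/trusted.gpg.d/example-distro-keyring.gpg
-------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      89AB CDEF 0123 4567 89AB  CDEF 0123 4567 AAAA BBBB
uid           [ unknown] Example Distro Archive Automatic Signing Key <ftpmaster@example.org>
'

# Print "<fingerprint><TAB><uid>" for each key listed under the legacy keyring
# header only; keys already in trusted.gpg.d are skipped. The fingerprint is the
# spaced line that follows each "pub" line; its last 8 characters are the short
# ID the article tells you to copy.
legacy_keys() {
    awk '
        /^\//              { legacy = ($0 == "/etc/apt/trusted.gpg"); next }
        legacy && /^pub /  { want_fpr = 1; next }
        legacy && want_fpr { fpr = $0; gsub(/ /, "", fpr); want_fpr = 0; next }
        legacy && /^uid / && fpr != "" {
            sub(/^uid +\[[^]]*] +/, "")
            print fpr "\t" $0
            fpr = ""
        }
    '
}

# Derive a file name for trusted.gpg.d from the key uid: drop the e-mail part,
# lower-case, collapse everything else into single dashes.
keyring_name() {
    printf '%s\n' "$1" \
        | sed -e 's/ *<[^>]*>//' \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/[^a-z0-9]\{1,\}/-/g' -e 's/^-//' -e 's/-$//'
}

# Print the commands the first method boils down to, plus removal of the legacy
# copy, so they can be reviewed before anything is executed.
migration_commands() {
    keyid=$1; name=$2
    printf 'sudo apt-key export %s | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/%s.gpg\n' "$keyid" "$name"
    printf 'sudo apt-key del %s\n' "$keyid"
}

# Actually perform one migration (run as root; needs apt-key and gpg installed).
migrate_legacy_key() {
    keyid=$1; name=$2
    apt-key export "$keyid" | gpg --dearmor -o "/etc/apt/trusted.gpg.d/$name.gpg" \
        && apt-key del "$keyid"
}

# Demo on the constructed sample: one migration per legacy key.
tab=$(printf '\t')
printf '%s' "$SAMPLE_APT_KEY_LIST" | legacy_keys | while IFS="$tab" read -r keyid uid; do
    echo "# $uid"
    migration_commands "$keyid" "$(keyring_name "$uid")"
done
```

On a real system replace the sample with `sudo apt-key list 2>/dev/null | legacy_keys`; the parser targets the 22.04 output layout (pub line, fingerprint line, uid line), so check it against your own output before feeding the result to migrate_legacy_key.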
#2nd Method: Create a GPG key only accepted for the associated repository
Create a Keyrings folder
First of all you need a folder. /etc/apt/trusted.gpg.d should not be used; pick a separate one. The path is freely selectable: a sensible choice is e.g. /usr/local/share/keyrings for locally added keys, the already existing /usr/share/keyrings (used by distribution packages for their keyrings), or /etc/apt/keyrings, which Ubuntu 22.04 also provides for third-party keys. Whatever you choose, the directory and the keyring files in it must be world-readable, because the unprivileged _apt user reads them during verification.
sudo mkdir -p /usr/local/share/keyrings
Next we need the PGP public key that we want to add for that particular repository, so first download it as a file. Before going further, check that the file really is a PGP key.
wget -q -O key.gpg link-to-key
Replace link-to-key with the actual URL to download the key you want to use with the repository.
To show how, let's download the key of Webmin to use with its repository. Prefer an HTTPS download when the vendor offers one, and compare the key's fingerprint with the one the vendor publishes before trusting it:
wget -q -O key.gpg http://www.webmin.com/jcameron-key.asc
Check whether the key is valid or not
file key.gpg
key.gpg: PGP public key block Public-Key (old)
Note: Don't be confused by "old": "PGP public key block Public-Key (old)" is fine; it only refers to the OpenPGP packet header format.
Now we need to create a key ring that we can pass to APT:
gpg --no-default-keyring --keyring ./tmp.gpg --import key.gpg
Export the created key:
gpg --no-default-keyring --keyring ./tmp.gpg --export --output webmin-key.gpg
Remove the temporary files (if gpg also left a tmp.gpg~ backup next to the keyring, remove it the same way):
rm tmp.gpg key.gpg
webmin-key.gpg is the final keyring. It has to be moved either to the keyrings folder we created or to trusted.gpg.d.
If you move the key to trusted.gpg.d you don't need to point your repository at the key location manually. Security-wise, however, the problem stays the same: APT trusts this key for all packages from all repositories.
Point the created key to use only for the added Repo
Hence, to let APT trust the created key only for packages coming from the single Webmin repository, move it to the folder we created:
sudo mv webmin-key.gpg /usr/local/share/keyrings
Go to the repository file for which you added the GPG key and edit it. Here we are using the Webmin repo file, /etc/apt/sources.list.d/webmin.list; edit your own software's repo file in the same way, adding a signed-by option that points the repository line at the created key:
deb [arch=amd64 signed-by=created-key-path] package-repository-url
deb [signed-by=/usr/local/share/keyrings/webmin-key.gpg] https://download.webmin.com/download/repository sarge contrib
Of course, this must be adjusted according to the architecture, the path you have chosen and the package source URL. Ubuntu 22.04's apt also accepts the deb822 .sources format, where the same binding is expressed with a Signed-By: field.
Now you can update the package sources normally via sudo apt update so that apt loads the package index from the newly added repository. APT will then trust the key only for packages from that repository, not for the whole system. Keep in mind that signed-by restricts which keys the Webmin repository accepts; it does not stop a key that still sits in trusted.gpg or trusted.gpg.d from being accepted by every other repository, so do not leave a copy there.
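The second method turned into reusable helpers, as an added example that is neither the article's nor the Webmin project's code: an audit that lists every deb line still verified against the global trust store, a rewrite that adds signed-by to such a line (merging into an existing [options] block), the same binding as a deb822 stanza, and the dearmor step for the downloaded key. The sample sources.list content, the example.com repository and the function names are constructed for this example; only the Webmin repository line and keyring path come from the text above.

```shell
#!/bin/sh
# Added example (not code from the original article or from Webmin): helpers
# for the signed-by method. Sample sources content, the example.com repository
# and the keyring paths are constructed for the demo.

# Constructed sample of lines found in /etc/apt/sources.list.d/*.list
SAMPLE_SOURCES='# Webmin repository, key added with apt-key in the old way
deb https://download.webmin.com/download/repository sarge contrib
# third-party repo with an options block but no key binding
deb [arch=amd64] https://example.com/apt stable main
# already pinned to its own keyring: fine
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.com/apt stable main
'

# Print every active deb/deb-src line without a signed-by option, i.e. every
# repository whose signatures are still checked against the global trust store.
audit_sources() {
    awk '/^[ \t]*deb(-src)?[ \t]/ && $0 !~ /signed-by=/'
}

# Add signed-by=KEYRING to each deb line on stdin that lacks it. An existing
# [options] block is extended; lines that already carry signed-by are left
# alone. (awk -v interprets backslashes, so keep the keyring path free of them.)
add_signed_by() {
    awk -v key="$1" '
        /^[ \t]*deb(-src)?[ \t]/ && $0 !~ /signed-by=/ {
            if (match($0, /\[[^]]*]/)) {
                opts = substr($0, RSTART + 1, RLENGTH - 2)
                sep = (opts == "") ? "" : " "
                $0 = substr($0, 1, RSTART) opts sep "signed-by=" key substr($0, RSTART + RLENGTH - 1)
            } else {
                sub(/^[ \t]*deb(-src)?/, "& [signed-by=" key "]")
            }
        }
        { print }
    '
}

# The same binding in the deb822 .sources format that apt on Ubuntu 22.04 also
# reads (one stanza per repository, e.g. /etc/apt/sources.list.d/webmin.sources).
deb822_source() {
    # $1 URI, $2 suite, $3 components, $4 keyring path
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' "$1" "$2" "$3" "$4"
}

# Convert a downloaded ASCII-armored key into the binary keyring and make it
# readable by the _apt user. Needs gpg; run as root for a system-wide path.
install_keyring() {
    # $1 armored key file, $2 destination .gpg path
    gpg --dearmor < "$1" > "$2" && chmod 0644 "$2"
}

WEBMIN_KEYRING=/usr/local/share/keyrings/webmin-key.gpg

echo "== repositories still relying on the global trust store =="
printf '%s' "$SAMPLE_SOURCES" | audit_sources
echo "== Webmin line after binding it to its own keyring =="
printf 'deb https://download.webmin.com/download/repository sarge contrib\n' | add_signed_by "$WEBMIN_KEYRING"
echo "== the same binding as a deb822 stanza =="
deb822_source https://download.webmin.com/download/repository sarge contrib "$WEBMIN_KEYRING"
```

A quick system check is `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources`: every line it prints is a repository that any globally trusted key could serve packages for. Rewrite those with add_signed_by (or a deb822 stanza) once their keyring sits outside trusted.gpg.d.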
3rd Method: Quick and Forceful Method
Although the methods above are the recommended ones, here is a quick one for anyone who just wants the warning gone. It is forceful because we do not convert individual keys; we copy the whole legacy keyring into the trusted folder, every key in it included, and all of them stay trusted for all repositories. Note that apt-key del will no longer remove them afterwards, because the copy is a separate file. It is not a wise idea, but if you cannot find another quick way for your legacy keys, this is the one to use:
sudo cp /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/