I have a 3rd party software that is installed from their own repository and requires a custom key configured. Instead of adding their key to the global keyring, how do I correctly setup the key to be used only for that repository?

Typical error message would look like this:

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D208507CA14F4FCA

Nelson
  • This was derived from https://askubuntu.com/a/1307181/451170 but I didn't have means to download the key directly, so had to figure out how to interact with the keyserver to get said key and deal with all the issues around GPG – Nelson Nov 12 '21 at 04:25

1 Answer

The keyserver.ubuntu.com can be used to retrieve the key, but you must manually confirm that the key is correct before proceeding:

sudo -H gpg --keyserver keyserver.ubuntu.com --recv-keys D208507CA14F4FCA

This command puts the key in your global keyring, and is an intermediate step to export it. The key will be removed at a later step.

-H is needed to handle a permissions issue regarding sudo and the HOME directory.

Next is a sequence of commands to export the keyring:

sudo -H gpg --export --output erlang.gpg D208507CA14F4FCA
sudo mkdir -p /usr/local/share/keyrings
sudo mv ./erlang.gpg /usr/local/share/keyrings/

And then remove the key from the keyring:

sudo -H gpg --batch --yes --delete-key D208507CA14F4FCA

Create a subdirectory for sources.list and add the new config to it:

sudo mkdir -p /etc/apt/sources.list.d
echo "deb [signed-by=/usr/local/share/keyrings/erlang.gpg] https://packages.erlang-solutions.com/ubuntu $(lsb_release -s -c) contrib" | sudo tee /etc/apt/sources.list.d/erlang.list

Note that add-apt-repository doesn't currently support the [signed-by] option.

This process sets up the key for just that repository, limiting the risk of a compromised 3rd-party key affecting unrelated repositories.

Nelson
  • You can shorten the process to just three steps: Create directory for keyring: sudo mkdir -p /usr/local/share/keyrings, add keyring to directory: sudo gpg --no-default-keyring --keyring /usr/local/share/keyrings/erlang.gpg --keyserver keyserver.ubuntu.com --recv-keys D208507CA14F4FCA, then add the repository to apt sources: echo "deb [signed-by=/usr/local/share/keyrings/erlang.gpg] https://packages.erlang-solutions.com/ubuntu $(lsb_release -s -c) contrib" | sudo tee /etc/apt/sources.list.d/erlang.list – fuzzydrawrings Dec 01 '21 at 04:01
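Added example, not code from the question, the answer or the comments: a script covering the same procedure that fetches the key into a throwaway keyring as the normal user, pins the vendor-published full fingerprint (EXPECTED_FPR is a placeholder, since the page only gives the long key ID), cross-checks that ID against the fingerprint, and only then installs the key for this one source via signed-by. Key ID, keyserver, paths and repository URL are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: install a third-party apt key for
# ONE repository only, refusing unless its full fingerprint matches a value pinned
# from the vendor's docs. Key ID and URL are from the post; EXPECTED_FPR is a placeholder.
set -eu

KEY_ID="D208507CA14F4FCA"
EXPECTED_FPR="REPLACE WITH THE VENDOR-PUBLISHED 40-HEX FINGERPRINT"  # placeholder
KEYRING="/usr/local/share/keyrings/erlang.gpg"
APT_LIST="/etc/apt/sources.list.d/erlang.list"
REPO_URL="https://packages.erlang-solutions.com/ubuntu"

# Canonical fingerprint form: upper-case hex, spaces and colons removed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# apt's NO_PUBKEY value is the 16-hex "long key ID", i.e. the last 16 hex digits of a
# v4 OpenPGP fingerprint, so the pinned fingerprint is cross-checked before any fetch.
fpr_matches_keyid() {
    fpr=$(normalize_fpr "$1"); id=$(normalize_fpr "$2")
    case "$fpr" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    [ "$(printf '%s' "$fpr" | tail -c 16)" = "$id" ]
}

install_repo_key() {
    fpr_matches_keyid "$EXPECTED_FPR" "$KEY_ID" \
        || { echo "pinned fingerprint does not end in $KEY_ID; refusing" >&2; return 1; }
    tmpdir=$(mktemp -d); tmpring="$tmpdir/key.gpg"
    # Fetch into a throwaway keyring as the normal user (no sudo, so no HOME issue).
    gpg --no-default-keyring --keyring "$tmpring" \
        --keyserver keyserver.ubuntu.com --recv-keys "$KEY_ID"
    # Primary-key fingerprint is field 10 of the "fpr" record in --with-colons output.
    actual=$(gpg --no-default-keyring --keyring "$tmpring" --with-colons --fingerprint \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$actual" = "$(normalize_fpr "$EXPECTED_FPR")" ] \
        || { echo "fingerprint mismatch: got $actual" >&2; rm -rf "$tmpdir"; return 1; }
    # Export in the binary format apt reads, then bind it to this one source only.
    sudo mkdir -p "$(dirname "$KEYRING")"
    gpg --no-default-keyring --keyring "$tmpring" --export "$KEY_ID" | sudo tee "$KEYRING" >/dev/null
    rm -rf "$tmpdir"
    echo "deb [signed-by=$KEYRING] $REPO_URL $(lsb_release -s -c) contrib" | sudo tee "$APT_LIST" >/dev/null
}

if [ "${1:-}" = "--install" ]; then install_repo_key; fi
```

Run with `--install` once EXPECTED_FPR has been replaced; without it the script only defines the functions and refuses the placeholder value.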