182

Recently I've noticed some issues when running apt where the system will warn me of a keyring deprecation:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
8 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: https://packages.microsoft.com/repos/edge/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This doesn't stop me from performing the update, but I would much rather not see this when updating my system. How are we supposed to store trusted GPG keys going forward?

Flimm
matigo
  • https://wiki.debian.org/DebianRepository/UseThirdParty – OrangeDog Mar 20 '22 at 15:27
  • 1
  • After frustration that Ubuntu would change its GPG tools and cause everyone to have to deal with this, entering asinine commands to fix, which didn't work for me to even just remove the key: sudo apt-key del <last 8 chars from sudo apt-key list | grep -i -C 5 <pkg> >, it seems that removing the package and the source file grep <pkg> /etc/apt/sources.list.d/* and reinstalling worked. apt purge <pkg> might remove the sources file, but likely also config files. – alchemy Apr 12 '23 at 02:17
  • doing sudo apt remove sublime-text and removing all the sources files, followed by sudo apt update; sudo apt install sublime-text did not fix the problem for me. I guess it is not important. – tobi delbruck Jan 25 '24 at 07:30

7 Answers

257

One way to resolve this is to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings. Fortunately, it's not too difficult:

  1. Open Terminal (if it's not already open)

  2. List existing keys:

    $ sudo apt-key list
    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    /etc/apt/trusted.gpg
    --------------------
    pub   rsa4096 2017-05-08 [SCEA]
          1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
    uid           [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>
    sub   rsa4096 2017-05-08 [S]
    

    pub   rsa2048 2015-10-28 [SC]
          BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
    uid           [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>

  3. From here, we can export a key:

    sudo apt-key export BE1229CF | sudo gpg --dearmor -o /usr/share/keyrings/microsoft.gpg
    

    Note: The BE1229CF value comes from the last 8 characters of the pub code.

    The following message will likely appear:

    Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
    
  4. Now we can update our apt source file for the repository (e.g., /etc/apt/sources.list.d/microsoft.list), adding a signed-by tag:

    deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge/ stable main
    
  5. Update apt to confirm the message is gone:

    sudo apt update
    ...
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    All packages are up-to-date.
    W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    
  6. Remove the original signature:

    sudo apt-key del BE1229CF
    

This can be done with each of the warning messages. Once done, apt will no longer complain.

GAD3R
matigo
  • 1
    @ArturMeinild this is good to know – matigo Mar 20 '22 at 14:07
  • 7
    You should use /usr/share/keyrings, not /etc/apt/keyrings - https://wiki.debian.org/DebianRepository/UseThirdParty – OrangeDog Mar 20 '22 at 15:28
  • 6
    regarding: Note: The BE1229CF value comes from the last 8 characters of the pub code. — can you elaborate more, the "BE1229CF" is clearly not anywhere on screen here. You did some bit operations to get this value or what? – Martin Mucha May 12 '22 at 12:29
  • 3
    @MartinMucha take a look at the code block in item 1. You'll see BE12 29CF on the second-last line. That's where it comes from – matigo May 12 '22 at 13:17
  • @matigo goddammit, no idea how I can overlook it. Thanks. I copypasted the whole line into apostrophes and that worked as well, but this is better. – Martin Mucha May 13 '22 at 11:27
  • @matigo See my simplified answer here. – heynnema May 21 '22 at 01:22
  • 1
    Is it possible to store the *.gpg files such that apt finds them automatically? I think the signed-by attribute in the repo definition is really ugly. Especially with an absolute path. – mefiX Jul 17 '22 at 11:18
  • Are you creating list names to go with specific keys? In the example, the BE1229CF would then align with the microsoft list, correct? – DontAsk Aug 06 '22 at 17:08
  • @holocronweaver Is there a way for me to automate this using a script? I have 17 keys that need to be migrated, and while it's a great solution for a few keys, doing this one by one for all 17 will take way too long and the solution provided by Zanna (below) is really only short term at best, and possibly a security risk at worst. – EvilSupahFly Aug 10 '22 at 03:15
  • 2
    what if an app automatically configures the .list file, thus reverting the changes each time? For example, this warning is found inside the slack.list file:

    `### THIS FILE IS AUTOMATICALLY CONFIGURED ###

    You may comment out this entry, but any other modifications may be lost.`

    How does one get around this corner case, i.e. making sure the signed-by addition is kept and not reverted by the apt source maintainer?

    – dimisjim Aug 13 '22 at 09:39
  • How do you know what to name the keyring? So like in your posted example you use /usr/share/keyrings/microsoft.gpg so you name the file microsoft.gpg . So i have a key like pub rsa2048 2016-02-17 [SC] 9FE3 B226 BD77 5196 D8C2 E599 DE88 104A A4C6 383F uid [ unknown] DigitalOcean Insights Engineering <sonar:agent@digitalocean.com> sub rsa2048 2016-02-17 [E]. How do i know what to name the file or does it matter. – Steve K Oct 08 '22 at 18:44
  • not too difficult? https://askubuntu.com/a/1408456/129227 is not too difficult ... – Wolfgang Fahl Oct 30 '22 at 08:09
  • @SteveK it's likely that it doesn't matter, but you can always keep them consistent with how the other keys have been named under /usr/share/keyrings/ and compare it with the filenames under /etc/apt/sources.list.d/*.list. In my case, they are quite consistent and the logic is very obvious to follow! – Gwyneth Llewelyn Nov 03 '22 at 02:29
  • I don't follow how you get this https://packages.microsoft.com/repos/edge/ stable main. I also get an error when doing that : zsh: bad pattern: [arch=amd64 – James Nov 14 '22 at 15:05
  • In my case I needed to export the file to: /etc/apt/trusted.gpg.d folder – Melroy van den Berg Jan 02 '23 at 23:00
  • I tried it for the Sublime Text error (similar to the example shown except the file names would be different) and I found that the original sublime-text.list entry had been commented out - "#disabled on upgrade to jammy". Likewise with some other apps' .list files, e.g. vscode.list, vivaldi.list, etc. – Trunk Feb 18 '23 at 15:35
  • Any available playbook to automate the steps with Ansible? – Ouss Apr 13 '23 at 21:49
  • this is too much manual work. the solution listed below is a better approach: https://askubuntu.com/a/1408456/652884 – Marc Compere Jul 18 '23 at 17:58
  • Don't forget a sudo chmod 644 on the new key in keyring. – jmary Aug 16 '23 at 08:51
  • 1
    You don't need to de-armor it or add it with signed-by=; instead just do sudo apt-key export {keyid} | sudo tee /etc/apt/trusted.gpg.d/{newname}.asc and run sudo apt update again. Not only will it find it without any sources.list edits, but the key will be in an armored format which is easier to manage. – isaaclw Aug 22 '23 at 18:32
  • apt-key is deprecated – Pathros Oct 01 '23 at 16:39
  • @James you have to edit the file corresponding to your package located in /etc/apt/sources.list.d and in this example it's /etc/apt/sources.list.d/microsoft.list. Just do sudo vim /etc/apt/sources.list.d/microsoft.list and you will see that deb [arch=amd64] https://packages.microsoft.com/repos/edge/ stable main is already there so then you can just add the signed-by=/usr/share/keyrings/microsoft.gpg inside of [arch=amd64] – Pachuca Nov 23 '23 at 15:54
169

try this

cd /etc/apt
sudo cp trusted.gpg trusted.gpg.d
Zanna
Mahmoud
  • $ cd /etc/apt $ sudo cp trusted.gpg trusted.gpg.d Above worked for me. – Mark C May 16 '22 at 08:27
  • 22
    For reviewers: this makes sense because /etc/apt/trusted.gpg is the old form of one singular keyring. In the modern apt, each keyring is stored individually in /etc/apt/trusted.gpg.d. Moving the legacy database into /etc/apt/trusted.gpg.d/ is the workaround to readding repositories manually and having apt update the key storage automatically. This is one workaround, though it's not the best nor most APT-preferred solution it is a solution nonetheless. – Thomas Ward May 16 '22 at 14:37
  • 2
    Two first time posters have commented (as answers) that this worked for them. This post should not be deleted. I am up voting this answer on the behalf of the two new users. – user68186 May 16 '22 at 15:41
  • 14
    The fact that something works does not equal that it is a good or viable solution. Depending on which keys are stored inside trusted.gpg, this could potentially be a security breach. – Artur Meinild May 16 '22 at 15:46
  • 4
    Ubuntu 22.04. Worked for me as well. Thanks.. – sundowatch Jul 17 '22 at 07:52
  • 1
    folder trusted.gpg.d is supposed to have one key per file, is it not? apt does not manipulate the copied file in any way. apt-key list still prints the warning too, even though I moved the file and it is recognized. Also cp makes two copies of the same file. – Валерий Заподовников Feb 17 '23 at 17:23
  • 1
    Worked on Pop_OS 22.04 – Andor Kiss Feb 20 '23 at 16:37
  • Worked for me too on elementary OS – tomriddle99 Jun 19 '23 at 04:09
  • 2
    I opted for a symbolic link in case more keys are added to trusted.gpg later: sudo ln -s ../trusted.gpg /etc/apt/trusted.gpg.d/ – Jayen Jun 22 '23 at 04:29
  • Worked perfect for me on Ubuntu 22.04.

    I had the following warnings.

    W: https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Ubuntu_22.04/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://packages.osrfoundation.org/gazebo/ubuntu-stable/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

    – Max Jun 23 '23 at 11:00
  • Thank you! It helped. – Maxim Masiutin Jan 27 '24 at 11:22
42

The easy way to fix these warning messages generated by sudo apt update...

W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://apt.keepsolid.com/ubuntu/dists/groovy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://linux.dropbox.com/ubuntu/dists/disco/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.virtualbox.org/virtualbox/debian/dists/hirsute/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.opensuse.org/repositories/home:/IBBoard:/cawbird/xUbuntu_22.04/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/solaar-unifying/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/yannubuntu/boot-repair/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Note: These warning messages can be generated by any enabled repo or ppa in Software & Updates "Other Software" tab.

Example fix:


For this warning message with sudo apt update...

W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

We look in sudo apt-key list and find this entry for xbmc...

pub   rsa1024 2009-01-20 [SC]
      1897 01DA 570C 56B9 488E  F60A 6D97 5C47 91E7 EE5E
uid           [ unknown] Launchpad PPA for XBMC for Linux

Then we convert this entry to a .gpg file, using the last 8 numeric characters from above...

sudo apt-key export 91E7EE5E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/team-xbmc.gpg

Repeat the above commands for each warning message generated by sudo apt update.

Note: Partially taken from the accepted answers here and here.

heynnema
  • 1
    I like this answer better as it puts the keys in /etc/apt/trusted.gpg.d/ – Tod Thomson Oct 09 '22 at 01:33
  • 1
    +1 for me; the top two answers fail on my Linux Mint Vanessa system with zsh: bad pattern: [arch=amd64 – AlMo320 Oct 20 '22 at 19:56
  • Thank you for this. Makes me wonder why there's no official tool that does that. It seems they attempted to target a security vulnerability, yet failed miserably in providing an easy way to actually implement it in existing installations. – TheMechanic Feb 19 '23 at 20:30
  • How to generate the magic "91E7EE5E" code?? – Peter Krauss Mar 18 '23 at 22:00
  • 1
    @PeterKrauss As it says in the answer, issue a sudo apt-key list command, and use the last 8 characters of the output... "91E7 EE5E" with no spaces. – heynnema Mar 19 '23 at 03:18
7

Considering all the good suggestions provided, I've crafted a helper oneliner to automate the process for all keys:

sudo apt-key list 2>&1 | grep -E '/(trusted.gpg.d)' -A 3 | grep -v '^\-\-' | grep -v '^pub ' | sed 's@.*/trusted.gpg.d/\(.*\)@\1@g' | awk 'NR%2{printf "%s ",$0;next;}1' | awk '{print "sudo apt-key export "$10$11" | sudo gpg --dearmour -o /usr/share/keyrings/"$1}' | xargs -I'{}' sh -c '{}'
DiRaOL
  • Thanks, but gives me an error: bash: syntax error near unexpected token (' it seems some warning output is in the way, so I could still use it by dropping the final | xargs and then copy-pasting output manually. – Epskampie Jun 08 '22 at 12:23
  • 4
    Works for me, but I need to change a little bit: sudo apt-key list 2>&1 | grep -E '\/(trusted.gpg.d)' -A 3 | grep -v '^\-\-' | grep -v '^pub ' | /bin/sed 's@.*/trusted.gpg.d/\(.*\)@\1@g' | /bin/awk 'NR%2{printf "%s ",$0;next;}1' | /bin/awk '{print "sudo apt-key export "$10$11" | sudo gpg --dearmour -o /usr/share/keyrings/"$1}' | xargs -I'{}' bash -c "eval '{}'". On first grep, you need to use regex '\/(trusted.gpg.d)' instead, either match with warning message. At the end, I need to change xargs execute. – Bernardo Loureiro Jun 29 '22 at 14:41
  • 1
    thanks for this! my pass: sudo apt-key list | sudo awk -v n=4 'n==3{k=$(NF-1)$NF;cmd="apt-key export "k"|gpg --dearmour -o "d;print cmd;system(cmd)}/^\/.*\/trusted\.gpg\.d\//{d=$1;n=0}{n++}' – keithpjolley Aug 31 '22 at 20:10
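As a worked example added here (not code from any of the answers above or from apt's maintainers), the following POSIX sh script folds the accepted answer's per-key steps, heynnema's export command and DiRaOL's batching idea into a dry-run planner: it parses `apt-key list` output, keeps only the keys still held in the legacy /etc/apt/trusted.gpg, derives the 8-character key id from the fingerprint (the "BE12 29CF" step several commenters asked about), proposes a keyring file name, shows how a sources line gains signed-by= (extending an existing [arch=amd64] group instead of duplicating it), and prints the commands for review rather than running them. The keyring directory (KEYRING_DIR, defaulting to /usr/share/keyrings as in the accepted answer), the uid-based file naming, and the sample listing with a made-up third key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from any of the answers: a dry-run planner that reads
# `apt-key list` output and prints, for each key still held in the legacy
# /etc/apt/trusted.gpg, the export / signed-by / del steps of the accepted
# answer. It never runs apt-key or gpg itself, so the plan can be reviewed first.
# Assumptions: keyrings go to $KEYRING_DIR (default /usr/share/keyrings, as in
# the accepted answer) and the file name is derived from the key's uid.
set -eu

# Read `apt-key list` output on stdin; print "<8-char key id>\t<uid>" for every
# key listed under the /etc/apt/trusted.gpg header. Keys already stored in
# /etc/apt/trusted.gpg.d/*.gpg do not trigger the warning and are skipped.
# The key id is the last 8 hex digits of the fingerprint line, spaces removed.
legacy_keys() {
    awk '
        /^\//   { legacy = ($0 == "/etc/apt/trusted.gpg"); next }
        !legacy { next }
        /^pub / { want_fp = 1; next }
        want_fp { fp = $0; gsub(/ /, "", fp); id = substr(fp, length(fp) - 7); want_fp = 0; next }
        /^uid / { sub(/^uid +\[[^]]*\] */, ""); print id "\t" $0 }
    '
}

# Keyring file name from a uid: drop the e-mail part, join [A-Za-z0-9] runs with
# "-", lowercase. "Microsoft (Release signing) <...>" -> microsoft-release-signing
keyring_name() {
    printf '%s' "$1" \
        | sed 's/ *<[^>]*>//; s/[^A-Za-z0-9]\{1,\}/-/g; s/^-//; s/-$//' \
        | tr '[:upper:]' '[:lower:]'
}

# Add signed-by=<keyring> to one deb/deb-src source line. A line that already
# has signed-by is left alone; an existing [options] group such as [arch=amd64]
# is extended rather than duplicated; comments and blank lines pass through.
add_signed_by() {  # $1 = source line, $2 = keyring path
    case "$1" in
        *signed-by=*)           printf '%s\n' "$1" ;;
        "deb ["*|"deb-src ["*)  printf '%s\n' "$1" | sed "s|^\([a-z-]*\) \[|\1 [signed-by=$2 |" ;;
        "deb "*|"deb-src "*)    printf '%s\n' "$1" | sed "s|^\([a-z-]*\) |\1 [signed-by=$2] |" ;;
        *)                      printf '%s\n' "$1" ;;
    esac
}

# Print the per-key commands for the `apt-key list` output on stdin. Nothing is run.
migration_plan() {
    dir="${KEYRING_DIR:-/usr/share/keyrings}"
    legacy_keys | while IFS="$(printf '\t')" read -r id uid; do
        name=$(keyring_name "$uid")
        printf '%s\n' "# $uid"
        printf '%s\n' "sudo apt-key export $id | sudo gpg --dearmor -o $dir/$name.gpg"
        printf '%s\n' "#   add signed-by=$dir/$name.gpg to this repo's line under /etc/apt/sources.list.d/, run sudo apt update, then:"
        printf '%s\n' "sudo apt-key del $id"
    done
}

# Constructed sample: the two keys shown in the question's apt-key listing plus
# one made-up key that already lives in trusted.gpg.d (its fingerprint is fake).
SAMPLE_APT_KEY_LIST='Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-08 [SCEA]
      1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
uid           [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>
sub   rsa4096 2017-05-08 [S]

pub   rsa2048 2015-10-28 [SC]
      BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
uid           [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>

/etc/apt/trusted.gpg.d/example-already-migrated.gpg
---------------------------------------------------
pub   rsa4096 2020-01-01 [SC]
      0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
uid           [ unknown] Example Already Migrated <example@example.invalid>
'

# Usage with real data: sudo apt-key list 2>/dev/null | migration_plan
printf '%s' "$SAMPLE_APT_KEY_LIST" | migration_plan
```

Piping real output in with `sudo apt-key list 2>/dev/null | migration_plan` yields only the export/del commands; the signed-by= edit is left to the reader because add_signed_by works on one line at a time and the vendor-managed files mentioned above (the slack.list case) will need that edit re-applied whenever the vendor rewrites them. Checking the printed plan before running anything is the point of the dry run: a key that ends up in /usr/share/keyrings without a matching signed-by= on its sources line is not used by apt, and a key that is left in trusted.gpg keeps trusting every repository.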
1

I solved it with some commands like below.

gpg --refresh-keys

This will update all the keys and resolve the problem.

  • for KEY in $(apt-key --keyring /etc/apt/trusted.gpg list \
        | grep -E "(([ ]{1,2}(([0-9A-F]{4}))){10})" \
        | tr -d " " \
        | grep -E "([0-9A-F]){8}\b"); do
        K=${KEY:(-8)}
        apt-key export "$K" | sudo gpg --dearmour -o "/etc/apt/trusted.gpg.d/imported-from-trusted-gpg-$K.gpg"
    done
    – Muhammad Irfan Aslam Jan 18 '23 at 10:26
  • 5
    This did not work for me, Ubuntu 22.04.1 LTS, Jammy – M.K Feb 08 '23 at 13:37
  • 1
    Didn't work for me in Kali 2022.4 – J. Scott Elblein Feb 24 '23 at 02:17
1

There is no need to edit sources.list if you use the apt/trusted.gpg.d/ folder and you're on Debian.

Follow the other steps to get the key id:

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2012-04-01 [SC]
      A0DA 38D0 D76E 8B5D 6388  7281 9165 938D 90FD DD2E
uid           [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>
sub   rsa2048 2012-04-01 [E]

And then run:

apt-key export 90FDDD2E | sudo tee /etc/apt/trusted.gpg.d/raspberry.debian.armhf.asc

You can delete the trusted.gpg file, but the errors go away without deleting it.

isaaclw
0

In my case, solutions above did not work. Maybe it's because it is a specific case. The warning:

9 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: https://packages.cloud.google.com/apt/dists/coral-cloud-stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packages.cloud.google.com/apt/dists/coral-edgetpu-stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This fixed it for me:

wget -O- https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo tee /etc/apt/trusted.gpg.d/coral-edgetpu.gpg
M.K
  • What does that do? Can you give a more general solution? I have the same problem with other programs. – cipricus Jun 24 '23 at 12:04
  • I guess it's a way of adding third party libraries in an updated way. These 2 references might help! ref1 and ref2 @cipricus – M.K Jun 24 '23 at 15:11