110

I get 3 warnings after Ubuntu 22.04 update on a Digital Ocean LAMP stack droplet.

W: http://repo.mysql.com/apt/ubuntu/dists/bionic/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://repos.insights.digitalocean.com/apt/do-agent/dists/main/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://pkg.cloudflare.com/dists/trusty/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

How to move the keys to the right location and delete the old keys?

EDIT

sudo apt-key list
pub   rsa2048 2016-02-17 [SC]
      9FE3 B226 BD77 5196 D8C2  E599 DE88 104A A4C6 383F
uid           [ unknown] DigitalOcean Insights Engineering <sonar-agent@digitalocean.com>
sub   rsa2048 2016-02-17 [E]

pub   rsa2048 2015-01-28 [SC]
      FBA8 C0EE 6361 7C5E ED69  5C43 254B 391D 8CAC CBF8
uid           [ unknown] CloudFlare Software Packaging <help@cloudflare.com>

pub   dsa1024 2003-02-03 [SCA] [expired: 2022-02-16]
      A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
uid           [ expired] MySQL Release Engineering <mysql-build@oss.oracle.com>

pub   rsa4096 2021-12-14 [SC] [expires: 2023-12-14]
      859B E8D7 C586 F538 430B  19C2 467B 942D 3A79 BD29
uid           [ unknown] MySQL Release Engineering <mysql-build@oss.oracle.com>
sub   rsa4096 2021-12-14 [E] [expires: 2023-12-14]

/etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg

pub   rsa4096 2016-11-02 [SC]
      7BF5 7606 6ADA 6572 8FC7  E70A 8C47 BE8E 75BC A694
uid           [ unknown] Launchpad PPA for certbot

/etc/apt/trusted.gpg.d/ondrej-ubuntu-apache2.gpg

pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý

/etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg

pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg

pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg

pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

ls -l /etc/apt/sources.list.d
-rw-r--r-- 1 root root 276 Apr  8 15:51 certbot-ubuntu-certbot-xenial.list
-rw-r--r-- 1 root root 276 Apr  8 15:51 certbot-ubuntu-certbot-xenial.list.distUpgrade
-rw-r--r-- 1 root root 274 Mar 13  2020 certbot-ubuntu-certbot-xenial.list.save
-rw-r--r-- 1 root root  43 Apr  8 15:51 cloudflare-main.list
-rw-r--r-- 1 root root  43 Apr  8 15:51 cloudflare-main.list.distUpgrade
-rw-r--r-- 1 root root  43 Mar 13  2020 cloudflare-main.list.save
-rw-r--r-- 1 root root  67 Apr  8 15:51 digitalocean-agent.list
-rw-r--r-- 1 root root  67 Apr  8 15:51 digitalocean-agent.list.distUpgrade
-rw-r--r-- 1 root root  67 Mar 13  2020 digitalocean-agent.list.save
-rw-r--r-- 1 root root 501 Apr  8 15:51 mysql.list
-rw-r--r-- 1 root root 501 Apr  8 15:51 mysql.list.distUpgrade
-rw-r--r-- 1 root root 137 Apr  8 15:51 ondrej-ubuntu-apache2-hirsute.list
-rw-r--r-- 1 root root 135 Apr  8 15:51 ondrej-ubuntu-apache2-hirsute.list.distUpgrade
-rw-r--r-- 1 root root 123 Apr  8 15:51 ondrej-ubuntu-php-xenial.list
-rw-r--r-- 1 root root 124 Apr  8 15:51 ondrej-ubuntu-php-xenial.list.distUpgrade
-rw-r--r-- 1 root root 125 Apr  8 19:11 signal-xenial.list
Serge Stroobandt
newcat1000
  • 2
    You should follow the indications in https://askubuntu.com/questions/1398344/apt-key-deprecation-warning-when-updating-system answer but customizing them for your three repos. If you [edit] your post with the output of sudo apt-key list and ls -l /etc/apt/sources.list.d, it is possible to provide an answer specific for your scenario. – Lorenz Keel Apr 22 '22 at 06:12
  • Google guided me here after Mint21 System Update reported W: http://ppa.launchpad.net/b-rad/kernel+mediatree+hauppauge/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details. I don't really know what I'm doing, but my .bash_history shows that I ran sudo add-apt-repository ppa:b-rad/kernel+mediatree+hauppauge and sudo apt-get install linux-firmware-hauppauge when trying to get my TV tuner working.... – FumbleFingers Aug 11 '22 at 12:30
  • All the answers (here and linked) looked really complicated, so in the end I did a full system backup, then just "deleted" the two Hauppauge entries under Software Sources -> PPAs, and the problem went away. The TV tuner (actually, an Afatech AF9015, not Hauppauge, which I have on a different computer) still works, so I guess everything's okay. – FumbleFingers Aug 11 '22 at 12:35
  • You don't need sudo for apt-key list – Daniel Stevens Sep 27 '22 at 20:25
  • 1
    NOTE: In the other answers, I added an ACTUAL answer that is easy and correct. No fumbling or even CLI needed! I can’t add it here because this is a duplicate. But I added it to all the others that show up when you search. –  Dec 08 '22 at 13:03
  • Closed (another one) in error as this is not a duplicate. It does not matter if answers exist elsewhere, the only question that comes close has an incomplete answer as accepted. There ought to be sanctions.... – mckenzm Feb 17 '24 at 23:43

1 Answer

157

This answer is a customization of the one provided by user matigo here. You need to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings for every repo.

  1. Let's begin with the DigitalOcean key. Open Terminal and export the 9FE3 B226 BD77 5196 D8C2 E599 DE88 104A A4C6 383F key:

    apt-key export A4C6383F | sudo gpg --dearmour -o /usr/share/keyrings/digitalocean-agent.gpg

    Note: The A4C6383F value comes from the last 8 characters of the pub code from the apt-key list output.

  2. Now we can update our apt source file (/etc/apt/sources.list.d/digitalocean-agent.list), adding a signed-by tag. Open it with:

    sudo -H gedit /etc/apt/sources.list.d/digitalocean-agent.list

    and add the tag [arch=amd64 signed-by=/usr/share/keyrings/digitalocean-agent.gpg] just after the deb keyword and before the URL.

    I don't know the exact content of digitalocean-agent.list, but it should eventually be something similar to:

    deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge stable main
    
  3. Run sudo apt update to confirm the message is gone

  4. If the message is gone, remove the original signature:

    sudo apt-key del A4C6383F

  5. Repeat the steps for cloudflare-main.list, generating the cloudflare-main.gpg key starting from the 8CACCBF8 key.

  6. Repeat the steps for mysql.list, generating the mysql.gpg key starting from the 5072E1F5 key.

Consider that the messages you have are only warnings: if something goes bad, restore the files as they were and keep the warnings; they are not harmful.

Lorenz Keel
  • 8,905
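
The edit from step 2 and its repetition in steps 5 and 6, as an added example that is not part of the original answer: a filter that adds signed-by to every active entry of a .list file (including deb-src lines and entries that already carry options such as [arch=amd64]), plus a count of entries still unpinned to check before running apt-key del. The helper names short_id, add_signed_by and unpinned_entries and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample list below are constructed.

# Last 8 hex digits of a fingerprint from `apt-key list` (the ID used in step 1).
short_id() {
    printf '%s' "$1" | tr -d ' ' | tail -c 8
}

# Filter: read a .list file on stdin and write it to stdout with
# signed-by=<keyring path $1> on every active deb/deb-src entry.
# Commented-out lines and entries that already have signed-by are unchanged.
add_signed_by() {
    awk -v opt="signed-by=$1" '
        /^[ \t]*deb(-src)?[ \t]/ && !/signed-by=/ {
            if ($2 ~ /^\[/) {
                sub(/\]/, " " opt "]")                   # extend existing [options]
            } else {
                sub(/^[ \t]*deb(-src)?/, "& [" opt "]")  # no options yet
            }
        }
        { print }'
}

# Count active entries on stdin that still rely on the global keyring.
unpinned_entries() {
    awk '/^[ \t]*deb(-src)?[ \t]/ && !/signed-by=/ { n++ } END { print n + 0 }'
}

# Constructed sample: several entries in one file, one with options, one disabled.
SAMPLE_LIST='deb http://repo.example.test/apt/ubuntu/ bionic main
deb [arch=amd64] http://repo.example.test/apt/ubuntu/ bionic tools
# deb http://repo.example.test/apt/ubuntu/ bionic preview
deb-src http://repo.example.test/apt/ubuntu/ bionic main'

short_id '9FE3 B226 BD77 5196 D8C2  E599 DE88 104A A4C6 383F'; echo
printf '%s\n' "$SAMPLE_LIST" | add_signed_by /usr/share/keyrings/mysql.gpg
printf '%s\n' "$SAMPLE_LIST" | add_signed_by /usr/share/keyrings/mysql.gpg | unpinned_entries
```

A nonzero count from unpinned_entries on a repository's .list file means at least one entry would be left without a key once the legacy key is deleted.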
  • Note: In my /etc/apt/sources.list.d/mysql.list there are 3 deb repositories and 1 deb-src repository. I added the [arch=amd64 signed-by=/usr/share/keyrings/mysql.gpg] in the deb-src repository. – newcat1000 Apr 24 '22 at 11:17
  • Do note that the "signed-by" repositories won't show up in the "Other Software" tab of the "Software & Updates" application any more afterwards. – Forage May 02 '22 at 06:50
  • Indeed @Forage, it did disappear. Why is that and is there a way to prevent this ? I'd like to keep every PPA I added in the same place (or am I misunderstanding the goal of the "Other Software" tab ?) – Antoine Laffargue May 04 '22 at 12:10
  • 1
    @AntoineLaffargue I can't exactly tell you why, but I assume the "Software & Updates" application simply can't deal with repositories that have the additional argument and needs to be modified in order to do so. Pretty awkward that deprecation warnings are already given without the whole software chain being able to deal with the recommended fix yet. For now you either accept those warnings, accept the lack of seeing the modified repositories or you place the keys in /etc/apt/trusted.gpg.d/ without adding the signed-by argument. – Forage May 04 '22 at 13:44
  • 3
    Please see my simplified answer here. – heynnema May 21 '22 at 01:24
  • 1
    You don't need to use sudo with apt-key export. – Daniel Stevens Sep 27 '22 at 20:56
  • I get a Warning: "apt-key is deprecated. Manage keyring files in trusted.gpg.d instead " – rubo77 Oct 19 '22 at 08:42
  • 2
    @Forage: wouldn't your solution to place the keys in /etc/apt/trusted.gpg.d/ without adding the signed-by argument be the better solution then? Please add another answer here, so we can value your findings – rubo77 Oct 19 '22 at 08:46
  • 2
    @rubo77, no, using that directory is not a better solution, it's a work-around. One of the reasons, if not the main, that the keyring is deprecated in the first place is because those keys apply for all repositories. Manually imported keys should only apply to a specific repository for security reasons. Using that directory basically creates the same unsafe situation again. – Forage Oct 19 '22 at 11:47
  • NOTE: In the other answers, I added an ACTUAL answer that is easy and correct. No fumbling or even CLI needed! I can’t add it here because this is a duplicate. But I added it to all the others that show up when you search. –  Dec 08 '22 at 12:59
  • I was super annoyed by these warnings and this answer is the only thing that worked. Thanks! – astrojuanlu Mar 05 '23 at 21:02
  • Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). – crockeea Jun 29 '23 at 17:09