4

After updating from 20.04 to 22.04, I stumbled upon the "apt-key deprecation". Thus, I've just followed this excellent answer about how to fix it. However, I've still not clearly understood which keys should be in my /etc/apt/trusted.gpg.d/ folder. Any reference?

  • Maybe none? So far, I have Ubuntu CD Image Automatic Signing Key (2012) and Ubuntu Archive Automatic Signing Key (2018)... Should they stay there? – muratore Apr 23 '22 at 23:31
  • 3
    Yep. Those two should stay there. These are the defaults that ship with the OS. – matigo Apr 23 '22 at 23:39
  • The answer you are linking to is actually about keeping keys out of /etc/apt/trusted.gpg.d/, so you may want to reread it carefully first. – vanadium Apr 24 '22 at 07:30
  • @vanadium, you say we have to remove all the keys from that folder? – muratore Apr 24 '22 at 14:11
  • That is what is being deprecated according to the answer you link to. So it is a contradiction wanting to put keys there based on an article that says keys should not be there. – vanadium Apr 25 '22 at 06:18

1 Answer

2

According to the answer you listed, none of your keys should be included in /etc/apt/trusted.gpg.d/ to get rid of cross-signing, i.e., the ability to sign a package from a (potentially malicious) source with the key of another source.

According to the answer you listed, the approach is to move all keys that are there to another location, then refer to them in the /etc/apt/sources.list file. When the newer, multiline Deb822 format is used, there is no need to maintain the keys in different files. They can directly be embedded in the /etc/apt/sources.list.

As a desktop user, I would not be inclined to start managing this myself. The evolution is ongoing, and gradually, distribution developers will integrate a safer approach in the graphical tools to manage PPAs.

vanadium
  • 88,010
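
To see which sources on a system still rely on the globally trusted keys discussed in the answer above, the following added example (not part of the original post) lists source entries that lack a `signed-by` option (one-line format) or a `Signed-By:` field (Deb822 format). The sample file names, repository URLs and key paths in `demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Report APT source entries that are not pinned to a specific key.
# Unpinned entries fall back to every key in trusted.gpg / trusted.gpg.d.

audit_sources() {                      # usage: audit_sources DIR...
    local dir f
    for dir in "$@"; do
        for f in "$dir"/*.list "$dir"/*.sources; do
            [ -f "$f" ] || continue
            case $f in
            *.list)    # one-line format: deb [signed-by=/path/key.gpg] uri suite comp
                awk -v f="${f##*/}" '/^[ \t]*deb(-src)?[ \t]/ &&
                    index(tolower($0), "signed-by=") == 0 { print f ":" NR ": UNPINNED" }' "$f" ;;
            *.sources) # Deb822: blank-line separated stanzas with a Signed-By: field
                awk -v f="${f##*/}" '
                    function flush() { if (seen && !pinned) print f ":stanza " n ": UNPINNED"
                                       seen = 0; pinned = 0 }
                    /^[ \t]*$/ { flush(); next }
                    /^#/ { next }
                    !seen { n++; seen = 1 }
                    tolower($0) ~ /^signed-by:/ { pinned = 1 }
                    END { flush() }' "$f" ;;
            esac
        done
    done
}

demo() {   # constructed sample files; names, URLs and key paths are made up
    local d; d=$(mktemp -d)
    printf '%s\n' 'deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.com/apt stable main' \
        'deb https://ppa.example.org/ubuntu jammy main' > "$d/mixed.list"
    printf '%s\n' 'Types: deb' 'URIs: https://a.example.net/apt' 'Suites: jammy' 'Components: main' \
        'Signed-By: /usr/share/keyrings/a.gpg' '' \
        'Types: deb' 'URIs: https://b.example.net/apt' 'Suites: jammy' 'Components: main' > "$d/two.sources"
    audit_sources "$d"
    rm -rf "$d"
}

# With arguments, audit those directories; without, run the constructed demo.
if [ "$#" -gt 0 ]; then audit_sources "$@"; else demo; fi
```

Run it as `./audit.sh /etc/apt /etc/apt/sources.list.d` to check a real system; every line it prints is an entry whose packages are verified against all keys in the global keyring rather than one named key.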