115

I just upgraded from Ubuntu 21.10 to 22.04.

sudo apt update ends with the following warnings...

W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://apt.keepsolid.com/ubuntu/dists/groovy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://linux.dropbox.com/ubuntu/dists/disco/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.virtualbox.org/virtualbox/debian/dists/hirsute/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.opensuse.org/repositories/home:/IBBoard:/cawbird/xUbuntu_22.04/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/solaar-unifying/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/yannubuntu/boot-repair/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Synaptic shows the same warnings on a reload.

Reviewing man apt-key doesn't clarify this for me.

I think this is because Ubuntu 22.04 has transitioned from using /etc/apt/trusted.gpg to using individual .gpg files located in /etc/apt/trusted.gpg.d.

Can these keys be converted from one to the other, or must I delete these keys and reimport them?

heynnema
  • 70,711

6 Answers

184

The easy way to fix these warning messages generated by sudo apt update...

W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://apt.keepsolid.com/ubuntu/dists/groovy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://linux.dropbox.com/ubuntu/dists/disco/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.virtualbox.org/virtualbox/debian/dists/hirsute/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.opensuse.org/repositories/home:/IBBoard:/cawbird/xUbuntu_22.04/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/solaar-unifying/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/yannubuntu/boot-repair/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Note: These warning messages can be generated by any enabled repo or ppa in Software & Updates "Other Software" tab.

Example fix:


For this warning message with sudo apt update...

W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

We look in sudo apt-key list and find this entry for xbmc...

pub   rsa1024 2009-01-20 [SC]
      1897 01DA 570C 56B9 488E  F60A 6D97 5C47 91E7 EE5E
uid           [ unknown] Launchpad PPA for XBMC for Linux

Then we convert this entry to a .gpg file, using the last 8 numeric characters from above...

sudo apt-key export 91E7EE5E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/team-xbmc.gpg

Optionally you can remove the deprecated key from /etc/apt/trusted.gpg by running:

sudo apt-key --keyring /etc/apt/trusted.gpg del 91E7EE5E

Repeat the above commands for each warning message generated by sudo apt update.

Note: Partially taken from the accepted answers here and here.

Ivan Gabriele
  • 717
  • 1
  • 9
  • 18
heynnema
  • 70,711
  • 4
    That's the answer I was looking for. Thanks! – YourHelper May 25 '22 at 18:32
  • Awesome. This worked for me. Is there any reason to delete the key from the legacy system? – lindhe Jun 28 '22 at 08:47
  • @lindhe That's optional. I haven't on my system. No problem. – heynnema Jun 28 '22 at 12:58
  • 1
    I tried different ways to achieve this, and this is the easier way. I got a warning (Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).), but the .gpg file was created. – apaderno Jul 08 '22 at 08:48
  • Can you use the apt-key list to generate a gpg file without knowing the apt error? Your example above uses team-xbmc but the key list does not have the name stored. Is there a way to do this without knowing the apt error? I want to eliminate the warning before it occurs. – DontAsk Aug 06 '22 at 16:55
  • @JimTippins Yes you can... however... the "apt-key list" may generate a much longer list than you really need to worry about. Observing any warning errors from "sudo apt update" would save you a lot of time. – heynnema Aug 06 '22 at 18:05
  • Why so manual? Let’s fully automate this! (Also, why is this not automatically handled? E.g. a drop-in for apt-key, or whatever…) EDIT: @JDMcMillian below automated it. Yay! –  Aug 11 '22 at 16:00
  • 1
    @Evi1M4chine The problem with the automated way (besides the fact that it uses a ~50 character bash script from an unknown author) is that it exports ALL of the entries in trusted.gpg, and many aren't needed. My way only exports the NEEDED entries. – heynnema Aug 11 '22 at 16:45
  • @heynnema: Your way exports nothing at all though. ^^ The user has to do that. Which kinda misses the whole point of having a computer. ^^ … I agree that only the required should be exported. But then again there shouldn’t be any other ones in there in the first place, should there? And if there are, well, a filter should be added to the script. … And also, you don’t exactly know who wrote the rest of the code executed on your system either. Obviously one is expected to read and understand the script before executing it. Which is why I edited the answer to make it readable. :) –  Aug 13 '22 at 11:25
  • 2
    @heynnema: Btw, the exact reason I was looking for a script was, because your way made it extremely cumbersome to find which ones were actually needed. So while your intention was undoubtedly good, one ended up writing a loop to do it to all of them anyway. ^^ –  Aug 13 '22 at 11:27
  • @Evi1M4chine re: "because your way made it extremely cumbersome to find which ones were actually needed"... a sudo apt update is all that's required to see which entries need conversion. – heynnema Aug 13 '22 at 12:21
  • @heynnema: No it isn’t, since your method demands manually finding which key is related to which warning, and doesn’t say how to do that. When the warning normally does not even include any strings that can even be found in apt-key list. … Your example got very lucky by having the XBMC in lowercase in that URL, and in uppercase in the key description. This can not be generalized, as one has no clue which part of the URL might match which part of the key description, and there is not necessarily any match at all. –  Aug 17 '22 at 22:43
  • 1
    If you get a Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). gpg: WARNING: nothing exported gpg: no valid OpenPGP data found. error, it is because the hash needs to be written in a single block. – David Beauchemin Sep 22 '22 at 16:15
  • @heynnema Thank you for the answer! How would you deal with W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease Key is stored in legacy ...? – Filbuntu Nov 08 '23 at 08:48
  • @Filbuntu Try this simple fix first... go to the Software & Updates app, Ubuntu Software tab, note which Download Server is selected, select any other country server, then do a sudo apt update, then change the server (back) to the server for your country, and do sudo apt update again. See if that fixes the problem. – heynnema Nov 08 '23 at 14:04
  • @Filbuntu I didn't tell you to uncheck all sources. That defeated the attempted fix. Check all sources, change download server to some other country, sudo apt update, change download server to your country, sudo apt update. – heynnema Nov 08 '23 at 18:35
  • @heynnema Wow, you are quick. Sorry that I shortened what I did. I did what you wrote several times WITHOUT unchecking all sources. I tried different servers around the world and switched back to my country again. As this did not work some days ago, I tried with unchecked sources (and server change) and restarted - this did not fix the problem, either. Today I tried your recommendation again but it still did not help. It is a pity as it would have been a nice and easy fix. – Filbuntu Nov 08 '23 at 18:50
  • @Filbuntu Then try this. Open Software & Updates, Authentication tab. See if you find an entry for "Ubuntu Archive". On my system, it shows the key ending in C0B21F32 (yours may be different). Use the last 8 numbers to create a new gpg key as per the instructions. Then do sudo apt update and see if the error is gone. – heynnema Nov 09 '23 at 03:22
  • @Filbuntu Show me ls -al /etc/apt/trusted.gpg.d/ubuntu-keyring*, and sudo apt-key list | grep -i "Ubuntu Archive" -B5. Put each command output into separate comments. – heynnema Nov 09 '23 at 14:16
  • 1
131

Came across this problem after moving to Ubuntu 22.04 and wanted to add my solution. I had a lot of keys that needed to be updated/converted. This is not an optimal solution, but works well.

This solution is specific to Ubuntu 22.04, with bash 5.2.16. Other distributions and versions may not work.

A one-liner to convert all those deprecated keys to the new format.

PLEASE TAKE THE TIME TO UNDERSTAND WHAT YOU’RE DOING HERE BEFORE RUNNING IT!! Also make sure your bash is not too old. My bash version: GNU bash, version 5.1.16(1)-release (x86_64-pc-linux-gnu)

for KEY in $(apt-key --keyring /etc/apt/trusted.gpg list | grep -E "(([ ]{1,2}(([0-9A-F]{4}))){10})" | tr -d " " | grep -E "([0-9A-F]){8}\b" ); do K=${KEY:(-8)}; apt-key export $K | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/imported-from-trusted-gpg-$K.gpg; done

And for those that want something more readable....

for KEY in $( \
    apt-key --keyring /etc/apt/trusted.gpg list \
    | grep -E "(([ ]{1,2}(([0-9A-F]{4}))){10})" \
    | tr -d " " \
    | grep -E "([0-9A-F]){8}\b" \
); do
    K=${KEY:(-8)}
    apt-key export $K \
    | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/imported-from-trusted-gpg-$K.gpg
done

Explanation:

  1. Retrieve the list of known keys:

    apt-key list
    
  2. Find all groupings of hexadecimal characters that have 1 or 2 spaces in front of them, and are 4 characters long. Get the collection of those that have 10 groupings per line. This provides the full key signature.

    grep -E "(([ ]{1,2}(([0-9A-F]{4}))){10})"
    
  3. Trim away (delete) all spaces on each line found, so that the key signature is unbroken by white space:

    tr -d " "
    
  4. Grab the last 8 characters of each line:

    grep -E "([0-9A-F]){8}\b"
    

    Now we have a collection of key suffixes, each 8 characters in length.

  5. Cycle through each key suffix, placing the current suffix in the KEY variable:

    for KEY in $(…); do
    
  6. Assign the last 8 characters to the variable K:

    K=${KEY:(-8)};
    
  7. Export the key that matches the signature in K and pass/pipe it to gpg to properly store it:

    apt-key export $K | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/imported-from-trusted-gpg-$K.gpg
    
  8. Loop until all keys are processed.

    done
    
  9. Enjoy no more deprecation warnings.

Special thanks to heynnema whose solution is at the core of this.

nickspoon
  • 103
JDMcMillian
  • 1,482
  • 7
    Not sure why this doesn't have more upvotes... It works like a charm. – dentex Aug 07 '22 at 19:03
  • THIS is how to do this! –  Aug 11 '22 at 16:05
  • 1
    Note that the “not optimal” part probably refers to this “polluting” the new key directory with these keys, which stay there even if they are replaced (leading to duplicates) or even revoked (e.g. due to being compromised). So once every ppa has caught up, this needs to be cleaned up again! (rm -f /etc/apt/trusted.gpg.d/imported-from-trusted-gpg-*.gpg) –  Aug 11 '22 at 16:28
  • Simply amazing! Thanks! – TheodorosPloumis Sep 08 '22 at 15:43
  • Doesn't work for me on Mint 21. My Update Manager error message was W:https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy... After copying the bash script as given above into upd.sh, and running it, I get the warning message Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)) followed by ./upd.sh: 7: Bad substitution – FumbleFingers Sep 15 '22 at 13:40
  • The command listed above is not a shell script. It's a single command on the command line. The '\' characters at the end of each line were added by karel to make it easier to read, but you can copy/paste the entire blub into a command line prompt. Having said that, I had over 20 to convert when I wrote this command. If you have only 1 or 2 keys to transform, I recommend following heynnema's original (accepted) solution to understand better. A script or even a large (albeit a single line) command should never replace your understanding on any Linux-based system. – JDMcMillian Sep 16 '22 at 23:20
  • @JDMcMillian thanks for the great explanation of the steps you used here. – JJGabe Oct 21 '22 at 15:33
  • 1
    I confirm functionality also on Linux Mint 21 (bash version 5.1.16(1)). Thank you, good job. – Martin Osusky Dec 11 '22 at 12:20
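The two answers above differ on how to tell which legacy key belongs to which repository. As an added example (not code from either answer), this parser pairs every fingerprint in `apt-key list` output with its uid and prints the export commands for review without running them. It uses the full 40-digit fingerprint, which gpg accepts as a key identifier, instead of the last 8 digits; the sample listing, function names and file-name scheme are assumptions.

```bash
#!/bin/sh
# Added example: pair each fingerprint in `apt-key list` output with its uid.

# Constructed sample in the layout `apt-key list` prints. The first entry is the
# one quoted in the first answer; the second is made up.
sample_listing() {
cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa1024 2009-01-20 [SC]
      1897 01DA 570C 56B9 488E  F60A 6D97 5C47 91E7 EE5E
uid           [ unknown] Launchpad PPA for XBMC for Linux

pub   rsa4096 2020-01-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ unknown] Example Repo (constructed) <repo@example.invalid>
sub   rsa4096 2020-01-01 [E]
EOF
}

# stdin: a key listing. stdout: "<fingerprint>\t<file-name slug>\t<uid>" per key.
list_legacy_keys() {
    awk '
        /^pub / { want_fpr = 1; want_uid = 0; next }
        want_fpr {
            fpr = $0; gsub(/ /, "", fpr); want_fpr = 0
            # A v4 fingerprint is 40 hex digits once the spaces are removed.
            if (length(fpr) == 40 && fpr ~ /^[0-9A-F]+$/) want_uid = 1
            next
        }
        want_uid && /^uid / {
            uid = $0; i = index(uid, "] ")
            if (i > 0) { uid = substr(uid, i + 2) } else { sub(/^uid +/, "", uid) }
            slug = tolower(uid)
            gsub(/<[^>]*>/, "", slug)        # drop any e-mail address
            gsub(/[^a-z0-9]+/, "-", slug)    # keep the name filesystem-safe
            gsub(/^-+|-+$/, "", slug)
            printf "%s\t%s\t%s\n", fpr, slug, uid
            want_uid = 0                     # first uid only
        }
    '
}

# Dry run: print one export command per key for review; nothing is executed.
migration_plan() {
    list_legacy_keys | while IFS="$(printf '\t')" read -r fpr slug uid; do
        printf '# %s\nsudo apt-key export %s | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/%s.gpg\n' \
            "$uid" "$fpr" "$slug"
    done
}

sample_listing | migration_plan
```

On a real system, pipe `apt-key --keyring /etc/apt/trusted.gpg list 2>/dev/null` into `migration_plan` and keep only the lines for repositories that `sudo apt update` warned about.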
29

What worked for me was:

mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/
mykahveli
  • 391
  • 1
    This worked for me as well. Plus, I had difficulties with the chosen answer as it was so complex but doing this one worked and was easy. I'm on Linux Mint (Vanessa) – Barra Aug 09 '22 at 16:27
  • This didn't resolve the issue in Mint vanessa, I had to go to the sources list and remove the problem ones – Alkanshel Aug 10 '22 at 00:56
  • This worked for me on Mint21. I laboriously followed the complicated instructions of the top-rated answer, but was eventually stymied by some kind of "syntax error" (to do with the teamviewer key being differently structured/stored, I think). To be on the safe side I did a full system backup with fsarchiver before running the single-line solution given here. But everything looks fine after rebooting, TY – FumbleFingers Sep 15 '22 at 13:55
  • Worked on Mint 21 :-) – c05772 Oct 27 '22 at 21:54
  • 2
    How about softlinking it instead of moving it, for added compatibility? –  Nov 24 '22 at 13:18
  • I think @Evi1M4chine had the right idea, to create a soft symlink in case something gets clobbered in the future. This worked great on Linux Mint Vanessa. For reference, the problem occurred when my spouse's wifi dropped while he was doing an update. I first tried the "export" solution outlined by heynnema, which gave me a warning that apt-key was deprecated and didn't seem to make a difference. So I scrolled farther down to see these suggestions. Thank you. – Criminally Inane Nov 27 '22 at 21:31
  • This worked for me on Ubuntu 22.04.3, too. But by adding the sudo privilege. – Reza K Ghazi Sep 24 '23 at 23:38
8

I modified @Frank's function to remove the key from the legacy trusted.gpg to avoid duplication.

function apt-key-migrate {
    typeset key="$1"
    typeset dest="$2"

    if [ -z "$key" ] || [ -z "$dest" ]; then
        echo "Usage: apt-key-migrate <key> <destination>"
        return 1
    fi

    # Export the key from the legacy keyring into its own file under trusted.gpg.d
    sudo apt-key --keyring /etc/apt/trusted.gpg export "$key" | sudo gpg --dearmour -o "/etc/apt/trusted.gpg.d/$dest.gpg"
    # Delete the legacy copy only if the new file exists and is not empty
    test -s "/etc/apt/trusted.gpg.d/$dest.gpg" && sudo apt-key --keyring /etc/apt/trusted.gpg del "$key"
}

CAAHS
  • 141
6

I've turned @heynnema's answer into a function, which you can place under .bashrc for convenience. This takes two arguments: the key (last 8 characters) and the destination filename for the output GPG file.

function apt-key-migrate {
  typeset key="$1"
  typeset dest="$2"

  if [ -z "$key" ] || [ -z "$dest" ]; then
    echo "Usage: apt-key-migrate <key> <destination>"
    return 1
  fi

  # Export the key and store it de-armored in its own file under trusted.gpg.d
  sudo apt-key export "$key" | sudo gpg --dearmour -o "/etc/apt/trusted.gpg.d/$dest.gpg"
}

Example: apt-key-migrate 91E7EE5E team-xbmc

2

apt-key is deprecated and shall be replaced in the long run on Ubuntu 22.04.

When you need it, you may delete an existing key with:

apt-key list

and

apt-key del YOUR-KEY

Import your key with a command like:

curl https://yourrepo.com/repo.key | gpg --dearmor | sudo dd of=/usr/local/share/keyrings/your-repo.gpg

Add the signature to /etc/apt/sources.list.d/your.list

deb [signed-by=/usr/local/share/keyrings/your-repo.gpg] https://yourrepo.com/ubuntu jammy main

More details on the manual:
link

Good details here as well: link

frank_108
  • 281
  • 1
  • 2
  • 6
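A key in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d is accepted for every configured repository, while the signed-by option in the last answer limits a key to the one source that names it. As an added example (not code from any answer), this check reads one-line-style source entries and reports which ones pin a keyring; the function names and the sample entries are assumptions, and deb822 `.sources` files are not handled.

```bash
#!/bin/sh
# Added example: report which one-line APT source entries pin a keyring.

# Constructed sample entries. The first is modelled on the line in the last
# answer, the second on a PPA URL from the question; the others are made up.
sample_sources() {
cat <<'EOF'
deb [signed-by=/usr/local/share/keyrings/your-repo.gpg] https://yourrepo.com/ubuntu jammy main
deb http://ppa.launchpad.net/team-xbmc/ppa/ubuntu jammy main
# deb http://example.invalid/disabled jammy main
deb-src [arch=amd64 signed-by=/etc/apt/keyrings/example.gpg] https://example.invalid/ubuntu jammy main
EOF
}

# stdin: one-line-style source entries.
# stdout: "<scoped|global>\t<uri>\t<keyring or empty>" for each active entry.
audit_sources() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }   # skips comments and blanks
        {
            line = $0; keyring = ""
            if ($2 ~ /^\[/) {                     # optional [option=value ...] block
                lb = index(line, "["); rb = index(line, "]")
                n = split(substr(line, lb + 1, rb - lb - 1), opt, " ")
                for (i = 1; i <= n; i++)
                    if (index(opt[i], "signed-by=") == 1)
                        keyring = substr(opt[i], 11)
                line = substr(line, 1, lb - 1) substr(line, rb + 1)
            }
            split(line, f, " ")
            printf "%s\t%s\t%s\n", (keyring == "" ? "global" : "scoped"), f[2], keyring
        }
    '
}

# Number of active entries that rely on the globally trusted keyrings.
count_global() {
    audit_sources | grep -c '^global' || true
}

sample_sources | audit_sources
```

To check a real system, feed it `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list`.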