
With Ubuntu 22.04 and beyond, apt-key has been deprecated and will eventually be removed.

This creates deprecation messages, so to solve this and attempt to improve security, I followed the following topics:

What commands (exactly) should replace the deprecated apt-key?

Key is stored in legacy trusted.gpg keyring after Ubuntu 22.04 update [duplicate]

I exported almost all keys from /etc/apt/trusted.gpg to a directory /usr/share/keyrings following the information in this answer:

This answer is a customization of the one provided by matigo user here. You need to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings for every repo.

This led to exporting many keys from the deprecated keyring into the /usr/share/keyrings directory created by me. For each exported key, I also created/updated its associated three .list files, with the list files being stored in /etc/apt/sources.list.d.

After that I deleted the keys I exported:

sudo apt-key del LAST_8_KEY_DIGITS
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

While apt-key throws this recommendation of using the /etc/apt/trusted.gpg.d directory, from what I read in this thread answer it should be avoided as well:

All of the answers so far work around the symptom ("Don't use apt-key add") but fail to address the actual problem that led to apt-key add being deprecated. The problem is not a question of appending a key to one big keyring file /etc/apt/trusted.gpg vs manually putting single-key keyring files into the directory /etc/apt/trusted.gpg.d/. These two things are equivalent, and doing either one is a huge security risk.

Now that you have your converted key, do not add it to apt's trusted keystore by copying it into /etc/apt/trusted.gpg.d/. Instead, put it somewhere like /etc/apt/keyrings/. (You might need to create that keyrings directory first.) There's nothing special about that location, it's just a convention recommended by man 5 sources.list in Ubuntu 22.04 and a related Debian Wiki entry.

So after following those threads and implementing the suggestions, I now have:

  • Repository .list files in /etc/apt/sources.list.d.
  • The actual GPG keys in /usr/share/keyrings.

I am able to run apt update and it correctly hits all the third-party repositories I exported from the deprecated file of apt-key.

The question is, is it possible to edit the "Software & Updates" program of Ubuntu (software-properties-gtk) to show the GPG keys again?

Not having them in the /etc/apt/trusted.gpg.d/ directory or the /etc/apt/trusted.gpg file is better for security from what I understand, but now software-properties-gtk cannot list repositories.

In this process of deprecating apt-key and improving security, is it possible to point software-properties-gtk to /etc/apt/sources.list.d and /usr/share/keyrings for it to show me the repositories in the "Other Software" tab of the "Software & Updates" GUI?

Grateful for any insight!
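
One way to check the result of the migration described in the question, as an added example that is not part of the original post: the script reports which repository entries are tied to a specific keyring and which still fall back to the global trust store. It assumes one-line-style .list files (not deb822 .sources) that reference their keyring through the signed-by option from sources.list(5); the function names and the sample repositories are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Handles one-line .list entries only.

# Report each active deb/deb-src entry in DIR as PINNED (has signed-by=...)
# or GLOBAL (no signed-by: apt verifies it against every key in
# /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/).
audit_sources() {
    dir=${1:-/etc/apt/sources.list.d}
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*(#|$)/ { next }                 # comments and blank lines
            $1 != "deb" && $1 != "deb-src" { next }
            {
                opts = ""; rest = $0
                if (match($0, /\[[^]]*\]/)) {        # options sit in [ ... ]
                    opts = substr($0, RSTART + 1, RLENGTH - 2)
                    rest = substr($0, RSTART + RLENGTH)
                } else {
                    sub(/^[ \t]*[^ \t]+/, "", rest)  # drop the type field
                }
                split(rest, a, " "); uri = a[1]
                key = ""
                n = split(opts, o, " ")
                for (i = 1; i <= n; i++)
                    if (o[i] ~ /^signed-by=/) key = substr(o[i], 11)
                if (key != "") printf "%s:%d: PINNED %s %s\n", file, NR, uri, key
                else           printf "%s:%d: GLOBAL %s\n", file, NR, uri
            }' "$f"
    done
}

# Number of entries that still rely on the global trust store.
count_global() {
    audit_sources "$1" | grep -c ' GLOBAL ' || true
}

# Write two constructed sample .list files into DIR (hypothetical repositories).
make_sample() {
    cat > "$1/pinned.list" <<'EOF'
# constructed sample
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.invalid/apt stable main
EOF
    cat > "$1/legacy.list" <<'EOF'
deb https://legacy.example.invalid/apt stable main
EOF
}
```

Calling `audit_sources` with no argument reads /etc/apt/sources.list.d; any line reported as GLOBAL is an entry whose signatures apt will accept from any key left in the legacy keyring locations.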
