22

I'm creating a package that will automatically install some repositories on all hosts in the LAN. The package will be accessible from the central repository.

I've discovered that repo lists can be dropped in '/etc/apt/sources.list.d/*.list'. Now I need to import their keys, for instance, this one. However, when I drop it into '/etc/apt/trusted.gpg.d/Opera.gpg', apt-get update gives me plenty of NO_PUBKEY errors for all repos I have, including Opera!

What's wrong? :)

kolypto
  • 611

4 Answers

23

Keys downloaded from repositories should be joined into a new GPG keyring so you can drop them into '/etc/apt/trusted.gpg.d/*.gpg', like this:

gpg --no-default-keyring --keyring ./Opera.gpg --import Opera.key
sudo cp Opera.gpg /etc/apt/trusted.gpg.d/Opera.gpg
Jorge Castro
  • 71,754
  • 4
    Doesn't work, neither with version gpg 1.4.x nor 2.1: gpg: keyblock resource './Opera.gpg': file open error and gpg: no writable keyring found: eof. To make it work, you need to do first: touch Opera.gpg – Tino Apr 15 '18 at 20:43
  • I think this answer is completely misleading or at least outdated. The current Ubuntu does not support the GPG keybox database file format as a keyring fragment. The file generated by the command suggested in this answer is actually a keybox database instead of a key file. – Wang Aug 02 '23 at 11:47
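The two comments above describe the same trap from two sides: a new --keyring file created by gpg 2.1+ is a keybox database, and apt ignores keybox files in /etc/apt/trusted.gpg.d/ with "unsupported filetype". The following POSIX shell check is an added example (not code from the answer or the commenters) that tells the formats apart by their leading bytes before you copy a file into place. The sample files it builds are constructed header fragments, not real keys; the GnuPG keybox magic "KBXf" at offset 8 and the OpenPGP public-key packet tags (0x98/0x99/0x9a old format, 0xc6 new format) are the markers it relies on, and the apt >= 1.4 acceptance of .asc files is assumed from Wang's answer below.

```shell
#!/bin/sh
# apt_key_file_type FILE -> prints: binary-keyring | keybox | armored | unknown
# Probe the binary markers first so no NUL bytes are captured by $(...).
apt_key_file_type() {
    f=$1
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case $first in
        98|99|9a|c6) echo binary-keyring; return 0 ;;   # OpenPGP public-key packet
    esac
    # GnuPG keybox: 32-byte header blob, magic "KBXf" at bytes 8..11
    if [ "$(head -c 12 "$f" | tail -c 4)" = KBXf ]; then
        echo keybox; return 0
    fi
    if [ "$(head -c 36 "$f")" = '-----BEGIN PGP PUBLIC KEY BLOCK-----' ]; then
        echo armored; return 0
    fi
    echo unknown; return 1
}

# apt_key_file_ok FILE -> 0 if apt would load it from trusted.gpg.d / signed-by:
# a binary OpenPGP keyring named *.gpg, or (apt >= 1.4, assumed) armor named *.asc.
# A keybox is rejected whatever it is called.
apt_key_file_ok() {
    f=$1
    t=$(apt_key_file_type "$f") || true
    case "$f:$t" in
        *.gpg:binary-keyring) return 0 ;;
        *.asc:armored)        return 0 ;;
    esac
    return 1
}

# make_samples DIR: constructed fragments (not real keys) so this runs offline.
make_samples() {
    d=$1; mkdir -p "$d"
    # public-key packet, tag 6, old-format header 0x99 (2-byte length), version 4
    printf '\231\001\015\004' > "$d/binary.gpg"
    # keybox header blob: length, type=1, version=1, flags, then "KBXf"
    printf '\000\000\000\040\001\001\000\000KBXf\000\000\000\000' > "$d/keybox.gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'mQ==' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$d/armored.asc"
    printf 'not a key\n' > "$d/junk.gpg"
}

# Demo: classify each sample, then clean up.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for s in "$demo_dir"/*; do
    printf '%s: %s\n' "$(basename "$s")" "$(apt_key_file_type "$s" || true)"
done
rm -rf "$demo_dir"
```

Run apt_key_file_ok against the file you are about to install; if it reports a keybox, export the keys out of it with "gpg --no-default-keyring --keyring that.kbx --export > name.gpg" (as in Wang's answer) rather than copying the keybox itself.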
17

You can actually get the best of both worlds: create an additional keyring in /etc/apt/trusted.gpg.d/ and use apt-key instead of gpg directly.

If you already have a keyfile locally, such as Opera.key, then run the following command:

sudo apt-key --keyring /etc/apt/trusted.gpg.d/Opera.gpg add Opera.key

Of course, you can still import the key directly as MestreLion demonstrated:

wget -q -O - http://deb.opera.com/archive.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/Opera.gpg add -
  • 1
    Note that specifying the keyring Opera.gpg will create the keyring in the current directory, not /etc/apt/trusted.gpg.d. Therefore make sure to either specify the full path, or to move the newly created keyring to the /etc/apt/trusted.gpg.d directory (apt version 1.2.27). – jII Jul 09 '18 at 19:17
  • For people looking to import keys from a key server, I found this command useful: apt-key --keyring /etc/apt/trusted.gpg.d/keyring-name.gpg adv --keyserver keyserver.ubuntu.com --recv GPGKEYID – Guss Jun 23 '21 at 08:56
  • apt-key is deprecated: see https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1307181#1307181 – kolypto Aug 11 '23 at 12:14
2

Additionally, you could use apt-key to add the key for you instead of manually dropping a file into that path. Assuming you saved the file as Opera.key:

sudo apt-key add Opera.key

You could even download and import the key file on-the-fly, instead of saving it to a local file:

wget -q -O - http://deb.opera.com/archive.key | sudo apt-key add -

apt-key manages the contents of the main /etc/apt/trusted.gpg file instead of using the directory, which may be a convenience or a burden for you.

MestreLion
  • 20,086
  • apt-key has been deprecated for a long time already and will eventually go away after Ubuntu 22.04 – Wang Aug 02 '23 at 10:35
  • 1
    @Wang: true, but consider that my answer is almost 10 years old, way before apt-key was deprecated. Currently I use apt-manage from repolib, which does the proper thing: add the key to /etc/apt/keyrings and pin it to a particular repository – MestreLion Aug 02 '23 at 13:30
-1

I think the accepted answer is completely misleading or at least outdated. The current Ubuntu does not support the GPG keybox database file format as a keyring fragment.

If you use that answer the apt update will raise warning: W: The key(s) in the keyring /etc/apt/trusted.gpg.d/test.gpg are ignored as the file has an unsupported filetype.

The other answers involve the deprecated command apt-key, which does not exist anymore in the current Ubuntu release.

The correct way to do this is

# cd into a dir which is 700 for yourself
# fetch the keys into a throwaway keyring (gpg >= 2.1 creates a keybox here)
gpg --no-default-keyring --keyring tmp.keyring.gpg --keyserver keyserver.ubuntu.com --recv-keys <key-id1> <key-id2>
# export them as a plain binary OpenPGP keyring, which is what apt accepts
gpg --no-default-keyring --keyring tmp.keyring.gpg --output my-keys.gpg --export
sudo cp my-keys.gpg /etc/apt/trusted.gpg.d/

And please note that the new apt supports armoured key files, so if you already have the .asc file you do NOT need to dearmor it as on old Ubuntu (<16.04).

Wang
  • 635
  • 1
    True, any answer suggesting apt-key, including mine, is deprecated in 2023. But so is manually adding globally-trusted keys to /etc/apt/trusted.gpg.d/, as that was the main reason for deprecating apt-key! This is better explained in this answer, and a good solution is described in this one – MestreLion Aug 02 '23 at 13:54
  • Unfortunately, @MestreLion, your suggestion is not good. It depends on the 3rd-party tool apt-manage – Wang Aug 02 '23 at 15:34
  • You can always do it manually, as described in my first link. That answer, among many others, has detailed steps on how to pin a downloaded key to a specific repository. apt-manage is just a convenience. Suggesting /etc/apt/trusted.gpg.d/ is no better than using apt-key: you might not be using a deprecated tool, but you're simply manually doing the same deprecated approach. – MestreLion Aug 02 '23 at 17:05
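The last exchange points at the approach that replaces both apt-key and global trusted.gpg.d fragments: keep the key under /etc/apt/keyrings and bind it to one repository with the signed-by option, so a compromised or careless vendor key cannot vouch for any other archive. The script below is an added example, not code from any of the answers or from repolib's apt-manage. It takes the directories as parameters so it can be exercised in a temp dir; the real locations would be /etc/apt/keyrings and /etc/apt/sources.list.d. The Opera suite and component names ("stable", "non-free") are assumed for illustration; only the host deb.opera.com appears on this page. The key content used in the demo is a constructed armored block, not a real key.

```shell
#!/bin/sh
# install_repo_key KEYRINGS_DIR NAME KEYFILE -> prints the installed path.
# apt reads armored keys as NAME.asc and binary keyrings as NAME.gpg, so the
# extension is chosen from the content; a wrong extension is silently ignored.
install_repo_key() {
    dir=$1 name=$2 src=$3
    if [ "$(head -c 5 "$src")" = '-----' ]; then ext=asc; else ext=gpg; fi
    dest="$dir/$name.$ext"
    mkdir -p "$dir" && chmod 0755 "$dir"
    cp "$src" "$dest" && chmod 0644 "$dest"   # the _apt user must be able to read it
    printf '%s\n' "$dest"
}

# write_pinned_source SOURCES_DIR NAME KEYRING URL SUITE COMPONENTS -> list path.
# One-line format; the deb822 equivalent is a "Signed-By:" field in a .sources file.
write_pinned_source() {
    dir=$1 name=$2 keyring=$3 url=$4 suite=$5 comps=$6
    mkdir -p "$dir"
    list="$dir/$name.list"
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$comps" > "$list"
    printf '%s\n' "$list"
}

# signed_by_of LISTFILE -> keyring path named by the first "deb [...]" line.
signed_by_of() {
    sed -n 's/^deb \[.*signed-by=\([^] ]*\).*/\1/p' "$1" | head -n 1
}

# check_pinned_source LISTFILE -> 0 if the entry is pinned to a readable keyring.
# Catches the classic mistakes: no signed-by at all, or a keyring path that
# points at a file which was never installed / is unreadable.
check_pinned_source() {
    k=$(signed_by_of "$1")
    [ -n "$k" ] && [ -r "$k" ]
}

# Demo in a temp dir with a constructed (fake) armored key.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'ZmFrZQ==' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo/archive.key"
key=$(install_repo_key "$demo/keyrings" opera "$demo/archive.key")
list=$(write_pinned_source "$demo/sources.list.d" opera "$key" \
    https://deb.opera.com/opera-stable/ stable non-free)
cat "$list"
check_pinned_source "$list" && echo "pinned to $(signed_by_of "$list")"
rm -rf "$demo"
```

For a package that rolls this out to every host, ship the key file in the package payload and have the postinst call the two install functions with the real paths; do not fetch the key over plain HTTP at install time, since whoever can tamper with that download controls what the hosts will trust.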