Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead


I was installing elasticsearch following this guide, but elasticsearch is not really the part of this question.

In the first step, I need to add the key:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

and got the following message:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

The installation process was fine, but since it’s deprecated, I’m looking for the new usage that replaces apt-key. (I have no problem installing the package.) From man apt-key I saw

apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Binary keyring files intended to be used with any apt version should
therefore always be created with gpg --export.

but it didn’t say the alternative to apt-key add. I tried

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --export

but didn’t work. So what do I use after the pipe of wget when apt-key is removed?


Adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories.
This is exactly why apt-key had to be deprecated.

Short version

Do what Signal does.
If you want to use the key at https://example.com/EXAMPLE.gpg for a repository listed in /etc/apt/sources.list.d/EXAMPLE.list, use:

wget -O- https://example.com/EXAMPLE.gpg |
    gpg --dearmor |
    sudo tee /usr/share/keyrings/EXAMPLE.gpg > /dev/null

echo "deb [signed-by=/usr/share/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" |
    sudo tee /etc/apt/sources.list.d/EXAMPLE.list

# Optional (you can find the email address / ID using `apt-key list`)
sudo apt-key del [email protected]

Long version

While the deprecation notice recommends adding the key to /etc/apt/trusted.gpg.d, this is an insecure solution. To quote this article from Linux Uprising:

The reason for this change is that when adding an OpenPGP key that’s used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don’t have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).

The proper solution is explained in that Linux Uprising article and on the Debian Wiki: Store the key in /usr/share/keyrings/, and then reference the key in the apt source list.

Therefore, the appropriate method is as follows:

  1. Download the key from https://example.com/EXAMPLE.gpg and store it in /usr/share/keyrings/EXAMPLE.gpg.
    The Debian wiki explains that you should dearmor the key (i.e. convert it from base64 to binary) for compatibility with older software. The > /dev/null simply stops the binary key from being displayed in your terminal.

    wget -O- https://example.com/EXAMPLE.gpg |
        gpg --dearmor |
        sudo tee /usr/share/keyrings/EXAMPLE.gpg > /dev/null

    Optionally, you can verify that the file you downloaded is indeed a PGP key by running file /usr/share/keyrings/EXAMPLE.gpg and inspecting the output.

  2. Add the key to the source file that is used by the repository.
    Find the appropriate file in /etc/apt/sources.list.d/ and edit it so that it links to the keyring you just added.
    If the file doesn’t exist, you can make one.
    In the end, it should look something like this:

    deb [signed-by=/usr/share/keyrings/EXAMPLE.gpg] https://example.com/apt stable main

  3. Remove the key from apt-key, if it was added before.
    Run sudo apt-key list to list all the keys, and find the one that was previously added.
    Using the key’s email address or fingerprint, run sudo apt-key del [email protected].
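As an added example (not code from the original answer), a POSIX shell helper set for the three steps above: it dearmors a key into a keyring, checks that a keyring is really binary rather than still ASCII-armored, builds the signed-by sources line, and audits a sources file for entries that still fall back to the global trusted.gpg.d keyring. Every path, repository URL and file content below is a constructed assumption.

```shell
#!/bin/sh
# Added example, not the original answer's code: helpers for the signed-by
# workflow plus an audit for entries that still rely on the global
# trusted.gpg(.d) keyring. All paths and sample values are constructed.

# Dearmor an ASCII-armored key into a binary keyring usable with signed-by.
# Usage: install_keyring <armored-key-file> <keyring-path>   (needs gpg)
install_keyring() {
    gpg --dearmor < "$1" > "$2" && chmod 0644 "$2"
}

# Succeed only if the file is non-empty and not still ASCII-armored. Older apt
# versions need a binary keyring behind signed-by, so an armored file saved
# without --dearmor would break signature verification for that repository.
keyring_is_binary() {
    [ -s "$1" ] || return 1
    if head -c 40 "$1" | grep -aq -- '-----BEGIN PGP'; then
        return 1
    fi
    return 0
}

# Print the sources.list line that binds a repository to exactly one keyring.
# Usage: sources_line <keyring-path> <repo-url> <suite> <components>
sources_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Print every active deb/deb-src line in a sources file that lacks signed-by.
# Such entries accept any key in /etc/apt/trusted.gpg.d, which is the exposure
# the answer describes. Returns 1 if at least one such line was found.
unpinned_entries() {
    awk '/^[ \t]*deb(-src)?[ \t]/ && !/signed-by=/ { print; n++ }
         END { exit n ? 1 : 0 }' "$1"
}

# Demo on a constructed sources file (no root and no network needed).
demo_dir=$(mktemp -d)
{
    sources_line /usr/share/keyrings/EXAMPLE.gpg https://example.com/apt stable main
    echo 'deb https://legacy.example.net/apt focal main'
} > "$demo_dir/EXAMPLE.list"
if unpinned_entries "$demo_dir/EXAMPLE.list"; then
    echo "all entries carry signed-by"
else
    echo "entries above trust the global keyring; pin them with signed-by"
fi
rm -rf "$demo_dir"
```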

Additional resources

Source: StackOverflow.com
