smhk

Fixing apt-key deprecation on Debian 9 ("stretch")

Recently apt-key has been deprecated, which has meant that running apt update on my Debian 9 (“stretch”) machine started giving out warnings such as Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8). In these notes are documented how I fixed these warnings for:

Overview §

The general process is, for each application:

  • Find the key (usually on the application’s website somewhere).
  • Install the key to /usr/share/keyrings/<application>-archive-keyring.gpg. * Depending upon whether the key is ASCII, non-ASCII or a keyserver affects how we install the key.
  • Update /etc/apt/sources.list.d/<application>.list to add [signed-by=/usr/share/keyrings/<application>-archive-keyring.gpg].
  • Run apt-key del to delete the key from /etc/apt/trusted.gpg.

The process for each application is detailed below, since there are some special steps.

Dropbox §

Add to keyring §

Dropbox have a keyserver, as mentioned in their official installation guide for Linux. However, when I tried to use their suggested keyserver pgp.mit.edu I always got an error:

$ sudo gpg --no-default-keyring --keyring /usr/share/keyrings/dropbox-archive-keyring.gpg --keyserver pgp.mit.edu --recv-keys 1C61A2656FB57B7E4DE0F4C1FC918B335044912E
gpg: keyserver receive failed: No data

This can be fixed by using the keyserver hkp://keyserver.ubuntu.com:80, which I found mentioned here:

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/dropbox-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1C61A2656FB57B7E4DE0F4C1FC918B335044912E

Next, open dropbox.list for editing:

sudo nano /etc/apt/sources.list.d/dropbox.list

And add [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg] after deb so it looks like:

deb [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg] https://linux.dropbox.com/debian stretch main

Remove from /etc/apt/trusted.gpg §

Now we need to remove the Dropbox key from /etc/apt/trusted.gpg. First we need to find the key:

$ apt-key list | grep dropbox --before=2
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>

Take the last 8 characters of the key (i.e. 1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E5044912E) and then delete it:

$ sudo apt-key del 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Sublime Text §

Add to keyring §

Sublime Text provides an ASCII key, so we can add it with:

curl https://download.sublimetext.com/sublimehq-pub.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/sublime-text-archive-keyring.gpg

Now we open sublime-text.list for editing:

sudo nano /etc/apt/sources.list.d/sublime-text.list

And add the signed-by section:

deb [signed-by=/usr/share/keyrings/sublime-text-archive-keyring.gpg] https://download.sublimetext.com/ apt/stable/

Remove from /etc/apt/trusted.gpg §

Find the key in apt-key list:

$ apt-key list | grep sublime --before=2
pub   rsa4096 2017-05-08 [SCEA]
      1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
uid           [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>

Remove the key:

$ sudo apt-key del 8A8F901A
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Enpass §

Add to keyring §

The official Linux install instructions are for apt-key, which is deprecated. However, from it we can see they provide an ASCII key. So we can install it with:

curl https://dl.sinew.in/keys/enpass-linux.key | gpg --dearmor | sudo tee /usr/share/keyrings/enpass-archive-keyring.gpg

Open enpass.list for editing:

sudo nano /etc/apt/sources.list.d/enpass.list

And add the signed-by section:

deb [signed-by=/usr/share/keyrings/enpass-archive-keyring.gpg] http://repo.sinew.in/ stable main

Remove from /etc/apt/trusted.gpg §

Find the key in apt-key list:

$ apt-key list | grep enpass --before=2
pub   rsa2048 2015-05-02 [SC]
      B6DA 722E 2E65 721A F54B  9396 6F75 6587 9798 C2FC
uid           [ unknown] Enpass Packaging Team <package@enpass.io>

Remove the key:

$ sudo apt-key del 9798C2FC
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

NodeJS (Node Source) §

Add to keyring §

Node Source does seem to have the most up-to-date instructions, though they omit -archive-keyring.gpg from the keyring name. For consistency I prefer to use the same format as all the previous applications, so adjusted their instructions to:

curl https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/nodesource-archive-keyring.gpg

Open nodesource.list for editing:

sudo nano /etc/apt/sources.list.d/nodesource.list

And add the signed-by section to both lines:

deb [signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main
deb-src [signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main

Remove from /etc/apt/trusted.gpg §

Find the key in apt-key list:

$ apt-key list | grep nodesource --before=2
pub   rsa4096 2014-06-13 [SC]
      9FD3 B784 BC1C 6FC3 1A8A  0A1C 1655 A0AB 6857 6280
uid           [ unknown] NodeSource <gpg@nodesource.com>

Remove the key:

$ sudo apt-key del 68576280
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Conclusion §

That’s it! Now you can run apt update and there will be no more deprecation warnings for these applications.

Appendix §

Full apt update warning prior to fix §

$ sudo apt update
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:2 http://repo.sinew.in stable InRelease
Ign:3 http://ftp.us.debian.org/debian stretch InRelease
Hit:4 https://deb.nodesource.com/node_10.x stretch InRelease
Hit:5 http://ftp.us.debian.org/debian stretch-updates InRelease
Ign:6 http://linux.dropbox.com/debian stretch InRelease
Hit:7 http://ftp.us.debian.org/debian testing InRelease
Hit:8 http://ftp.us.debian.org/debian stretch Release
Get:9 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [759 kB]
Ign:10 http://httpredir.debian.org/debian stretch InRelease
Hit:11 https://download.sublimetext.com apt/stable/ InRelease
Hit:12 http://linux.dropbox.com/debian stretch Release
Hit:13 http://httpredir.debian.org/debian stretch Release
Fetched 812 kB in 2s (434 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://repo.sinew.in/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://deb.nodesource.com/node_10.x/dists/stretch/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://linux.dropbox.com/debian/dists/stretch/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

References §