Recently apt-key
has been deprecated, which has meant that running apt update
on my Debian 9 (“stretch”) machine started giving out warnings such as Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8)
. In these notes are documented how I fixed these warnings for:
Overview § The general process is, for each application:
Find the key (usually on the application’s website somewhere). Install the key to /usr/share/keyrings/<application>-archive-keyring.gpg
.
* Depending upon whether the key is ASCII, non-ASCII or a keyserver affects how we install the key. Update /etc/apt/sources.list.d/<application>.list
to add [signed-by=/usr/share/keyrings/<application>-archive-keyring.gpg]
. Run apt-key del
to delete the key from /etc/apt/trusted.gpg
. The process for each application is detailed below, since there are some special steps.
Dropbox § Add to keyring § Dropbox have a keyserver, as mentioned in their official installation guide for Linux . However, when I tried to use their suggested keyserver pgp.mit.edu
I always got an error:
$ sudo gpg --no-default-keyring --keyring /usr/share/keyrings/dropbox-archive-keyring.gpg --keyserver pgp.mit.edu --recv-keys 1C61A2656FB57B7E4DE0F4C1FC918B335044912E
gpg: keyserver receive failed: No data
This can be fixed by using the keyserver hkp://keyserver.ubuntu.com:80
, which I found mentioned here :
sudo gpg --no-default-keyring --keyring /usr/share/keyrings/dropbox-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1C61A2656FB57B7E4DE0F4C1FC918B335044912E
Next, open dropbox.list
for editing:
sudo nano /etc/apt/sources.list.d/dropbox.list
And add [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg]
after deb
so it looks like:
deb [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg] https://linux.dropbox.com/debian stretch main
Remove from /etc/apt/trusted.gpg
§ Now we need to remove the Dropbox key from /etc/apt/trusted.gpg
. First we need to find the key:
$ apt-key list | grep dropbox --before= 2
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub rsa2048 2010-02-11 [SC]
1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E
uid [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>
Take the last 8 characters of the key (i.e. 1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E
→ 5044912E
) and then delete it:
$ sudo apt-key del 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Sublime Text § Add to keyring § Sublime Text provides an ASCII key , so we can add it with:
curl https://download.sublimetext.com/sublimehq-pub.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/sublime-text-archive-keyring.gpg
Now we open sublime-text.list
for editing:
sudo nano /etc/apt/sources.list.d/sublime-text.list
And add the signed-by
section:
deb [signed-by=/usr/share/keyrings/sublime-text-archive-keyring.gpg] https://download.sublimetext.com/ apt/stable/
Remove from /etc/apt/trusted.gpg
§ Find the key in apt-key list
:
$ apt-key list | grep sublime --before= 2
pub rsa4096 2017-05-08 [SCEA]
1EDD E2CD FC02 5D17 F6DA 9EC0 ADAE 6AD2 8A8F 901A
uid [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>
Remove the key:
$ sudo apt-key del 8A8F901A
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Enpass § Add to keyring § The official Linux install instructions are for apt-key
, which is deprecated. However, from it we can see they provide an ASCII key . So we can install it with:
curl https://dl.sinew.in/keys/enpass-linux.key | gpg --dearmor | sudo tee /usr/share/keyrings/enpass-archive-keyring.gpg
Open enpass.list
for editing:
sudo nano /etc/apt/sources.list.d/enpass.list
And add the signed-by
section:
deb [signed-by=/usr/share/keyrings/enpass-archive-keyring.gpg] http://repo.sinew.in/ stable main
Remove from /etc/apt/trusted.gpg
§ Find the key in apt-key list
:
$ apt-key list | grep enpass --before= 2
pub rsa2048 2015-05-02 [SC]
B6DA 722E 2E65 721A F54B 9396 6F75 6587 9798 C2FC
uid [ unknown] Enpass Packaging Team <package@enpass.io>
Remove the key:
$ sudo apt-key del 9798C2FC
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
NodeJS (Node Source) § Add to keyring § Node Source does seem to have the most up-to-date instructions , though they omit -archive-keyring.gpg
from the keyring name. For consistency I prefer to use the same format as all the previous applications, so adjusted their instructions to:
curl https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/nodesource-archive-keyring.gpg
Open nodesource.list
for editing:
sudo nano /etc/apt/sources.list.d/nodesource.list
And add the signed-by
section to both lines:
deb [signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main
deb-src [signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main
Remove from /etc/apt/trusted.gpg
§ Find the key in apt-key list
:
$ apt-key list | grep nodesource --before= 2
pub rsa4096 2014-06-13 [SC]
9FD3 B784 BC1C 6FC3 1A8A 0A1C 1655 A0AB 6857 6280
uid [ unknown] NodeSource <gpg@nodesource.com>
Remove the key:
$ sudo apt-key del 68576280
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Conclusion § That’s it! Now you can run apt update
and there will be no more deprecation warnings for these applications.
Appendix § Full apt update
warning prior to fix §
$ sudo apt update
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:2 http://repo.sinew.in stable InRelease
Ign:3 http://ftp.us.debian.org/debian stretch InRelease
Hit:4 https://deb.nodesource.com/node_10.x stretch InRelease
Hit:5 http://ftp.us.debian.org/debian stretch-updates InRelease
Ign:6 http://linux.dropbox.com/debian stretch InRelease
Hit:7 http://ftp.us.debian.org/debian testing InRelease
Hit:8 http://ftp.us.debian.org/debian stretch Release
Get:9 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [759 kB]
Ign:10 http://httpredir.debian.org/debian stretch InRelease
Hit:11 https://download.sublimetext.com apt/stable/ InRelease
Hit:12 http://linux.dropbox.com/debian stretch Release
Hit:13 http://httpredir.debian.org/debian stretch Release
Fetched 812 kB in 2s (434 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://repo.sinew.in/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://deb.nodesource.com/node_10.x/dists/stretch/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://linux.dropbox.com/debian/dists/stretch/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
References §