Recent versions of Debian and Ubuntu have moved away from the apt-key command for importing GPG signing keys, a shift initiated with Debian 11 and Ubuntu 22.04. This command was previously used for adding GPG keys to the system but now generates a warning: “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).” While apt-key can still be used, future releases plan to eliminate its support entirely.
This guide focuses on a secure alternative for importing GPG repository signing keys into systems like Ubuntu, Debian, Linux Mint, and Pop!_OS using the signed-by method.
Importing GPG Keys Without apt-key
To import an OpenPGP key, use either wget or curl to download it, then dearmor it and save it on your system. For instance, to add the Webmin PPA GPG key, you can use:
- Using wget command:
wget -O- https://download.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee /usr/share/keyrings/jcameron-key.gpg > /dev/null 2>&1
- Using curl command:
curl -fsSL https://download.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee /usr/share/keyrings/jcameron-key.gpg > /dev/null 2>&1
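These commands create a /usr/share/keyrings/jcameron-key.gpg file on your system. Because tee creates that file even when the download or the dearmor step fails, confirm that it is not empty and holds the key you expect before treating the import as successful.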
Configuring a GPG Key on Debian
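After importing the key, you need to link it to the repository. This involves editing the repository’s PPA file and adding the signed-by parameter to reference the newly created key file. With signed-by, apt accepts this key only for this repository, instead of trusting it for every configured source as keys added with apt-key were. For the Webmin PPA, modify the file at /etc/apt/sources.list.d/webmin.list to include: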
deb [signed-by=/usr/share/keyrings/jcameron-key.gpg] https://download.webmin.com/download/repository sarge contrib
After saving and closing the file, the PPA is properly configured with the GPG key.
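The import and signed-by steps above, combined into one script that refuses to install a key whose fingerprint does not match one obtained separately from the vendor. This is an added example, not part of the original article; the function names and the EXPECTED_FPR placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). EXPECTED_FPR is a placeholder
# for a fingerprint obtained from the vendor over a separate channel.

# Read `gpg --with-colons` output on stdin; print each primary key's
# fingerprint (field 10 of the first "fpr" record after a "pub" record).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Succeed only if two fingerprints match, ignoring spaces and letter case.
# A file with several primary keys yields several lines, so it never matches
# a single expected fingerprint.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build the sources.list entry that pins one repository to one keyring file.
signed_by_line() {  # args: keyring uri suite component
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Usage: import_repo_key URL EXPECTED_FPR DEST
import_repo_key() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp -d) || return 1
    # -f: fail on HTTP errors rather than saving an error page as the "key".
    if ! curl -fsSL "$url" -o "$tmp/key.asc"; then
        rm -rf "$tmp"; echo "download failed" >&2; return 1
    fi
    actual=$(gpg --show-keys --with-colons "$tmp/key.asc" 2>/dev/null | primary_fprs)
    if ! fpr_matches "$expected" "$actual"; then
        rm -rf "$tmp"; echo "fingerprint mismatch, got: $actual" >&2; return 1
    fi
    # Install only after the check passed; root-owned and world-readable.
    gpg --dearmor < "$tmp/key.asc" > "$tmp/key.gpg" &&
        sudo install -m 0644 -o root -g root "$tmp/key.gpg" "$dest"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# import_repo_key https://download.webmin.com/jcameron-key.asc \
#     "$EXPECTED_FPR" /usr/share/keyrings/jcameron-key.gpg &&
# signed_by_line /usr/share/keyrings/jcameron-key.gpg \
#     https://download.webmin.com/download/repository sarge contrib |
#     sudo tee /etc/apt/sources.list.d/webmin.list
```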
Conclusion
By following these steps, you’ve successfully integrated a new PPA with a GPG key into your system, adopting the newer, more secure method recommended for Debian and Ubuntu systems. Although currently optional, this practice is slated to become mandatory in future releases, underscoring the importance of familiarizing oneself with this method for system security enhancements.
1 Comment
Finally, something that makes adding a pubkey to apt sound simple. But I stumble at the first step. How do you find a repository’s public key file?????