With the latest version of Ubuntu 22.04 and Debian 11, users start getting a warning message during the GPG key import that “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))“. The apt-key stores the key file in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d. In that case, a single key is also trusted for other repositories configured on your system. That creates security issues for the repositories on your systems. To overcome this issue, Ubuntu 22.04 and Debian 11 prompted to manage OpenPGP as keyring files.
Even if this is a warning message, you can continue to use apt-key, but it will be removed in the next releases. So it will be a good idea to start using the new way.
Problem:
As of today, we use the following command to add a GPG key to our system. It was working fine. While running the same command on Ubuntu 22.04, I got a warning message:
curl https://download.webmin.com/jcameron-key.asc | sudo apt-key add -
You should see the following output:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). OK
Solution:
Here is the new way of adding GPG keys to the system and avoiding the above warning.
- The following command will download a remote GPG key, encrypt it and save it under the
/usr/share/keyringsdirectory.wget https://download.webmin.com/jcameron-key.asccat jcameron-key.asc | gpg --dearmor >/usr/share/keyrings/jcameron-key.gpgYou can also merge the above two commands to a single command like:
curl https://download.webmin.com/jcameron-key.asc | gpg --dearmor >/usr/share/keyrings/jcameron-key.gpg - Next is to edit the repository configuration file (For eg: /etc/apt/sources.list.d/webmin.list) with a signed-by tag. That will define the gpg key stored in keyrings for your repository.
deb [signed-by=/usr/share/keyrings/jcameron-key.gpg] https://download.webmin.com/download/repository sarge contrib
You can see that the above repository configuration file referenced the GPG file ([signed-by=/usr/share/keyrings/jcameron-key.gpg]) stored in keyrings. That will restrict the packages to verify with this file only.
Conclusion
To enhance the security of your system, the latest Ubuntu system prefers to store GPG keys under keyrings. Also defined the key in the repository configuration to avoid the use of other keys.