With the latest versions of Ubuntu (22.04) and Debian (11), users get a warning during GPG key import: “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))“. apt-key stores the key in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, where it is trusted for every repository configured on the system, not only the one it was added for. A key from one third-party repository could therefore be used to sign packages for any other repository on your system, which is a security problem. To address this, Ubuntu 22.04 and Debian 11 prompt you to manage OpenPGP keys as separate keyring files.


Even though this is only a warning, you can continue to use apt-key for now, but it will be removed in a future release, so it is a good idea to start using the new way.

Problem:

As of today, we use the following command to add a GPG key to our system, and it was working fine. While running the same command on Ubuntu 22.04, I got a warning message:

curl https://download.webmin.com/jcameron-key.asc | sudo apt-key add - 

You should see the following output:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Solution:

Here is the new way of adding GPG keys to the system and avoiding the above warning.

  1. Import GPG Key

    You can choose any one of the options below to import the GPG key into the system keyrings.

    • Method 1: The following commands download a remote GPG key, convert it from ASCII-armored to binary format (gpg --dearmor) and save it under the /usr/share/keyrings directory.

    wget -nc https://download.webmin.com/jcameron-key.asc
    cat jcameron-key.asc | gpg --dearmor | sudo tee /usr/share/keyrings/jcameron-key.gpg > /dev/null

    • Method 2: We can also use the install command, which the operating system itself uses to copy files into the filesystem with a given owner and mode.

    wget -nc https://download.webmin.com/jcameron-key.asc
    cat jcameron-key.asc | gpg --dearmor > jcameron-key.gpg
    sudo install -o root -g root -m 644 jcameron-key.gpg /usr/share/keyrings/

    • Method 3: Instead of using multiple commands, you can merge them into a single pipeline (curl -f makes the download fail on an HTTP error instead of passing an error page to gpg):

    curl -fsSL https://download.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee /usr/share/keyrings/jcameron-key.gpg > /dev/null

  2. Update PPA

    Next, edit the repository configuration file (for example /etc/apt/sources.list.d/webmin.list) and add a signed-by option. That option tells apt which keyring file to use for this repository.

    deb [signed-by=/usr/share/keyrings/jcameron-key.gpg] https://download.webmin.com/download/repository sarge contrib

    You can see that the above repository configuration references the GPG keyring file ([signed-by=/usr/share/keyrings/jcameron-key.gpg]). apt will verify packages from this repository against that file only, so keys added for other repositories are not accepted here.

    Now you can update the cache with “apt update” and continue with the package installation.
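The two steps above (import the key, then bind the repository to it) as one script. This is an added example, not code from the original post or from the Webmin project; the function names, KEYRING_DIR and the EXPECTED_FPR placeholder are assumptions. It adds one check the page does not show: the key's fingerprint is compared with a value you obtained from the key owner before the keyring is installed, so a tampered or wrong download is refused rather than trusted.

```shell
#!/bin/sh
# Added example (not from the original post): download, dearmor, pin the
# fingerprint, install the keyring with root:root 644, write the signed-by entry.
# Assumptions: gpg, curl and sudo are available; KEYRING_DIR and the
# fingerprint placeholder below are yours to set.
set -eu

KEYRING_DIR=/usr/share/keyrings        # directory used on the page

# Build the one-line sources.list.d entry that binds a repository to a keyring.
# Usage: build_sources_entry KEYRING_PATH REPO_URL SUITE COMPONENT...
build_sources_entry() {
    keyring=$1; url=$2; suite=$3; shift 3
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$*"
}

# signed-by must be an absolute path to a binary (.gpg) or armored (.asc) keyring.
validate_keyring_path() {
    case $1 in
        /*.gpg|/*.asc) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the fingerprint(s) found in a keyring file (armored or binary), one per line.
keyring_fingerprints() {
    gpg --show-keys --with-colons "$1" | awk -F: '/^fpr:/ { print $10 }'
}

# Usage: install_signed_repo NAME KEY_URL EXPECTED_FPR REPO_URL SUITE COMPONENT...
install_signed_repo() {
    name=$1; key_url=$2; expected_fpr=$3; repo_url=$4; suite=$5; shift 5
    keyring="$KEYRING_DIR/$name.gpg"
    validate_keyring_path "$keyring"

    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    # -f: fail on HTTP errors instead of feeding an error page to gpg --dearmor
    curl -fsSL "$key_url" -o "$tmp/$name.asc"
    gpg --dearmor -o "$tmp/$name.gpg" "$tmp/$name.asc"

    # Refuse to install a key whose primary fingerprint is not the one we expect.
    actual_fpr=$(keyring_fingerprints "$tmp/$name.gpg" | head -n 1)
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "refusing to install $name: fingerprint $actual_fpr != expected $expected_fpr" >&2
        return 1
    fi

    sudo install -o root -g root -m 644 "$tmp/$name.gpg" "$keyring"
    build_sources_entry "$keyring" "$repo_url" "$suite" "$@" |
        sudo tee "/etc/apt/sources.list.d/$name.list" >/dev/null
    echo "installed $keyring and /etc/apt/sources.list.d/$name.list; now run: sudo apt update"
}

# Example invocation for the Webmin repository from the page. The fingerprint
# is a placeholder: replace it with the value published by the key's owner.
if [ "${1:-}" = "install" ]; then
    install_signed_repo jcameron-key https://download.webmin.com/jcameron-key.asc \
        "REPLACE_WITH_EXPECTED_40_HEX_FINGERPRINT" \
        https://download.webmin.com/download/repository sarge contrib
fi
```

Run it as `sh script.sh install` after filling in the fingerprint. The keyring is written to a temporary directory first and only copied into /usr/share/keyrings once the fingerprint matches, so nothing under apt's trust paths changes on a failed download or a mismatched key.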

Important Note: If you are still getting the error “Key is stored in legacy trusted.gpg keyring“, you may already have the key stored in the trusted.gpg keyring. To solve this, visit: https://tecadmin.net/resolved-key-is-stored-in-legacy-trusted-gpg-keyring/

Conclusion

To enhance the security of your system, the latest Ubuntu releases prefer to store GPG keys as separate keyring files, and to reference that key in the repository configuration so that no other keys are used to verify that repository.
