The apt-key command is used to manage the keys that apt uses to authenticate packages being downloaded and installed on Debian-based Linux systems. Packages authenticated by keys in the local trusted set are considered trusted and can be installed on the system. According to official Debian and Ubuntu updates, Debian 11 and Ubuntu 22.04 are the last releases in which the apt-key utility will be available. If you use the apt-key command on either of these Linux distributions, you’ll get a warning message:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
The commonly used apt-key command options are:
- add filename – This command option is used for adding a new key to the list of trusted keys. The key is read from the filename given.
- list – Option used to list trusted keys on the system with fingerprints
- update – Update the local keyring with the archive keyring and remove from the local keyring the archive keys which are no longer valid
- adv – Useful when you need to pass advanced options to gpg. With adv --recv-key you can download a key from a keyserver directly into the trusted set of keys.
In this example we list trusted keys on our system:
$ sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc
------------------------------------------------------------
pub rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
B8B8 0B5B 623E AB6A D877 5C45 B7C5 D7D6 3509 47F8
uid [ unknown] Debian Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub rsa4096 2023-01-21 [S] [expires: 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.asc
---------------------------------------------------------------------
pub rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
05AB 9034 0C0C 5E79 7F44 A8C8 254C F3B5 AEC0 A8F0
uid [ unknown] Debian Security Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub rsa4096 2023-01-21 [S] [expires: 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc
---------------------------------------------------------
pub ed25519 2023-01-23 [SC] [expires: 2031-01-21]
4D64 FEC1 19C2 0290 67D6 E791 F8D2 585B 8783 D481
uid [ unknown] Debian Stable Release Key (12/bookworm) <[email protected]>
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.asc
------------------------------------------------------------
pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
1F89 983E 0081 FDE0 18F3 CC96 73A4 F27B 8DD4 7936
uid [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub rsa4096 2021-01-17 [S] [expires: 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.asc
---------------------------------------------------------------------
pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
AC53 0D52 0F2F 3269 F5E9 8313 A484 4904 4AAD 5C5D
uid [ unknown] Debian Security Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub rsa4096 2021-01-17 [S] [expires: 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.asc
---------------------------------------------------------
pub rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793
uid [ unknown] Debian Stable Release Key (11/bullseye) <[email protected]>
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.asc
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <[email protected]>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.asc
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.asc
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <[email protected]>
We can demonstrate this warning with the Wine APT repository key on a Debian / Ubuntu system. Let’s first install the dependencies required for this operation:
sudo apt update
sudo apt install gnupg2 wget ca-certificates
Confirm that the apt-key command is usable on your system.
$ which apt-key
/usr/bin/apt-key
Let’s download the APT key using the wget command.
wget -nc https://dl.winehq.org/wine-builds/winehq.key
Try importing the key into the trusted list using the add option, passing the name of the file that contains the key.
$ sudo apt-key add winehq.key
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Fix “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead”
The solution to this warning is to use gpg, an OpenPGP encryption and signing tool, to write the keys to the /etc/apt/trusted.gpg.d/ directory.
Install useful tools for the management of keys and repositories on a Debian based Linux system.
sudo apt update
sudo apt install gnupg2 wget ca-certificates lsb-release software-properties-common
Working with ASCII armored keys
ASCII armored keys look like text, while unarmored (binary) data looks like garbage to anyone who reads the key content with an inappropriate tool such as cat or a text editor. In this section we show an example of adding ASCII armored keys to your Debian / Ubuntu system.
Download an example key to be used. In this scenario we’re using winehq.key:
wget -nc https://dl.winehq.org/wine-builds/winehq.key
You can now add the key to the trusted list with the commands below:
cat winehq.key | gpg --dearmor > winehq.gpg
sudo install -o root -g root -m 644 winehq.gpg /etc/apt/trusted.gpg.d/
Alternatively, run the single command below, which serves the same purpose.
cat winehq.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/winehq.gpg >/dev/null
The --dearmor option unpacks the input from an OpenPGP ASCII armor. You can also write the keys to the /usr/share/keyrings/ directory.
The resulting stored key is in binary format. Below is a one-line command that downloads and unpacks a key:
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
We’ll add the WineHQ APT repository to confirm that the key we just added works. The base system used in this example is Debian 12 (Bookworm).
sudo add-apt-repository 'deb https://dl.winehq.org/wine-builds/debian/ bookworm main'
Watch out for any errors when running apt update. If everything is done right, it should work okay.
$ sudo apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 https://dl.winehq.org/wine-builds/debian bookworm InRelease
Hit:4 http://deb.debian.org/debian bookworm-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Working with non ASCII armor OpenPGP keys
Keys of this type can be downloaded and written directly to the secure trusted keys directory.
wget https://example.com/key/repo-key.gpg
sudo mv repo-key.gpg /usr/share/keyrings/reponame-archive-keyring.gpg
Or with a single command:
wget -O- https://example.com/key/repo-key.gpg | sudo tee /usr/share/keyrings/reponame-archive-keyring.gpg >/dev/null
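Keys in /etc/apt/trusted.gpg.d/ are trusted for every configured repository, while a key under /usr/share/keyrings/ is only used when a sources entry names it with signed-by. The following added example (not from the original article) installs a key in either format from the two sections above and builds the matching signed-by line; the function names, the KEYRING_DIR override and the winehq-archive file name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: install a repository key in either format and scope it with signed-by.
# KEYRING_DIR can be overridden to try the functions without root (assumption).
KEYRING_DIR="${KEYRING_DIR:-/usr/share/keyrings}"

# Return 0 if the file begins with an OpenPGP ASCII-armor header, 1 if it is binary.
is_armored() {
    head -c 64 "$1" | grep -aq -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Print the primary key fingerprint so it can be compared with the value the
# repository owner publishes out of band, before the key is trusted.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Store the key as a binary keyring in $KEYRING_DIR/<name>.gpg and print its path.
install_repo_key() {
    local src="$1" dest="$KEYRING_DIR/$2.gpg" tmp
    tmp="$(mktemp)" || return 1
    if is_armored "$src"; then
        gpg --dearmor < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    else
        cat "$src" > "$tmp"
    fi
    install -m 644 "$tmp" "$dest" && rm -f "$tmp" && printf '%s\n' "$dest"
}

# Build a sources.list line that accepts this key for one repository only.
sources_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Usage as root, with the WineHQ key and repository from this article:
#   key_fingerprint winehq.key      # compare with the published fingerprint
#   keyring=$(install_repo_key winehq.key winehq-archive)
#   sources_line "$keyring" https://dl.winehq.org/wine-builds/debian/ bookworm main \
#       > /etc/apt/sources.list.d/winehq.list
```

With a signed-by entry in place, the key does not need to be present in /etc/apt/trusted.gpg.d/ at all.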
That’s how you can easily resolve the “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead” warning message on Debian >=11 or Ubuntu >=22.04 Linux systems.