Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead
I was installing elasticsearch following this guide, but elasticsearch is not really part of this question.
In the first step, I need to add the key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
and got the following message:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
The installation process was fine, but since it's deprecated, I'm looking for the new usage that replaces apt-key. (I have no problem installing the package.) From man apt-key I saw
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
...
Binary keyring files intended to be used with any apt version should therefore always be created with gpg --export.
but it didn't say the alternative to apt-key add. I tried
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --export
but it didn't work. So what do I use after the pipe of wget when apt-key is removed?
Solution 1:[1]
Adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories.
This is exactly why apt-key had to be deprecated.
Short version
Do what Signal does.
If you want to use the key at https://example.com/EXAMPLE.gpg for a repository listed in /etc/apt/sources.list.d/EXAMPLE.list, use:
# Dearmor the key and write it into /usr/share/keyrings (root-owned, hence sudo tee)
wget -O- https://example.com/EXAMPLE.gpg |\
gpg --dearmor | sudo tee /usr/share/keyrings/EXAMPLE.gpg > /dev/null
# Scope that keyring to this one repository with signed-by
echo "deb [signed-by=/usr/share/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" |\
sudo tee /etc/apt/sources.list.d/EXAMPLE.list
# Optional (you can find the email address / ID using `apt-key list`)
sudo apt-key del [email protected]
Long version
While the deprecation notice recommends adding the key to /etc/apt/trusted.gpg.d, this is an insecure solution. To quote this article from Linux Uprising:
The reason for this change is that when adding an OpenPGP key that's used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don't have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).
The proper solution is explained in that Linux Uprising article and on the Debian Wiki: store the key in /usr/share/keyrings/, and then reference the key in the apt source list.
Therefore, the appropriate method is as follows:
- Download the key from https://example.com/EXAMPLE.gpg and store it in /usr/share/keyrings/EXAMPLE.gpg. The Debian wiki explains that you should dearmor the key (i.e. convert it from base64 to binary) for compatibility with older software.
wget -O- https://example.com/EXAMPLE.gpg |\
gpg --dearmor | sudo tee /usr/share/keyrings/EXAMPLE.gpg > /dev/null
- Add the key to the source file that is used by the repository. Find the appropriate file in /etc/apt/sources.list.d/ and edit it so that it links to the keyring you just added. If the file doesn't exist, you can make one. In the end, it should look something like this:
deb [signed-by=/usr/share/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
- Remove the key from apt-key, if it was added before. Run sudo apt-key list to list all the keys, and find the one that was previously added. Using the key's email address or fingerprint, run sudo apt-key del [email protected].
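As an added example (not code from either answer, and not Signal's or Debian's own tooling), here are small POSIX shell helpers for the signed-by workflow described above: one that detects a keyring that was copied into /usr/share/keyrings without being dearmored, one that builds the scoped sources.list entry, and one that audits a sources.list.d directory for repository lines that still lack signed-by, which are exactly the entries that trust every key in /etc/apt/trusted.gpg.d. Function names, the directory argument and the sample files are assumptions of this example; the helpers take paths as parameters and need neither root nor gpg to run.

```shell
#!/bin/sh
# Added example helpers for the signed-by workflow (not from the answers).
# Function names and sample inputs are this example's own assumptions.

# keyring_is_armored FILE
# Succeeds if FILE starts with an ASCII-armor header, i.e. the key was
# copied into /usr/share/keyrings without `gpg --dearmor`. apt expects a
# binary keyring there, so an armored file will not verify the repository.
keyring_is_armored() {
    head -c 11 "$1" | grep -q '^-----BEGIN'
}

# signed_by_line KEYRING URL SUITE COMPONENTS
# Prints the one-line sources.list entry that scopes KEYRING to this
# repository only (the [signed-by=...] option used in the answer above).
signed_by_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# unscoped_repos DIR
# Prints "file:line:entry" for every active deb/deb-src entry in DIR/*.list
# that carries no signed-by option. Such entries still accept any key in
# /etc/apt/trusted.gpg.d, which is the exposure the answer describes.
# Only the one-line .list format is handled, not deb822 .sources files.
unscoped_repos() {
    for f in "$1"/*.list; do
        [ -e "$f" ] || continue
        grep -nE '^[[:space:]]*deb(-src)?[[:space:]]' "$f" |
            grep -v 'signed-by=' |
            sed "s|^|$f:|"
    done
    return 0
}

# unscoped_repo_count DIR
# Number of unscoped entries, convenient for scripts and checks.
unscoped_repo_count() {
    unscoped_repos "$1" | wc -l | tr -d ' '
}

# Typical use on a real system (assumed paths):
#   keyring_is_armored /usr/share/keyrings/EXAMPLE.gpg && echo "needs gpg --dearmor"
#   unscoped_repos /etc/apt/sources.list.d
```

The audit only looks at the classic one-line .list format the answer uses; repositories declared in deb822-style .sources files, and the main /etc/apt/sources.list, have to be checked separately.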
Solution 2:[2]
Answer found here: https://suay.site/?p=526
In short:
Retrieve the key and add the key (URL and NAME are placeholders):
curl -s URL | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/NAME.gpg --import
Authorize the user _apt:
sudo chown _apt /etc/apt/trusted.gpg.d/NAME.gpg
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | FWDekker |
| Solution 2 | dvtkrlbs |