Sam Hooke

Fixing apt-key deprecation on Debian 9 ("stretch")

Recently apt-key has been deprecated, which has meant that running apt update on my Debian 9 (“stretch”) machine started giving warnings such as "Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8)". These notes document how I fixed these warnings for Dropbox, Sublime Text, Enpass and NodeJS (Node Source).

Overview

The general process is, for each application:

  • Find the key (usually on the application’s website somewhere).
  • Install the key to /usr/share/keyrings/<application>-archive-keyring.gpg.
      • How we install the key depends on whether it is ASCII, non-ASCII or on a keyserver.
  • Update /etc/apt/sources.list.d/<application>.list to add [signed-by=/usr/share/keyrings/<application>-archive-keyring.gpg].
  • Run apt-key del to delete the key from /etc/apt/trusted.gpg.

The process for each application is detailed below, since there are some special steps.

Dropbox

Add to keyring

Dropbox have a keyserver, as mentioned in their official installation guide for Linux. However, when I tried to use their suggested keyserver pgp.mit.edu I always got an error:

$ sudo gpg --no-default-keyring --keyring /usr/share/keyrings/dropbox-archive-keyring.gpg --keyserver pgp.mit.edu --recv-keys 1C61A2656FB57B7E4DE0F4C1FC918B335044912E
gpg: keyserver receive failed: No data

This can be fixed by using the keyserver hkp://keyserver.ubuntu.com:80, which I found mentioned here:

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/dropbox-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 1C61A2656FB57B7E4DE0F4C1FC918B335044912E

Next, open dropbox.list for editing:

sudo nano /etc/apt/sources.list.d/dropbox.list

And add [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg] after deb so it looks like:

deb [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg] https://linux.dropbox.com/debian stretch main

Remove from /etc/apt/trusted.gpg

Now we need to remove the Dropbox key from /etc/apt/trusted.gpg. First we need to find the key:

$ apt-key list | grep dropbox --before=2
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>

Take the last 8 characters of the key (i.e. 1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E becomes 5044912E) and then delete it:

$ sudo apt-key del 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Sublime Text

Add to keyring

Sublime Text provides an ASCII key, so we can add it with:

curl -fsS https://download.sublimetext.com/sublimehq-pub.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/sublime-text-archive-keyring.gpg > /dev/null

Now we open sublime-text.list for editing:

sudo nano /etc/apt/sources.list.d/sublime-text.list

And add the signed-by section:

deb [signed-by=/usr/share/keyrings/sublime-text-archive-keyring.gpg] https://download.sublimetext.com/ apt/stable/

Remove from /etc/apt/trusted.gpg

Find the key in apt-key list:

$ apt-key list | grep sublime --before=2
pub   rsa4096 2017-05-08 [SCEA]
      1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
uid           [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>

Remove the key:

$ sudo apt-key del 8A8F901A
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Enpass

Add to keyring

The official Linux install instructions are for apt-key, which is deprecated. However, from them we can see that they provide an ASCII key, so we can install it with:

curl -fsS https://dl.sinew.in/keys/enpass-linux.key | gpg --dearmor | sudo tee /usr/share/keyrings/enpass-archive-keyring.gpg > /dev/null

Open enpass.list for editing:

sudo nano /etc/apt/sources.list.d/enpass.list

And add the signed-by section:

deb [signed-by=/usr/share/keyrings/enpass-archive-keyring.gpg] http://repo.sinew.in/ stable main

Remove from /etc/apt/trusted.gpg

Find the key in apt-key list:

$ apt-key list | grep enpass --before=2
pub   rsa2048 2015-05-02 [SC]
      B6DA 722E 2E65 721A F54B  9396 6F75 6587 9798 C2FC
uid           [ unknown] Enpass Packaging Team <package@enpass.io>

Remove the key:

$ sudo apt-key del 9798C2FC
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

NodeJS (Node Source)

Add to keyring

Node Source does seem to have the most up-to-date instructions, though they omit -archive-keyring.gpg from the keyring name. For consistency I prefer to use the same format as all the previous applications, so I adjusted their instructions to:

curl -fsS https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/nodesource-archive-keyring.gpg > /dev/null

Open nodesource.list for editing:

sudo nano /etc/apt/sources.list.d/nodesource.list

And add the signed-by section to both lines:

deb [signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main
deb-src [signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main

Remove from /etc/apt/trusted.gpg

Find the key in apt-key list:

$ apt-key list | grep nodesource --before=2
pub   rsa4096 2014-06-13 [SC]
      9FD3 B784 BC1C 6FC3 1A8A  0A1C 1655 A0AB 6857 6280
uid           [ unknown] NodeSource <gpg@nodesource.com>

Remove the key:

$ sudo apt-key del 68576280
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Conclusion

That’s it! Now you can run apt update and there will be no more deprecation warnings for these applications.
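
To confirm that every third-party source is now pinned to its own keyring, the following check is an added example (not part of the original notes). It assumes signed-by holds a single file path; the function names and the ROOT prefix are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: flag deb/deb-src entries with no signed-by (still relying on
# the global trusted.gpg) or whose keyring file is absent or empty.

# audit_sources DIR [ROOT] -> prints "<status> <file> <keyring>" per entry.
# ROOT is a hypothetical prefix so the check can run against a sample tree.
audit_sources() {
    dir=$1
    root=${2:-}
    for f in "$dir"/*.list; do
        [ -e "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                deb\ *|deb-src\ *) ;;   # only active source entries
                *) continue ;;          # skip comments and blank lines
            esac
            # Pull the path out of "[... signed-by=/path ...]" if present.
            ring=$(printf '%s\n' "$line" |
                sed -n 's/^deb[^ ]* *\[[^]]*signed-by=\([^] ]*\).*/\1/p')
            if [ -z "$ring" ]; then
                echo "no-signed-by ${f##*/} -"
            elif [ ! -s "$root$ring" ]; then
                echo "keyring-missing ${f##*/} $ring"
            else
                echo "ok ${f##*/} $ring"
            fi
        done < "$f"
    done
}

# Constructed sample tree (not taken from a real machine).
audit_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/sources.list.d" "$t/usr/share/keyrings"
    echo placeholder > "$t/usr/share/keyrings/dropbox-archive-keyring.gpg"
    cat > "$t/etc/apt/sources.list.d/dropbox.list" <<'EOF'
deb [signed-by=/usr/share/keyrings/dropbox-archive-keyring.gpg] https://linux.dropbox.com/debian stretch main
EOF
    cat > "$t/etc/apt/sources.list.d/enpass.list" <<'EOF'
deb http://repo.sinew.in/ stable main
EOF
    cat > "$t/etc/apt/sources.list.d/nodesource.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/nodesource-archive-keyring.gpg] https://deb.nodesource.com/node_10.x stretch main
EOF
    audit_sources "$t/etc/apt/sources.list.d" "$t"
    rm -rf "$t"
}

audit_demo
```

On a real machine, call audit_sources /etc/apt/sources.list.d with no second argument; any line other than "ok" points at a source that still needs one of the steps above.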

Appendix

Full apt update warning prior to fix

$ sudo apt update
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:2 http://repo.sinew.in stable InRelease
Ign:3 http://ftp.us.debian.org/debian stretch InRelease
Hit:4 https://deb.nodesource.com/node_10.x stretch InRelease
Hit:5 http://ftp.us.debian.org/debian stretch-updates InRelease
Ign:6 http://linux.dropbox.com/debian stretch InRelease
Hit:7 http://ftp.us.debian.org/debian testing InRelease
Hit:8 http://ftp.us.debian.org/debian stretch Release
Get:9 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [759 kB]
Ign:10 http://httpredir.debian.org/debian stretch InRelease
Hit:11 https://download.sublimetext.com apt/stable/ InRelease
Hit:12 http://linux.dropbox.com/debian stretch Release
Hit:13 http://httpredir.debian.org/debian stretch Release
Fetched 812 kB in 2s (434 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: http://repo.sinew.in/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://deb.nodesource.com/node_10.x/dists/stretch/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://download.sublimetext.com/apt/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://linux.dropbox.com/debian/dists/stretch/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
