
How to Fix Key is Stored in Legacy trusted.gpg Keyring in Ubuntu

You may see the "Key is stored in legacy trusted.gpg keyring" or "apt-key is deprecated" message when you update your system or add new third-party repositories using the apt-key or apt-add-repository utilities. Generally, these are not errors but only warnings, and everything will work as expected.

But if you want this warning to disappear, you can fix it. This article will dive into why Apt prints this warning and how to avoid it.

Where is the Issue

This warning means that a key for a third-party repository is stored in the deprecated location /etc/apt/trusted.gpg. It resembles the move of third-party repository settings from /etc/apt/sources.list into /etc/apt/sources.list.d/, which happened a few years ago. But that's not the only reason.

All packages from third-party repositories that you add to your system should be signed with a GPG key, and this key must be trusted by your system. So, when you add a new repository to your system, you add not only a record about it in /etc/apt/sources.list.d but also its key, which used to be saved into /etc/apt/trusted.gpg by default.

It works, but the problem is that apt fully trusts the keys from this location (and from /etc/apt/trusted.gpg.d too). Any of these keys can be used to verify packages from any repository. For example, the key from Elasticsearch could be used to sign MySQL packages. The developers consider this a security issue: as a result, packages from the official repositories may be replaced by malicious ones from third-party repositories. They want to stop this cross-signing and check the signature of each repository's packages only with that repository's own key, which protects official repository packages from replacement.

It is a reasonable approach. But it seems that, at the moment of writing, the protection mechanism is not yet implemented by default in Ubuntu 22.04 or Debian 11. Even if you place keys correctly, sensitive packages can be overridden. So, I think this is the first step toward adding the feature in the future. If I'm wrong and you know how to get this protection working, tell me about it in the comments section.

Now, let's have a look at how to deal with GPG keys. First of all, each third-party repository should have a key that is used to check the signature of its packages. To achieve this, the developers recommend saving the key for each repository in a separate file, but not in the /etc/apt/trusted.gpg.d directory: there is the /etc/apt/keyrings directory for additional keys. After placing a key in that directory, configure the path to the key using the signed-by option in the repository's /etc/apt/sources.list.d/*.list file.

At the moment, the apt-key command is deprecated, and the /etc/apt/trusted.gpg key storage is deprecated too. But you can still store keys in /etc/apt/trusted.gpg.d, and a lot of repositories use this possibility. However, some already use the new approach, for example the official Elasticsearch repository. It is not a big change, but it is the first step toward doing things properly.

How to fix Key is Stored in Legacy trusted.gpg Keyring

You may notice that many earlier tutorials recommend using apt-key for adding a repository key. But now you will see only the gpg command in all new tutorials. Actually, the apt-key command is a wrapper for the gpg command that automatically provides the required parameters. Now we need to pass everything explicitly.

No changes to the system are required, and you can use the new commands in old distribution releases too.

So, if you want to remove this warning, avoid it in the future, and do all things in the right way, you need to follow a few steps:

  • Forget about apt-key and add all keys manually using gpg.
  • Forget about apt-add-repository and add PPA manually.
  • Move all keys from /etc/apt/trusted.gpg to /etc/apt/keyrings and specify the path to the key for each third-party repository.

Let's start with the last step and move all keys for third-party repositories from trusted.gpg into the /etc/apt/keyrings folder.

Moving Keys into /etc/apt/keyrings (Proper Way)

If you want to remove the deprecation message about legacy key storage and improve the security of your system in the future, move all keys for third-party repositories from trusted.gpg into the /etc/apt/keyrings folder. Then, specify the path to the key for each repository in /etc/apt/sources.list.d.

First of all, find all keys which you want to move. Use the following command to do this:

sudo apt-key list

You will see all keys installed in your system. Look only for keys that are stored in the trusted.gpg file. Usually, keys are grouped by file, and the ones from trusted.gpg are located at the top of the list. In the example, this is the key for the MySQL repository. You can also see the key for the Google Chrome repository, but it is placed in trusted.gpg.d, and apt is satisfied with this. You can move this key too if you want to improve the security of your system.

Find a line that starts with pub. The fingerprint of the key is above that line. Take the last eight characters of the fingerprint and remove the spaces. Now you have the key identifier, which can be used to export it. In this case, it is 3A79BD29. Run the following command to export the key with ID 3A79BD29:

sudo apt-key export 3A79BD29 | sudo gpg --dearmour -o /etc/apt/keyrings/mysql.gpg

The file name does not matter, but it is better when it helps you understand which repository the key belongs to.

Repeat this procedure for each key stored in the trusted.gpg file. After that, you must specify the path to the key for each repository. In this example, the repository was added in the /etc/apt/sources.list.d/mysql.list file. Add the signed-by option with the path to the key to each line in this file that starts with deb. For example:

deb [signed-by=/etc/apt/keyrings/mysql.gpg] https://….

If there are other options, they all go inside the same square brackets, separated by spaces (as in [arch=amd64 signed-by=...]); several values of one option, such as architectures, are separated by a comma. After that, you can delete the key from the legacy storage:

sudo apt-key del 3A79BD29

When everything is done, run the update command and check that there are no warnings any more:

sudo apt update
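The procedure above, generalized to every key in the legacy file, as an added example that is not part of the original article: it parses `apt-key list` output, keeps only the keys under /etc/apt/trusted.gpg (not trusted.gpg.d), derives the short IDs and prints the export and delete commands as a dry run. The listing and its fingerprints are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: find the keys that still sit
# in the legacy /etc/apt/trusted.gpg file (keys under /etc/apt/trusted.gpg.d/
# are skipped), derive the short IDs used by apt-key export, and print the
# migration commands as a dry run instead of executing them.

legacy_key_ids() {
    # stdin: `apt-key list` output; stdout: "<short id><TAB><uid>" per key
    awk '
        /^\// { legacy = ($0 == "/etc/apt/trusted.gpg"); id = ""; next }
        {
            fp = $0; gsub(/ /, "", fp)              # a fingerprint is 40 hex chars
            if (legacy && length(fp) == 40 && fp ~ /^[0-9A-Fa-f]+$/)
                id = substr(fp, 33)                   # last eight characters
        }
        legacy && id != "" && /^uid/ {
            sub(/^uid +\[[^]]*\] +/, "")             # drop "uid [ unknown]"
            print id "\t" $0; id = ""
        }'
}

# Constructed sample of `apt-key list` output; the fingerprints are fake.
SAMPLE_LISTING='/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2017-02-22 [SC] [expires: 2023-02-21]
      1111 2222 3333 4444 5555  6666 7777 8888 3A79 BD29
uid           [ unknown] MySQL Release Engineering (constructed sample)
pub   rsa4096 2020-01-01 [SC]
      AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 DEAD BEEF
uid           [ unknown] Example Repo Signing Key (constructed sample)

/etc/apt/trusted.gpg.d/google-chrome.gpg
----------------------------------------
pub   rsa4096 2016-04-12 [SC]
      ABCD ABCD ABCD ABCD ABCD  ABCD ABCD ABCD ABCD ABCD
uid           [ unknown] Google Chrome repo key (constructed sample)'

# Print export/delete commands per legacy key; the keyring file name is taken
# from the first word of the uid (e.g. mysql.gpg). Nothing is executed.
migration_plan() {
    printf '%s\n' "$SAMPLE_LISTING" | legacy_key_ids |
    while IFS="$(printf '\t')" read -r id uid; do
        name=$(printf '%s' "$uid" | awk '{ print tolower($1) }')
        echo "sudo apt-key export $id | sudo gpg --dearmor -o /etc/apt/keyrings/$name.gpg"
        echo "sudo apt-key del $id"
    done
}
migration_plan
```

On a real system, replace the sample with `sudo apt-key list | legacy_key_ids` and review the printed commands before running them, since the file name and the signed-by entry for each repository still need a human decision.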

Moving Keys into /etc/apt/trusted.gpg.d/ (Acceptable Way)

As I said before, at the moment only the trusted.gpg file is considered deprecated for storing keys. If you don't want to specify the signed-by option for each repository, you can just move the keys into the /etc/apt/trusted.gpg.d folder. They can still be used for checking the signatures of all repositories, but apt will not warn you about this. The procedure is the same as in the previous section.

First, find all keys that are stored in the trusted.gpg file:

sudo apt-key list

Then, export each key into the trusted.gpg.d folder:

sudo apt-key export 3A79BD29 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/mysql.gpg

And remove it from the legacy storage:

sudo apt-key del 3A79BD29

In this case, you are not required to specify the signed-by option for each repository: the keys are already trusted by apt for all repositories.

If you choose this approach, you can skip the next sections. The apt-key utility in recent versions of Ubuntu places keys for third-party repositories into /etc/apt/trusted.gpg.d, so it is enough to convert the old keys. If you want to configure keys as recommended by the Ubuntu developers, read the following section.

How to Add Key without apt-key

At this moment, the apt-key command is deprecated, and it is not recommended for adding keys to your system. Use the gpg command instead. Note that keys can be provided in two formats: ASCII-armored with a .asc extension and binary with a .gpg extension. But apt supports only binary keys with a .gpg extension.

So in many cases, you can't just copy the downloaded key into the /etc/apt/trusted.gpg.d or /etc/apt/keyrings folder. Usually, keys are distributed in ASCII format, and you must convert them using gpg. Let's have a look at the full process of adding the Google Chrome repository. Download the key:

wget https://dl.google.com/linux/linux_signing_key.pub

Then, convert it into binary format and save it:

cat linux_signing_key.pub | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/chrome.gpg

You can do the same in one command:

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo gpg --dearmor -o /etc/apt/keyrings/chrome.gpg

After that, add the signed-by option with the path to the key to the repository configuration. For Google Chrome, the command looks like this:

sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/chrome.gpg] http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list'

After that, run sudo apt update to check that everything works and that your system has discovered the key.

If the key is distributed in binary format, you can copy it directly into the required folder:

wget -q -O - https://url | sudo tee /etc/apt/trusted.gpg.d/reponame.gpg

How to Add PPA without apt-add-repository

The apt-add-repository command uses apt-key for adding keys, so you can't use this tool for adding PPAs or other repositories. There is no simple way to get the repository URL and its key on the command line, but you can find all required data on the repository's page on launchpad.net. Just expand the Technical details about this PPA section, located under the section with commands for adding the repository. For example, the Firefox PPA:

Here you can see the fingerprint of the key. In this case, it is AF316E81A155146718A6FBD7A6DCF7707EBC211F. You can add this key to your system with this command:

sudo gpg --homedir /tmp --no-default-keyring --keyring /etc/apt/keyrings/firefox.gpg --keyserver keyserver.ubuntu.com --recv-keys AF316E81A155146718A6FBD7A6DCF7707EBC211F

After that, add a record about this repository into /etc/apt/sources.list.d. Choose the version of your distribution on the PPA page and copy the lines that are above the key:

Create the /etc/apt/sources.list.d/firefox.list file and paste the copied text into it.

If you have decided not to store keys in /etc/apt/trusted.gpg.d, you must also add the path to the key using the signed-by option. If the key is stored in /etc/apt/keyrings/firefox.gpg, the result will look like this:

deb [signed-by=/etc/apt/keyrings/firefox.gpg] https://ppa.launchpadcontent.net/ubuntu-mozilla-security/ppa/ubuntu jammy main
deb-src [signed-by=/etc/apt/keyrings/firefox.gpg] https://ppa.launchpadcontent.net/ubuntu-mozilla-security/ppa/ubuntu jammy main

After that, you can update the package lists with sudo apt update, as before, and ensure that everything works.

Wrapping Up

Now you know the meaning of the warning "Key is stored in legacy trusted.gpg keyring" and how to fix it. The developers have started a serious and important transformation of the package manager's security model, but at the moment it is a bit complicated for regular users.

Adding keys using apt-key or repositories using apt-add-repository is more straightforward than the new approach. Maybe these tools will be updated to support the new way of storing keys.

Many repositories already offer correct commands for adding them to your system. For others, you can do everything manually as described above, or continue using apt-key and ignore the warnings.

The article is distributed under the Creative Commons ShareAlike 4.0 license. A link to the source is required.
