
Let me set the stage for you. It’s time to update or upgrade your Linux server or desktop, which should be done regularly without fail. You open the terminal window and run apt-get update, only to be presented with the following warning:

Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Although the above warning will not prevent you from running the upgrade, the apt-key command has been deprecated and will likely someday fail to work. One reason apt-key has been deprecated is that it could cause the system to accept signatures from third-party keyholders for all other repositories configured on your system that don’t have a signed-by option.

Should that happen, any unofficial apt repository with a signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d could replace any package on the system. That could cause significant security problems down the road, should a third-party repository contain malicious code.

There are two different methods to fix this.


How to solve the apt-key error the smart way

The first method will take you a bit of time, as it’s manual and requires you to comb through your list of keys. Here’s how.

Open a terminal window and issue the command:

sudo apt-key list

This will produce several entries, depending on how many sources you’ve added to the system, that look like this:

pub   rsa4096 2022-01-31 [SC] [expires: 2024-01-31]
  DF44 CF0E 1930 9195 C106  9AFE 6299 3C72 4218 647E
uid       [ unknown] Vivaldi Package Composer KEY08 <>
sub   rsa4096 2022-01-31 [E] [expires: 2024-01-31]

What you must do is copy the final 8 characters of the second line—in the example above, that would be 4218647E—and then run the command to fix the problem:

sudo apt-key export 4218647E | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/vivaldi.gpg

It’s important to change not only the 8 characters to match the key but also the file name at the end of the command. As you can see, the key I’m trying to fix belongs to Vivaldi.

You must do this for every key that triggers the apt-key warning. You will receive the same warning while doing so, but that’s because you’re using the apt-key command and piping it to the gpg --dearmor command. Once you fix each entry, you will no longer receive that warning when running apt-get update.
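
To avoid retyping the export command for each key, the following added example (not from the article) reads apt-key list output and prints the matching export commands without running them. It assumes the keyring-path header lines that apt-key list prints above each group of keys; the function names, the name-plus-key-ID file naming and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): dry-run planner for the manual fix.
# Reads `apt-key list` output on stdin and prints one export command per key
# stored in the legacy /etc/apt/trusted.gpg keyring. Nothing is executed.
plan_exports() {
    awk '
    # Keyring path header: only keys under the legacy file need migrating.
    /^\/etc\/apt\// { legacy = ($0 == "/etc/apt/trusted.gpg"); id = ""; next }
    # Fingerprint line: 40 hex digits once the spacing is removed.
    /^[ \t]+[0-9A-F \t]+$/ {
        fp = $0; gsub(/[ \t]/, "", fp)
        if (legacy && length(fp) == 40) id = substr(fp, 33)  # final 8 characters
        next
    }
    # First uid line after a fingerprint supplies the file name.
    /^uid/ && id != "" {
        owner = substr($0, index($0, "]") + 1); sub(/^[ \t]+/, "", owner)
        split(owner, w, /[ \t]+/)
        name = tolower(w[1]); gsub(/[^a-z0-9]/, "", name)
        if (name == "") name = "key"
        # Assumption: suffix the key ID so two keys from one vendor do not collide.
        printf "sudo apt-key export %s | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/%s-%s.gpg\n", id, name, tolower(id)
        id = ""
    }
    '
}

# Constructed sample listing: one legacy key and one key already in trusted.gpg.d.
sample_listing() {
    cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2022-01-31 [SC] [expires: 2024-01-31]
      DF44 CF0E 1930 9195 C106  9AFE 6299 3C72 4218 647E
uid           [ unknown] Vivaldi Package Composer KEY08 <>
sub   rsa4096 2022-01-31 [E] [expires: 2024-01-31]

/etc/apt/trusted.gpg.d/example-archive.gpg
------------------------------------------
pub   rsa4096 2020-01-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ unknown] Example Archive Key <key@example.invalid>
EOF
}

# On a real system: sudo apt-key list 2>/dev/null | plan_exports
sample_listing | plan_exports
```

Review the printed commands before running any of them. Keys in /etc/apt/trusted.gpg.d remain trusted for every repository, as described earlier, so limiting a key to one repository still requires the signed-by option on that repository’s entry.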

How to solve the apt-key error the quick way

Depending on how many keys you have with errors, the above method can take some time. There’s a quicker way to do this. However, this method isn’t officially recommended and could cause problems. I would highly recommend you test this on a non-production machine or at least make a backup or take a snapshot of your virtual machine, if that’s how you deploy Linux, before trying this.

To fix the problem quickly, do the following:

  1. Open a terminal window.
  2. Change into the apt directory with cd /etc/apt.
  3. Copy the trusted.gpg file into the trusted.gpg.d directory with sudo cp trusted.gpg trusted.gpg.d.

One thing I’ve discovered is that the above method doesn’t work on every machine. For instance, if you’re running Jammy Jellyfish (Ubuntu 22.04), you won’t find trusted.gpg in /etc/apt, but you will find trusted.gpg.d. If that’s the case, you’ll have to do things the manual way.

Either way you go, this is an important fix to undertake because at some point apt-key will refuse to work. When that happens, you might find your Ubuntu Servers and Desktops unable to update or upgrade, and you certainly don’t want that. Upgrades are crucial to keeping your running instances of Linux secure, so get this warning fixed so you don’t have troubles down the road.
