Since upgrade to Ubuntu 22.04 keep seeing those warnings:
W: http://ppa.launchpad.net/yubico/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://updates.signal.org/desktop/apt/dists/xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://repo.skype.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/AtomEditor/atom/any/dists/any/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://apt.syncthing.net/dists/syncthing/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
I already cleared all of them in my Docker images, but somehow I didn’t fix my station.
What’s wrong with the old /etc/apt/trusted.gpg
keyring?
ALL keys put there are used to verify ALL the repositories. Why it’s a problem? Because potentially someone can put in one of repositories package signed by key not supposed to be used in this specific repo.
It’s hard to imagine a real world attack but on the other side, possibility to install package that is not verified by repo key is not nice.
So, how to do it?
First, location
We have to figure out where to put those keys and I saw already few options.
It’s not a good idea as this works exactly the same way as the old single db file - authorizes all the repos with keys there./etc/apt/trusted.gpg.d/
This path is ok for me, for the keys coming from official distribution, but not to add them manually there…/usr/share/keyrings/
/etc/apt/keyrings/
This is my preference as it’s left in/etc
close to the other repo files. It’s even already created on recent Ubuntu’s.
Second, file name
According to Debian1, those files should be named like something-archive-keyring.asc
or something-archive-keyring.ppg
(although I see them more often as something-archive-keyring.gpg
).
Why there’s a difference in the extension? It depends, if your key is armored[^amored] or not. Armored keys should use .asc
extension, binary should use .gpg
.
It’s easy to recognize, armored files are in ASCII format and they look like:
-----BEGIN PGP PUBLIC KEY BLOCK-----
... bla bla bla here
-----END PGP PUBLIC KEY BLOCK-----
Complete example
Without de-armoring:
sudo wget -O /etc/apt/keyrings/signal-desktop-archive-keyring.asc
echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/signal-desktop-archive-keyring.asc] https://updates.signal.org/desktop/apt xenial main' |\
sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
With de-armoring:
wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /etc/apt/keyrings/signal-desktop-archive-keyring.gpg > /dev/null
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-archive-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\
sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
Remember to verify it with:
sudo apt update
Let’s link 2.