Since upgrade to Ubuntu 22.04 keep seeing those warnings:

W: http://ppa.launchpad.net/yubico/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://updates.signal.org/desktop/apt/dists/xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://repo.skype.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/AtomEditor/atom/any/dists/any/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://apt.syncthing.net/dists/syncthing/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

I already cleared all of them in my Docker images, but somehow I didn’t fix my station.

What’s wrong with the old /etc/apt/trusted.gpg keyring?

ALL keys put there are used to verify ALL the repositories. Why it’s a problem? Because potentially someone can put in one of repositories package signed by key not supposed to be used in this specific repo.

It’s hard to imagine a real world attack but on the other side, possibility to install package that is not verified by repo key is not nice.

So, how to do it?

First, location

We have to figure out where to put those keys and I saw already few options.

  1. /etc/apt/trusted.gpg.d/ It’s not a good idea as this works exactly the same way as the old single db file - authorizes all the repos with keys there.
  2. /usr/share/keyrings/ This path is ok for me, for the keys coming from official distribution, but not to add them manually there…
  3. /etc/apt/keyrings/ This is my preference as it’s left in /etc close to the other repo files. It’s even already created on recent Ubuntu’s.

Second, file name

According to Debian1, those files should be named like something-archive-keyring.asc or something-archive-keyring.ppg (although I see them more often as something-archive-keyring.gpg).

Why there’s a difference in the extension? It depends, if your key is armored[^amored] or not. Armored keys should use .asc extension, binary should use .gpg.

It’s easy to recognize, armored files are in ASCII format and they look like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
... bla bla bla here
-----END PGP PUBLIC KEY BLOCK-----

Complete example

Without de-armoring:

sudo wget -O /etc/apt/keyrings/signal-desktop-archive-keyring.asc

echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/signal-desktop-archive-keyring.asc] https://updates.signal.org/desktop/apt xenial main' |\
sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

With de-armoring:

wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /etc/apt/keyrings/signal-desktop-archive-keyring.gpg > /dev/null

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-archive-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\
sudo tee -a /etc/apt/sources.list.d/signal-xenial.list

Remember to verify it with:

sudo apt update

Let’s link 2.

  1. https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_certificate_distributionexternal link  ↩︎

  2. http://www.askapache.com/htaccess/apache-authentication-in-htaccess.htmlexternal link  ↩︎