# apt-key deprecation and secure repository management

The `apt-key` utility for managing APT repository keys has been deprecated in Debian and Ubuntu systems, requiring users to adopt more secure methods for adding third-party repositories.
## Why apt-key was deprecated

The `apt-key` command was deprecated for critical security reasons. When you added a key using `apt-key add`, it was stored in the system-wide trusted keyring (`/etc/apt/trusted.gpg` or `/etc/apt/trusted.gpg.d/`), making that key trusted for all repositories on your system. This created a security vulnerability: the key of any third-party repository could sign packages for any repository, including packages that replace essential system packages.

The warning message you see:

```
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead
```

indicates that while the current method still works, it will be removed in future versions and should be replaced with more secure alternatives.
## Recommended solution: repository-specific keyring files

The secure approach involves storing repository keys separately and explicitly associating them with specific repositories using the `signed-by` option.
### Basic method using .list files

For most use cases, this method provides a good balance of security and simplicity:

```bash
# Create the keyrings directory if it doesn't exist
sudo mkdir -p /etc/apt/keyrings
# Download and prepare the key (convert ASCII armor to the binary format apt reads)
curl -fsSL https://example.com/EXAMPLE.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/example.gpg
# Add the repository with explicit key reference
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/apt stable main" | sudo tee /etc/apt/sources.list.d/example.list
# Update package lists
sudo apt update
```
### Advanced method using DEB822 format

For newer systems (Debian 9+/Ubuntu 16.04+), the DEB822 format offers better readability and functionality:

```bash
# Create the sources file with embedded key reference
echo "Types: deb
URIs: https://example.com/apt
Suites: stable
Components: main
Signed-By: /etc/apt/keyrings/example.gpg" | sudo tee /etc/apt/sources.list.d/example.sources > /dev/null
```

**TIP:** The `.sources` format (DEB822) is becoming the standard and offers better support for complex repository configurations with multiple components, architectures, and options.
## Practical examples

### Elasticsearch repository

Instead of the deprecated:

```bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
```

Use:

```bash
# Create key directory
sudo mkdir -p /etc/apt/keyrings
# Download and prepare Elasticsearch key
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /etc/apt/keyrings/elasticsearch.gpg
# Add repository
echo "deb [signed-by=/etc/apt/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/elasticsearch/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch.list
# Update
sudo apt update
```

### Kubernetes repository

```bash
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/kubernetes.gpg] http://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list > /dev/null
sudo apt update
```

### Yarn repository

```bash
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/yarn.gpg
echo "deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
```
### Key embedded in sources file (advanced)

For systems with apt 2.3.10+ (Debian 12/Ubuntu 22.04+), you can embed the key directly in the sources file:

```bash
echo "Types: deb
URIs: https://example.com/apt
Suites: stable
Components: main
Signed-By:
$(curl -fsSL https://example.com/EXAMPLE.gpg | sed -e 's/^$/./' -e 's/^/ /')" | sudo tee /etc/apt/sources.list.d/example.sources > /dev/null
```

**WARNING:** When embedding keys, ensure each line of the key block is indented with at least one space, and replace empty lines with a single indented dot (`.`).
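To make the mapping between the two syntaxes concrete, here is an added shell example written for this page (it is not apt's own code and was not part of the original article). `list_to_deb822` turns a one-line `.list` entry into the DEB822 stanza described above, translating the bracketed options (`signed-by`, `arch`, `trusted`, `lang`) into their field names, and `embed_key_stanza` additionally places an ASCII-armored key file inline under `Signed-By:` with the indentation rule from the warning. The function names are mine; the script assumes a POSIX shell with awk and sed.

```shell
#!/bin/sh
# Convert one-line APT sources (.list syntax) into DEB822 stanzas (.sources
# syntax). Added example for this page, not apt's code; it performs, for a
# single line, the same field mapping that `apt modernize-sources` automates.

list_to_deb822() {
    printf '%s\n' "$1" | awk '
    {
        type = $1
        i = 2
        opts = ""
        # optional "[key=value ...]" block: collect tokens up to the closing bracket
        if ($2 ~ /^\[/) {
            while (i <= NF) {
                opts = opts " " $i
                if ($i ~ /\]$/) { i++; break }
                i++
            }
            gsub(/\[|\]/, "", opts)
        }
        uri = $i
        suite = $(i + 1)
        comps = ""
        for (j = i + 2; j <= NF; j++) {
            if (comps == "") comps = $j
            else comps = comps " " $j
        }
        print "Types: " type
        print "URIs: " uri
        print "Suites: " suite
        if (comps != "") print "Components: " comps
        # map the one-line option names to their DEB822 field names
        n = split(opts, kv, " ")
        for (k = 1; k <= n; k++) {
            eq = index(kv[k], "=")
            name = substr(kv[k], 1, eq - 1)
            value = substr(kv[k], eq + 1)
            gsub(/,/, " ", value)        # DEB822 lists are space-separated
            if (name == "signed-by")      print "Signed-By: " value
            else if (name == "arch")      print "Architectures: " value
            else if (name == "trusted")   print "Trusted: " value
            else if (name == "lang")      print "Languages: " value
            else                          print "# unmapped option: " kv[k]
        }
    }'
}

# Same stanza, but with the ASCII-armored key file $2 placed inline under
# "Signed-By:": every line indented by one space, blank lines turned into " ."
# so the stanza is not split at the armor header's empty line.
embed_key_stanza() {
    list_to_deb822 "$1" | grep -v '^Signed-By: '
    printf 'Signed-By:\n'
    sed -e 's/^$/./' -e 's/^/ /' "$2"
}

# Stand-alone use: sh list2deb822.sh 'deb [...] URI suite comps' [armored-key-file]
if [ $# -ge 2 ]; then
    embed_key_stanza "$1" "$2"
elif [ $# -ge 1 ]; then
    list_to_deb822 "$1"
fi
```

Pipe the output into `sudo tee /etc/apt/sources.list.d/NAME.sources` once you have checked it; the conversion is deliberately one stanza per input line so that nothing is merged or reordered silently.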
## Handling existing apt-key entries

If you previously added keys with `apt-key`, you should migrate them:

1. List existing keys:

   ```bash
   sudo apt-key list
   ```

2. Remove the old key (using the email or ID from the list):

   ```bash
   sudo apt-key del support@example.com
   ```

3. Follow the appropriate method above to add the key securely.
## Troubleshooting common issues

### Permission problems

If you encounter permission errors, explicitly set the correct permissions. apt verifies signatures as the unprivileged `_apt` user, so a keyring it cannot read is ignored:

```bash
sudo chmod 644 /etc/apt/keyrings/example.gpg
sudo chmod 644 /etc/apt/sources.list.d/example.list
```

### Missing keyring directory

Some older systems might not have the `/etc/apt/keyrings` directory. Create it with proper permissions:

```bash
sudo mkdir -m 0755 -p /etc/apt/keyrings
```

### Repository-specific errors

If you're fixing a specific repository error (like one showing `NO_PUBKEY`), you can often retrieve the key directly from a keyserver. A keyserver returns whatever was uploaded under that ID, so request the key by its full fingerprint and compare the fingerprint of the exported file against the one the repository's vendor publishes before you point a `signed-by` entry at it:

```bash
# Get the key from keyserver
gpg --keyserver keyserver.ubuntu.com --recv-keys KEY_ID
# Export it straight into a repository-specific keyring
# (gpg --export already writes the binary OpenPGP format apt reads,
# so no --dearmor step is needed)
gpg --export KEY_ID | sudo tee /etc/apt/keyrings/repository.gpg > /dev/null
# Print the fingerprint of the stored key for comparison with the vendor's
gpg --show-keys /etc/apt/keyrings/repository.gpg
```
## Security best practices

- Always use repository-specific keyring files instead of adding keys to the global trusted keyring
- Verify the source of any GPG key before adding it to your system
- Prefer HTTPS URLs for both repositories and keys when available
- Regularly review your added repositories and remove unused ones
- Consider using the DEB822 format (.sources files) for better maintainability
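As an added example (written for this page; it is not an apt tool and was not part of the original article), the following script audits a sources directory for the mistakes the list above warns against: entries with no `signed-by` at all, entries whose `signed-by` points back into the global `trusted.gpg` keyring, and referenced keyring files that are missing or not world-readable. Function names and messages are mine; it assumes a POSIX shell with awk and find.

```shell
#!/bin/sh
# Audit APT source definitions (.list and .sources) for entries that still
# depend on the global trusted keyring. Added example for this page, not apt's
# own tooling. One finding per output line; nothing is printed for a clean tree.

# Check one keyring path referenced by signed-by / Signed-By.
# $1 = "file:line" for the report, $2 = keyring path
_check_keyring() {
    case "$2" in
        /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*)
            printf '%s: signed-by points at the global keyring %s, so the key is still trusted for every repository\n' "$1" "$2" ;;
    esac
    if [ ! -e "$2" ]; then
        printf '%s: keyring %s does not exist; signatures for this source cannot be verified\n' "$1" "$2"
    elif [ -z "$(find "$2" -prune -perm -004 2>/dev/null)" ]; then
        printf '%s: keyring %s is not world-readable; the unprivileged _apt user cannot use it (chmod 644)\n' "$1" "$2"
    fi
}

# The awk stages below emit "KEY <file:line> <path...>" for keyrings to verify
# and plain text for findings; this loop turns KEY lines into checks.
_dispatch() {
    while IFS= read -r l; do
        case "$l" in
            "KEY "*) set -- $l; loc="$2"; shift 2
                     for k in "$@"; do _check_keyring "$loc" "$k"; done ;;
            *)       printf '%s\n' "$l" ;;
        esac
    done
}

# One-line format: every deb/deb-src line must carry signed-by=...
_audit_list() {
    awk -v file="$1" '
    /^[[:space:]]*deb(-src)?[[:space:]]/ {
        if ($0 !~ /signed-by=/) {
            print file ":" NR ": no signed-by option; this source is accepted under every key in the global trusted keyring"
            next
        }
        s = $0
        sub(/.*signed-by=/, "", s)   # keep the text after signed-by=
        sub(/\].*/, "", s)           # cut at the closing bracket
        sub(/ .*/, "", s)            # or at the next option
        gsub(/,/, " ", s)            # comma-separated list -> words
        print "KEY " file ":" NR " " s
    }' "$1" | _dispatch
}

# DEB822 format: every stanza must carry Signed-By (a path or an inline key)
_audit_deb822() {
    awk -v file="$1" '
    function flush() {
        if (seen && !signed)
            print file ": stanza starting at line " first ": no Signed-By field; this source is accepted under every key in the global trusted keyring"
        else if (seen && signed && paths != "")
            print "KEY " file ":" sline " " paths
        seen = 0; signed = 0; paths = ""
    }
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { flush(); next }
    { if (!seen) first = NR; seen = 1 }
    /^Signed-By:/ { signed = 1; sline = NR; paths = $0; sub(/^Signed-By:[[:space:]]*/, "", paths) }
    END { flush() }
    ' "$1" | _dispatch
}

# Audit every .list and .sources file in a directory, e.g. /etc/apt/sources.list.d
audit_sources_dir() {
    for f in "$1"/*.list "$1"/*.sources; do
        [ -f "$f" ] || continue
        case "$f" in
            *.list)    _audit_list "$f" ;;
            *.sources) _audit_deb822 "$f" ;;
        esac
    done
    return 0
}

# CI-style gate: succeeds only when the directory produces no findings
apt_sources_clean() {
    [ "$(audit_sources_dir "$1" | awk 'END { print NR }')" -eq 0 ]
}

# Stand-alone use: sh audit-apt-sources.sh /etc/apt/sources.list.d
if [ $# -ge 1 ]; then audit_sources_dir "$1"; fi
```

An inline key (a `Signed-By:` field followed by indented armor lines) counts as scoped and produces no finding; a `Signed-By` naming several files checks each of them. Run it after every repository change, or from configuration management, so a regression to the global keyring is caught before `apt update` trusts it.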
## Migration tool

For systems with apt 2.9.24+, you can use the built-in migration tool:

```bash
sudo apt modernize-sources
```

This command attempts to automatically convert old-style `.list` files to the newer DEB822 format.
By adopting these secure practices, you maintain your system's security while still benefiting from third-party repositories. The new approach ensures that each repository's key only validates packages from that specific repository, significantly reducing the attack surface for package management on your system.