
I was installing elasticsearch following this guide, but elasticsearch is not really the part of this question.

In the first step, I need to add the key:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

and got the following message:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

The installation process was fine, but since it’s deprecated, I’m looking for the new usage that replaces apt-key. (I have no problem installing the package.) From man apt-key I saw

apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

Binary keyring files intended to be used with any apt version should
therefore always be created with gpg --export.

but it didn’t say the alternative to apt-key add. I tried

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --export

but didn’t work. So what do I use after the pipe of wget when apt-key is removed?

10 Answers


  1. !!Deprecated & insecure!!

    answer found here: https://suay.site/?p=526

    in short:

    retrieve the key and add the key:

    curl -s URL | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/NAME.gpg --import
    

    authorize the user _apt:

    sudo chown _apt /etc/apt/trusted.gpg.d/NAME.gpg
    
  2. Adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. This is exactly why apt-key had to be deprecated.

    Short version

    Do similar to what Signal does.
    If you want to use the key at https://example.com/EXAMPLE.gpg for a repository listed in /etc/apt/sources.list.d/EXAMPLE.list, use:

    sudo mkdir -p /etc/apt/keyrings/
    wget -O- https://example.com/EXAMPLE.gpg |
        gpg --dearmor |
        sudo tee /etc/apt/keyrings/EXAMPLE.gpg > /dev/null
    
    echo "deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" |
        sudo tee /etc/apt/sources.list.d/EXAMPLE.list
    
    # Optional (you can find the email address / ID using `apt-key list`)
    sudo apt-key del [email protected]
    

    Long version

    While the deprecation notice recommends adding the key to /etc/apt/trusted.gpg.d, this is an insecure solution. To quote this article from Linux Uprising:

    The reason for this change is that when adding an OpenPGP key that’s used to sign an APT repository to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT on all other repositories configured on the system that don’t have a signed-by (see below) option, even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository which has its signing key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. So this change was made for security reasons (your security).

    The proper solution is explained in that Linux Uprising article and on the Debian Wiki: Store the key in /etc/apt/keyrings/ (or /usr/share/keyrings/ if you’re the package maintainer), and then reference the key in the apt source list.

    Therefore, the appropriate method is as follows:

    1. Download the key from https://example.com/EXAMPLE.gpg and store it in /etc/apt/keyrings/EXAMPLE.gpg.
      The Debian wiki explains that you should dearmor the key (i.e. convert it from base64 to binary) for compatibility with older software. The > /dev/null simply stops the binary key from being displayed in your terminal.

      wget -O- https://example.com/EXAMPLE.gpg |
          gpg --dearmor |
          sudo tee /etc/apt/keyrings/EXAMPLE.gpg > /dev/null
      

      Optionally, you can verify that the file you downloaded is indeed a PGP key by running file /etc/apt/keyrings/EXAMPLE.gpg and inspecting the output.

    2. Add the key to the source file that is used by the repository.
      Find the appropriate file in /etc/apt/sources.list.d/ and edit it so that it links to the keyring you just added.
      If the file doesn’t exist, you can make one.
      In the end, it should look something like this:

      deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
      
    3. Remove the key from apt-key, if it was added before.
      Run sudo apt-key list to list all the keys, and find the one that was previously added.
      Using the key’s email address or fingerprint, run sudo apt-key del [email protected].

    Using the newer DEB822 format

    In step 2, instead of using the one-line format for sources in sources.list.d, you can also use the newer multi-line format called DEB822. This format is easier to read for humans and computers, and has been available in apt since 2015. Debian and Ubuntu plan to use DEB822 as the default format starting late 2023. Repolib’s documentation has a nice comparison and covers the motivation behind the new format. Note that some external tools that parse the source files themselves instead of wrapping around apt do not fully support this format yet.

    To switch to this format, let’s say you have the following one-line format source file /etc/apt/sources.list.d/example.list:

    deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
    

    Comment out this line, and create a new file, /etc/apt/sources.list.d/example.sources, containing:

    Types: deb
    URIs: https://example.com/apt
    Suites: stable
    Components: main
    Signed-By: /etc/apt/keyrings/EXAMPLE.gpg
    

    Run sudo apt update, and if you see example.com/apt correctly being updated, you can remove the old /etc/apt/sources.list.d/example.list.

    Additional resources

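The procedure in this answer (fetch the key, dearmor it into /etc/apt/keyrings, reference it with Signed-By, and prefer the deb822 form) as one runnable script, added here as an example rather than code from the answer above or from any project. It uses a ROOT prefix variable of my own so the whole flow can be exercised in a scratch directory, a constructed non-functional key block in place of a real download, a hypothetical repository at https://example.com/apt, and adds two checks the answer only hints at with `file`: the resulting keyring must start with an OpenPGP public-key packet, and the key's fingerprint should match the one the vendor publishes out of band.

```shell
#!/bin/sh
# Added example, not code from the answer above. Installs a repository signing
# key the post-apt-key way under a configurable ROOT prefix, so the whole flow
# can be exercised in a scratch directory. The key below is a CONSTRUCTED,
# non-functional armored block whose payload merely starts like an OpenPGP
# public-key packet; the fingerprint check expects the value the vendor
# publishes out of band (their docs, not the same URL the key came from).
set -eu

ROOT="${ROOT:-}"   # empty on a real system; a temp dir when experimenting

SAMPLE_KEY='-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed example, not a real key

mQAFBAECAwQF
=AAAA
-----END PGP PUBLIC KEY BLOCK-----'

# What `gpg --dearmor` does, minus CRC checking: keep the armored block, drop
# the armor header lines up to the blank separator, drop the "=CRC" line and
# the END line, then base64-decode the rest into binary OpenPGP packets.
dearmor() {
  sed -n '/^-----BEGIN PGP/,/^-----END PGP/p' \
    | sed -e '1,/^$/d' -e '/^-----END PGP/d' -e '/^=/d' \
    | base64 -d
}

# A binary keyring starts with a public-key packet: old-format tag 0x99 or
# new-format tag 0xc6. Anything else (an HTML error page, still-armored text)
# must not be installed.
is_binary_keyring() {
  first=$(od -An -N1 -tx1 "$1" | tr -d ' ')
  [ "$first" = "99" ] || [ "$first" = "c6" ]
}

# Primary-key fingerprint from `gpg --with-colons` output on stdin:
# the first "fpr" record carries it in field 10.
first_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Pin the key to the fingerprint the vendor documents. Needs gpg; reads the
# armored key on stdin. Run this before install_repo on a live system.
verify_fpr() {
  actual=$(gpg --show-keys --with-colons 2>/dev/null | first_fpr)
  [ "$actual" = "$1" ]
}

# Store the dearmored key in /etc/apt/keyrings and write a deb822 source that
# trusts it for this repository only (no trusted.gpg.d, no apt-key).
# Usage: install_repo NAME URI SUITE COMPONENTS  < armored-key
install_repo() {
  name=$1 uri=$2 suite=$3 comps=$4
  keyring_dir="$ROOT/etc/apt/keyrings"
  mkdir -p "$keyring_dir" "$ROOT/etc/apt/sources.list.d"
  dearmor > "$keyring_dir/$name.gpg"
  chmod 0644 "$keyring_dir/$name.gpg"   # world-readable so the _apt user can read it
  if ! is_binary_keyring "$keyring_dir/$name.gpg"; then
    rm -f "$keyring_dir/$name.gpg"
    echo "$name: downloaded data is not an OpenPGP key" >&2
    return 1
  fi
  # Signed-By is the path apt will read on the live system, so no ROOT prefix.
  cat > "$ROOT/etc/apt/sources.list.d/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $comps
Signed-By: /etc/apt/keyrings/$name.gpg
EOF
}

# Demo in a scratch root so nothing on the host changes.
demo() {
  ROOT=$(mktemp -d)
  printf '%s\n' "$SAMPLE_KEY" | install_repo example https://example.com/apt stable main
  cat "$ROOT/etc/apt/sources.list.d/example.sources"
  od -An -tx1 "$ROOT/etc/apt/keyrings/example.gpg"
  echo "files written under $ROOT"
}

demo
```

On a real system run it with ROOT unset, pipe the fetched key through `verify_fpr` first and then through `install_repo`, and leave the keyring root-owned with mode 0644: apt reads it as the unprivileged _apt user, so world-readable is all it needs. The dearmor function is there to show what `gpg --dearmor` does; on a host that has gpg, use gpg.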
  3. As mentioned in current accepted answer, adding a key to /etc/apt/trusted.gpg.d is insecure because it adds the key for all repositories. This is why apt-key is giving this warning.

    You can use a simpler solution like following:

    curl -fsSL https://example.com/EXAMPLE.gpg | sudo gpg --dearmor -o /usr/share/keyrings/EXAMPLE.gpg
    
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/EXAMPLE.gpg] \
      https://example.com/apt stable main" \
      | sudo tee -a /etc/apt/sources.list.d/EXAMPLE.list > /dev/null
    
    sudo apt update
    sudo apt install <package-name>
    
  4. I got this warning when trying to install nodejs and npm in Ubuntu 20.04

    To be more precise:

    Instead of this:

    curl -sSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - 
    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list 
    

    Use this:

    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarn.gpg >/dev/null 
    echo "deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list 
    

    So the full installation script looked like this:

    apt-get install -y nodejs 
    apt-get install -y npm gnupg2 
    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarn.gpg >/dev/null 
    echo "deb [signed-by=/usr/share/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list 
    
  5. MX Linux has a utility script called "MX Fix GPG keys" that takes care of this. Since it’s just a bash script it most likely works fine with any other Debian based distro.

    It’s here https://github.com/MX-Linux/checkaptgpg

  6. Experienced this error recently while trying to install Jenkins on my EC2 instance. However, I was able to resolve it by following the steps below:

    1. Add a repository key to your system by running:

    wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo gpg --dearmor -o /usr/share/keyrings/jenkins.gpg

    You may have to replace jenkins with the package/software you want to install.

    2. Attach the Debian package repo address to the server's sources.list by running:

    sudo sh -c 'echo deb [signed-by=/usr/share/keyrings/jenkins.gpg] http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'

    3. Run:

    apt update

    So apt will use the newly created repo.

    4. Go on to attempt/reattempt your installation.

    Hope this helps :).
    Source: https://www.digitalocean.com/community/tutorials/how-to-install-jenkins-on-ubuntu-22-04

  7. Another sample snippet, resolving the issue using updated deb822 format:

    { echo 'Types: deb'
      echo 'URIs: https://dl.k6.io/deb'
      echo 'Suites: stable'
      echo 'Components: main'
      echo 'Signed-By:'
      set -eo pipefail
      KEY=C5AD17C747E3415A3642D57D77C6C491D6AC1D69
      curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$KEY" \
        | sed -e 's/^$/./g;s/^/ /g'
    } | sudo tee /etc/apt/sources.list.d/k6.sources
    
    sudo apt-get update && sudo apt-get install k6
    

    In this case, I’m installing k6.io CLI on Ubuntu 22.04 LTS. Adapt as you see fit.

    Notice the .sources — not .list!

    The benefit of deb822 is that the package-signing pubkey gets put inline in the sources-file (and validates only this repo’s packages — which is more secure than trusting it with all other repos).
    Being inline in the file saves another | sudo tee hoop:

    Types: deb
    URIs: https://dl.k6.io/deb
    Suites: stable
    Components: main
    Signed-By:
     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: Hockeypuck 2.1.0-189-g15ebf24
     Comment: Hostname: 
     .
     xsFNBGBLRGQBEADCqEcl4YKYLAW8p/rEzBrDLi8fewyqPTLFWosWeu1a4fKzPcW8
     ggl/pjRcXxAxgCt1EhX9bjOrzavdnfnKLYuNkwR0vLWZtNEhAsOovsDzFF6n+WsN
     jtxL9nBZZ/7tgImxMUds8EXotx3R0Le5kbW0QWaWK8NDNayUChGF4ijM1dcacefA
     1ObrQvEKMybdFMxQM+oQjLeIe8TARaoATeLXh/LprNHqDWSAqE3KogChAMykp10i
    ...
    

    Had to whip up the above, because their official instructions got broken yet again.

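The two deb822 rules the sed expression above depends on (a continuation line of a multi-line value starts with one space, and the armor's blank line is written as a lone dot), as an added example that is not part of the answer: functions that build such a stanza and pull the key back out of it, so a generated .sources file can be checked before apt update. The key is a constructed, non-functional block and the repository URI is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the answer above: the two deb822 rules that the
# answer's sed expression encodes, as functions with a round trip to check them.
# A multi-line field value continues on lines that start with one space, and an
# empty line inside the value (the armor's blank separator) is written as a
# line holding just a dot. The key is a CONSTRUCTED, non-functional block.
set -eu

SAMPLE_KEY='-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: constructed example, not a real key

mQAFBAECAwQF
=AAAA
-----END PGP PUBLIC KEY BLOCK-----'

# Emit a .sources stanza with the armored key (stdin) inlined in Signed-By.
# Usage: inline_stanza URI SUITE COMPONENTS < key.asc
inline_stanza() {
  printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By:\n' "$1" "$2" "$3"
  sed -e 's/^$/./' -e 's/^/ /'
}

# Inverse: pull the armored key back out of a stanza (stdin), e.g. to feed it
# to `gpg --show-keys` for a fingerprint check or to see what apt will use.
# Stops at the first line that is not a continuation line.
extract_inline_key() {
  sed -n '/^Signed-By:/,$p' | sed -e '1d' -e '/^ /!q' -e 's/^ //' -e 's/^\.$//'
}

# Sanity check on a stanza (stdin): the recovered key must begin and end with
# armor lines. A stray empty line inside the value ends the field early, so the
# END line would then be missing and the check fails.
check_inline_stanza() {
  key=$(extract_inline_key)
  case $key in
    "-----BEGIN PGP PUBLIC KEY BLOCK-----"*"-----END PGP PUBLIC KEY BLOCK-----") ;;
    *) echo "Signed-By does not hold a complete armored key" >&2; return 1 ;;
  esac
}

# Demo: build the stanza for a hypothetical repository and check the round trip.
stanza=$(printf '%s\n' "$SAMPLE_KEY" | inline_stanza https://example.com/apt stable main)
printf '%s\n' "$stanza"
printf '%s\n' "$stanza" | check_inline_stanza
```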
  8. Fast way to fix this for Linux users with a UI:

    1. Search for the PPA and do sudo add-apt-repository ppa:[MY_PPA] (the new PPA with keyring is added automatically and up to date)

    2. sudo apt update

    3. Navigate to "Software Sources -> PPA" and delete the old PPA (make sure the new one(s) has/have been added correctly with keyring)


  9. From man apt-key (Ubuntu 22.04)

    If your existing use of apt-key add looks like this:

    wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -

    Then you can directly replace this with (though note the
    recommendation below):

    wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc

  10. This also happens with a poor connection, or simply when no connection is possible through the port used for the download, specifically port 80.

    sudo ufw allow 80/tcp

    then retry; this can help for some.
