how to export keys; trusted.gpg DEPRECIATION

If you are getting a “Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details” message, this post is for you. Export existing keys to keep using them.

If you happen to have a few external software repositories in your Ubuntu or Debian Linux setup (and: who doesn’t, these days), you will likely come across a bit of a disturbing message, once you have upgraded your Ubuntu or Debian Linux to 22.04. A “legacy trusted.gpg keyring” doesn’t sound like it’s trustworthy, or does it?

The reason is simple: trusted.gpg is, in fact, too trustworthy to be trusted: a single key in trusted.gpg can override any package list signature – not just the one you want use it for.

Now in order to be able to keep using my list of signatures, it was necessary to export the individual keys to individual signature files. Here is what I did.

First, let’s see which keys we have. Please note that I made some of the output bold to emphasize the parts that we will use later on.

$ apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub   rsa2048 2016-09-25 [SC] [expired: 2021-04-18]
      1B07 204C D71B 690D 409F  57D2 4ABE 1AC7 557B EFF9
uid           [ expired] isv:ownCloud OBS Project <>

pub   rsa2048 2015-10-28 [SC]
      BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
uid           [ unknown] Microsoft (Release signing) <>

pub   rsa4096 2017-04-05 [SC]
      DBA3 6B51 81D0 C816 F630  E889 D980 A174 57F6 FB06
uid           [ unknown] Open Whisper Systems <>
sub   rsa4096 2017-04-05 [E]

pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <>

pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <>

Let’s first remove the expired Owncloud key, just for a starter. That’s rather easy. Please note that the last 8 characters serve as the ID for the key:

$ sudo apt-key del 557BEFF9
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Now let’s export the key for Microsoft; its ID ends with BE12 29CF, so we’ll use:

$ apt-key export BE1229CF|sudo gpg --dearmour -o /etc/apt/keyrings/microsoft.gpg

I’ll change my /etc/apt/sources.list.d/teams.list file accordingly:

deb [arch=amd64 signed-by=/etc/apt/keyrings/microsoft.gpg] stable main

And finally, we will remove the original signature from trusted.gpg:

$ sudo apt-key del BE1229CF

That’s about it. Try “apt-get update” to see if the exported key is actually accepted.

Leave a Reply

Your email address will not be published. Required fields are marked *