{"id":936,"date":"2022-03-12T14:55:42","date_gmt":"2022-03-12T12:55:42","guid":{"rendered":"https:\/\/valentijn.sessink.nl\/?p=936"},"modified":"2022-03-31T18:16:50","modified_gmt":"2022-03-31T16:16:50","slug":"how-to-fix-trusted-gpg-depreciation","status":"publish","type":"post","link":"https:\/\/valentijn.sessink.nl\/?p=936","title":{"rendered":"how to export keys; trusted.gpg DEPRECIATION"},"content":{"rendered":"\n

If you are getting a “Key is stored in legacy trusted.gpg keyring (\/etc\/apt\/trusted.gpg), see the DEPRECATION section in apt-key(8) for details<\/em>” message, this post is for you. Export existing keys to keep using them.<\/p>\n\n\n\n\n\n\n\n

If you happen to have a few external software repositories in your Ubuntu or Debian Linux setup (and: who doesn’t, these days), you will likely come across a bit of a disturbing message, once you have upgraded your Ubuntu or Debian Linux to 22.04. A “legacy trusted.gpg keyring” doesn’t sound like it’s trustworthy, or does it?<\/p>\n\n\n\n

The reason is simple: trusted.gpg is, in fact, too trustworthy to be trusted: a single key in trusted.gpg can override any package list signature – not just the one you want use it for.<\/p>\n\n\n\n

Now in order to be able to keep using my list of signatures, it was necessary to export the individual keys to individual signature files. Here is what I did.<\/p>\n\n\n\n

First, let’s see which keys we have. Please note that I made some of the output bold<\/strong> to emphasize the parts that we will use later on.<\/p>\n\n\n\n

$ apt-key list\nWarning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).\n\/etc\/apt\/trusted.gpg\n--------------------\npub   rsa2048 2016-09-25 [SC] [expired: 2021-04-18]\n      1B07 204C D71B 690D 409F  57D2 4ABE 1AC7 557B EFF9<\/strong>\nuid           [ expired<\/strong>] isv:ownCloud<\/strong> OBS Project <isv:ownCloud@build.opensuse.org>\n\npub   rsa2048 2015-10-28 [SC]\n      BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF<\/strong>\nuid           [ unknown] Microsoft<\/strong> (Release signing) <gpgsecurity@microsoft.com>\n\npub   rsa4096 2017-04-05 [SC]\n      DBA3 6B51 81D0 C816 F630  E889 D980 A174 57F6 FB06\nuid           [ unknown] Open Whisper Systems <support@whispersystems.org>\nsub   rsa4096 2017-04-05 [E]\n\n\/etc\/apt\/trusted.gpg.d\/ubuntu-keyring-2012-cdimage.gpg\n------------------------------------------------------\npub   rsa4096 2012-05-11 [SC]\n      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092\nuid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>\n\n\/etc\/apt\/trusted.gpg.d\/ubuntu-keyring-2018-archive.gpg\n------------------------------------------------------\npub   rsa4096 2018-09-17 [SC]\n      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C\nuid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com><\/pre>\n\n\n\n
Let’s first remove the expired Owncloud<\/em> key, just for a starter. That’s rather easy. Please note that the last 8 characters serve as the ID for the key:<\/p>\n\n\n\n
$ sudo apt-key del 557BEFF9\nWarning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).\nOK<\/pre>\n\n\n\n
Now let’s export the key for Microsoft; its ID ends with BE12 29CF<\/em>, so we’ll use:<\/p>\n\n\n\n
$ apt-key export BE1229CF|sudo gpg --dearmour -o \/etc\/apt\/keyrings\/microsoft.gpg<\/pre>\n\n\n\n
I’ll change my \/etc\/apt\/sources.list.d\/teams.list file accordingly:<\/p>\n\n\n\n
deb [arch=amd64 signed-by=\/etc\/apt\/keyrings\/microsoft.gpg] https:\/\/packages.microsoft.com\/repos\/ms-teams stable main<\/pre>\n\n\n\n
And finally, we will remove the original signature from trusted.gpg:<\/p>\n\n\n\n
$ sudo apt-key del BE1229CF<\/pre>\n\n\n\n
That’s about it. Try “apt-get update” to see if the exported key is actually accepted.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you are getting a “Key is stored in legacy trusted.gpg keyring (\/etc\/apt\/trusted.gpg), see the DEPRECATION section in apt-key(8) for details” message, this post is for you. Export existing keys to keep using them.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[172,169,171,9,7],"class_list":["post-936","post","type-post","status-publish","format-standard","hentry","category-happy-hacking","tag-apt-key-is-depricated","tag-debian","tag-legacy-trusted-gpg-keyring","tag-linux","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts\/936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=936"}],"version-history":[{"count":17,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts\/936\/revisions"}],"predecessor-version":[{"id":984,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts\/936\/revisions\/984"}],"wp:attachment":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}