I have quite a few scripts that still use the apt-key adv command. I know this command is deprecated and will soon become unusable.
Correct me if I'm wrong, but Debian 11 is the last Debian version supporting apt-key.

I also know we need to migrate to fetching the .asc file directly and putting it into the /etc/apt/trusted.gpg.d/ folder.

How do I convert from the command below to a wget of this .asc file? Where can I find the .asc files I need? Are those .asc files even provided by Linux Mint / X2Go or other repos?

The commands I use for downloading keys at the moment are:

First example: apt-key adv --recv-keys --keyserver keyserver.ubuntu.com A6616109451BBBF2
Second example: apt-key adv --recv-keys --keyserver keyserver.ubuntu.com E1F958385BFE2B6E

How do I retrieve the .asc (or .gpg) files from those repos?

  • Unrelated to my question, but I still want to mention the following. There are key mirror servers; instead of keyserver.ubuntu.com you could also try keys.openpgp.org. Commented Dec 20, 2021 at 0:09


I also know we need to migrate to fetching the .asc file directly and put the file into the /etc/apt/trusted.gpg.d/ folder.

Place keyrings in /usr/share/keyrings/, NOT /etc/apt/trusted.gpg.d/.

While the apt-key warning message says to place keys in trusted.gpg.d, Debian's "Instructions to connect to a third-party repository" (from which I will quote extensively) explicitly say not to do this:

The keyrings must be stored in "...a location only writable by root, which SHOULD be /usr/share/keyrings/. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add."

Keyrings must be in binary .gpg format instead of ascii-armored .asc format.

"The reason why we avoid ASCII-armored files is that they can only be used by SecureApt in version 1.4 or later (which appeared in stretch)."

Each 3rd party repo needs its sources file in /etc/apt/sources.list.d/ which should include the signed-by option.

"Entries MUST be added in the /etc/apt/sources.list.d directory using a shortened repository name (e.g. deriv.list). The "Deb822" file format MAY be used instead to improve clarity for complex entries (e.g. deriv.sources). (See sources.list(5)) "

Each 3rd party repo should also have a preferences file in /etc/apt/preferences.d/.

"When a repository is added to the sources.list.d, a matching preferences file SHOULD be created to restrict the possible effects of the repository."

Where can I find the .asc files I need?

The most convenient way, assuming you already know the key ID or fingerprint, is to use GnuPG to retrieve them from a keyserver. In the case of the current Linux Mint and X2go repo signing keys:

gpg --keyserver keyserver.ubuntu.com --recv-keys 302F0738F465C1535761F965A6616109451BBBF2 972FD88FA0BAFB578D0476DFE1F958385BFE2B6E

From there you can export them to the correct binary .gpg file in /usr/share/keyrings (though I would first check to see if the keyrings are already there). Redirect tee's stdout to /dev/null, otherwise the binary keyring is also echoed to your terminal:

gpg --export 302F0738F465C1535761F965A6616109451BBBF2 | sudo tee /usr/share/keyrings/linuxmint-archive-keyring.gpg > /dev/null
gpg --export 972FD88FA0BAFB578D0476DFE1F958385BFE2B6E | sudo tee /usr/share/keyrings/x2go-archive-keyring.gpg > /dev/null

Are those .asc files even provided by Linux Mint / X2Go or other repos?

They are usually provided as a .deb package to allow automatic updating to new signing keys when they are issued. You'll have to search through the package tree to find the exact location, which in the case of Linux Mint is http://packages.linuxmint.com/pool/main/l/linuxmint-keyring/linuxmint-keyring_2016.05.26_all.deb.

  • Thank you so much! I didn't know that I had made so many wrong assumptions and read wrong information in blog posts, with just a single question. I think you nailed my question, I mark your answer as accepted! Furthermore, I just noticed I'm missing a lot of pref files in /etc/apt/preferences.d/ oopsy :). Moreover, I really hope this answer will help a lot of users in the near future. I suspect some more discussions once apt-key officially gets removed. I know people only start noticing the issue if it's too late (=when apt-key is actually removed). Commented Dec 19, 2021 at 23:58
  • I have a follow-up question. I try to use this command within a Dockerfile (based on a Debian image). But the output pipes into the console: Step 13/40 : RUN gpg --export 302F0738F465C1535761F965A6616109451BBBF2 | tee /usr/share/keyrings/linuxmint-archive-keyring.gpg ---> Running in 2504650c3b40 "����̩u Commented Dec 20, 2021 at 0:35
  • To answer my own follow-up question above. For now I just pipe the output to /dev/null. I think that is fine: ` > /dev/null`. Commented Dec 20, 2021 at 0:37
  • I have a second follow-up. But I now get during the apt install commands: W: GPG error: http://packages.x2go.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E1F958385BFE2B6E E: The repository 'http://packages.x2go.org/debian bullseye InRelease' is not signed. W: GPG error: http://packages.linuxmint.com debbie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A6616109451BBBF2 E: The repository 'http://packages.linuxmint.com debbie Release' is not signed. Commented Dec 20, 2021 at 0:39
  • 1
    @MelroyvandenBerg for the public key is not available errors, is there a /etc/apt/sources.list.d/x2go.list file with the line deb [signed-by=/usr/share/keyrings/x2go-archive-keyring.gpg] http://packages.x2go.org/debian bullseye InRelease or deb822 format equivalent? Commented Dec 20, 2021 at 21:44
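The accepted answer's four steps (fetch the key by full fingerprint, export it as a binary keyring under /usr/share/keyrings, add a signed-by sources entry, pin the repo in preferences.d) as one POSIX shell script. This is an added example, not code from the answer or from Debian; it assumes gpg is installed, and APT_ROOT is a hypothetical prefix (empty for a real system) so the file writers can be exercised in a scratch directory. The pin pattern and priority are placeholders to tune per repo.

```shell
#!/bin/sh
# Added example: migrate an "apt-key adv --recv-keys" call to a per-repo
# keyring plus signed-by sources entry and a preferences pin.
set -eu
APT_ROOT="${APT_ROOT:-}"   # hypothetical prefix; leave empty on a real host

# Fetch one key by full fingerprint into a throwaway GNUPGHOME and export
# it in binary .gpg form. stdout goes straight to the file, so the binary
# blob never lands in the terminal (the Dockerfile follow-up above).
fetch_keyring() {  # name fingerprint [keyserver]
    name=$1; fpr=$2; ks=${3:-keyserver.ubuntu.com}
    out="$APT_ROOT/usr/share/keyrings/$name-archive-keyring.gpg"
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --batch --keyserver "$ks" --recv-keys "$fpr"
    mkdir -p "$(dirname "$out")"
    gpg --homedir "$tmp" --batch --export "$fpr" > "$out"   # or: | sudo tee "$out" >/dev/null
    rm -rf "$tmp"
    # Refuse a keyring that does not carry exactly the fingerprint requested.
    gpg --batch --show-keys --with-colons "$out" | grep -q "^fpr:.*:$fpr:$"
    echo "$out"
}

# Sources entry: signed-by ties this repository to its own keyring only,
# so a key for one third-party repo cannot sign packages for another.
write_sources() {  # name url suite components keyring_path
    f="$APT_ROOT/etc/apt/sources.list.d/$1.list"
    mkdir -p "$(dirname "$f")"
    printf 'deb [signed-by=%s] %s %s %s\n' "$5" "$2" "$3" "$4" > "$f"
    echo "$f"
}

# Preferences file: restrict what the repository may override. A low
# origin-wide priority means its packages are only installed when asked
# for explicitly; raise it for specific package names as needed.
write_preferences() {  # name origin_host priority
    f="$APT_ROOT/etc/apt/preferences.d/$1"
    mkdir -p "$(dirname "$f")"
    printf 'Package: *\nPin: origin %s\nPin-Priority: %s\n' "$2" "$3" > "$f"
    echo "$f"
}

migrate_repo() {  # name fingerprint url suite components origin_host
    fetch_keyring "$1" "$2" >/dev/null
    write_sources "$1" "$3" "$4" "$5" "/usr/share/keyrings/$1-archive-keyring.gpg"
    write_preferences "$1" "$6" 100
}
# Usage (as root): migrate_repo x2go 972FD88FA0BAFB578D0476DFE1F958385BFE2B6E \
#     http://packages.x2go.org/debian bullseye main packages.x2go.org
```

After running it, apt update should no longer report NO_PUBKEY for that repo, and apt-cache policy shows the pin taking effect.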

The apt-key-less equivalent to your apt-key adv command is (the redirect keeps the binary keyring out of your terminal):

gpg --recv-keys --keyserver keyserver.ubuntu.com A6616109451BBBF2
gpg --export A6616109451BBBF2 | sudo tee /etc/apt/trusted.gpg.d/somenicename.gpg > /dev/null

This assumes that gpg is installed.

There’s no general rule regarding the availability of keyring files; if you have a download URL, you can use

sudo /usr/lib/apt/apt-helper download-file https://example.org/path/to/repokeyring.asc /etc/apt/trusted.gpg.d/repokeyring.asc

See Julian Klode’s Migrating away from apt-key post for details, and the section in the Debian 11 release notes on obsolete components:

bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension.
