How to add an OpenPGP repository key, now that apt-key is deprecated

4 weeks ago 7
ARTICLE AD BOX

Jack Wallen shows you how to add GPG repository keys, now that apt-key has been deprecated.

linux penguin

Image: Jack Wallen

For years, I've added repository keys to Ubuntu-based Linux distributions with the apt-key command. But recently, that command was deprecated. If you attempt to add a key with apt-key, such as with the command: 

wget -qO - http://deb.opera.com/archive.key | sudo apt-key add -

Now, you'll see the following warning: "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead." What do you do? 

To install certain applications from non-standard repositories, those keys must be added. How do you add them? Unfortunately, it's not quite as easy as it once was. You'll still be issuing a command that pipes the downloaded file into another command, with the help of sudo. 

SEE: A guide to The Open Source Index and GitHub projects checklist (TechRepublic Premium)

The confusing part is that you'll no longer use apt, in any way, to add the key. You'll be adding the key to your keyring. Let's stick with our Opera example, although installing Opera via their .deb package automatically installs and configures their repository for you. 

The new way to install the GPG key pipes the output of wget through the tee command like: 

so wget -O- http://deb.opera.com/archive.key | sudo tee /usr/share/keyrings/opera-archive-keyring.gpg

The one caveat is if the key is encrypted, you'll need to first pipe the output through gpg and then through tee

That command would look something like: 

wget -O- http://deb.opera.com/archive.key | gpg --dearmor | sudo tee /usr/share/keyrings/opera-archive-keyring.gpg 

Running the command without the gpg portion will save a text file with the GPG key, whereas running the command with the gpg portion saves a binary file. 

To make sure Apt can use the key, you need to configure the repository to know where it is. A repository configuration for our Opera example would look something like: 

deb [signed-by=/usr/share/keyrings/opera-archive-keyring.gpg]

It's not nearly as simple as it once was, but it's more secure, and that has become crucial in this day of constant attacks and vulnerabilities.

Subscribe to TechRepublic's How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Open Source Weekly Newsletter

You don't want to miss our tips, tutorials, and commentary on the Linux OS and open source applications. Delivered Tuesdays

Sign up today

Also see

Read Entire Article