One of the more apparent things to come out of moving from Arch Linux back over to Debian is that I’m rarely running into any issues. Because I’m not running into any gotchas, it’s been harder to come up with content for my blog, as my time on Arch was a constant source of topics.
That being said, Debian’s no saint, so I do run into things from time to time.
Fortunately, they tend to be very minor, and rarely result in my system being
put into a truly bad state.
Don’t get me wrong though, I did accidentally remove GNOME from a system while trying to get Steam added. Served me right for not thoroughly reading the message that apt was telling me!
All right, so this particular issue has been happening since my return to Debian last year. Whenever I run apt update, some of my apt sources throw a warning about the key being stored in the legacy trusted.gpg keyring.
While this was just a warning, and I’m fairly confident that the issue would end up fixing itself naturally at some point, I did want to see if I could figure out how to clear up that error and clean up the messages logged from apt as best as I could.
The error message looks something like the following:
% sudo apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:7 http://repository.spotify.com stable InRelease
Ign:8 http://linux.dropbox.com/debian sid InRelease
Get:9 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing InRelease [1,598 B]
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:6 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 1,598 B in 3s (624 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
At least for me, the issue is with the apt sources for Dropbox and Slack.
Fortunately, the steps to resolve this can be applied to whichever sources
you’re having trouble with. You’ll simply need to swap in the values for those
particular keys.
Checking the legacy keyring
Luckily, there’s an easy way to see the keys you have in the keyring, as well as which files they reside in. Anything still found in /etc/apt/trusted.gpg is going to generate the deprecation message. The new format is to store the keys in individual files in /etc/apt/trusted.gpg.d/.
To get a list of the keys, and which files they are located in, you can run apt-key list. The following output has been cleaned up a bit for the sake of this post’s length, but I think you’ll get the idea:
% sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
F9A2 1197 6ED6 62F0 0E59 361E 5E3C 45D7 B312 C643
uid [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>
pub rsa2048 2010-02-11 [SC]
1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E
uid [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>
pub rsa4096 2016-02-18 [SCEA]
DB08 5A08 CA13 B8AC B917 E0F6 D938 EC0D 0386 51BD
uid [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io>
sub rsa4096 2016-02-18 [SEA]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
------------------------------------------------------------
...
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
...
/etc/apt/trusted.gpg.d/google-chrome.gpg
----------------------------------------
...
/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
E274 09F5 1D1B 6633 7F2D 2F41 7A3A 762F AFD4 A51F
uid [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>
Consequently, Spotify has a key listed in the old and new format. My guess is that this was part of some transition efforts on their part. Good for them, as their apt source hasn’t given me any grief.
Moving to the new keyring
With the keys listed out, you can use the last 8 characters of the key’s ID to export the key and import it back into gpg properly in the new format.
Firstly, if you’d like to see what we’re about to export into a file, you can run a command like this (the key ID here is for the Dropbox key):
% sudo apt-key export 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Piping the export to gpg goes something like this:
% sudo apt-key export 5044912E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/dropbox.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Then, I had to do this for both the Dropbox and Slack key IDs. Repeat as necessary with as many offending apt sources as you have.
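The same steps driven from the listing rather than hand-copied IDs, as an added example that is not part of the original post: it parses apt-key list output, picks out the keys still in /etc/apt/trusted.gpg by full 40-character fingerprint (an 8-character ID can match more than one key), and prints one export command per key for review. The function names and the legacy-<fingerprint>.gpg file names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find keys still in the legacy /etc/apt/trusted.gpg keyring
# by FULL fingerprint and print (not run) one export command per key.

# Sample input: trimmed copy of the `apt-key list` output shown in this post.
sample_apt_key_list() {
    cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
F9A2 1197 6ED6 62F0 0E59 361E 5E3C 45D7 B312 C643
uid [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>
pub rsa2048 2010-02-11 [SC]
1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E
uid [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>
pub rsa4096 2016-02-18 [SCEA]
DB08 5A08 CA13 B8AC B917 E0F6 D938 EC0D 0386 51BD
uid [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io>
sub rsa4096 2016-02-18 [SEA]
/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
E274 09F5 1D1B 6633 7F2D 2F41 7A3A 762F AFD4 A51F
uid [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>
EOF
}

# stdin: `apt-key list` output. stdout: "<40-hex fingerprint> <uid>" for each
# key whose section header is exactly /etc/apt/trusted.gpg.
legacy_keys() {
    awk '
        /^\/etc\/apt\// { legacy = ($1 == "/etc/apt/trusted.gpg"); fpr = ""; next }
        !legacy         { next }
        /^pub /         { want = 1; next }   # fingerprint is on the next line
        want            { fpr = $0; gsub(/[^0-9A-Fa-f]/, "", fpr); want = 0; next }
        /^uid / && length(fpr) == 40 {
            uid = substr($0, index($0, "]") + 1); sub(/^ +/, "", uid)
            print fpr, uid; fpr = ""         # first uid only
        }
    '
}

# stdin: legacy_keys output. stdout: one export pipeline per key.
export_commands() {
    while read -r fpr uid; do
        printf 'sudo apt-key export %s | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/legacy-%s.gpg  # %s\n' \
            "$fpr" "$fpr" "$uid"
    done
}

# Real system: sudo apt-key list 2>/dev/null | legacy_keys | export_commands
sample_apt_key_list | legacy_keys | export_commands
```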
Next, you can run apt update and the output shouldn’t mention anything about the warning:
% sudo apt update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:6 http://repository.spotify.com stable InRelease
Get:8 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing InRelease [1,598 B]
Ign:9 http://linux.dropbox.com/debian sid InRelease
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:7 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 49.6 kB in 2s (24.3 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
Lastly, we’re at the point when you can run an apt upgrade if you’d like, assuming you have any packages waiting for you to upgrade.