Key is stored in legacy trusted.gpg keyring

One of the more apparent things to come out of moving from Arch Linux back over to Debian is that I’m rarely running into any issues. Because I’m not running into any gotchas, it’s been harder to come up with content for my blog, as my time on Arch was a constant source of topics.

That being said, Debian’s no saint, so I do run into things from time to time.
Fortunately, they tend to be very minor, and rarely result in my system being
put into a truly bad state.

Don’t get me wrong though, I did accidentally remove GNOME from a system while trying to get Steam added. Served me right for not thoroughly reading the message that apt was telling me!

All right, so this particular issue has been happening since my return to Debian
last year. Whenever I run apt update, some of my apt sources throw a
warning about the key being stored in the legacy trusted.gpg keyring.

While this was just a warning, and I’m fairly confident that the issue would end
up fixing itself naturally at some point, I did want to see if I could figure
out how to clear up that error and clean up the messages logged from apt as
best as I could.

The error message looks something like the following:

% sudo apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:7 http://repository.spotify.com stable InRelease
Ign:8 http://linux.dropbox.com/debian sid InRelease
Get:9 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing  InRelease [1,598 B]
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:6 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 1,598 B in 3s (624 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

At least for me, the issue is with the apt sources for Dropbox and Slack.
Fortunately, the steps to resolve this can be applied to whichever sources
you’re having trouble with. You’ll simply need to swap in the values for those
particular keys.

Checking the legacy keyring

Luckily, there’s an easy way to see the keys you have in the keyring, as well as which files they reside in. Anything still found in /etc/apt/trusted.gpg is going to generate the deprecation message. The new format is to store the keys in individual files in /etc/apt/trusted.gpg.d/.

To get a list of the keys, and which files they are located in, you can run
apt-key list. The following output has been cleaned up a bit for the sake of this post’s length, but I think you’ll get the idea:

% sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
      F9A2 1197 6ED6 62F0 0E59  361E 5E3C 45D7 B312 C643
uid           [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>

pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>

pub   rsa4096 2016-02-18 [SCEA]
      DB08 5A08 CA13 B8AC B917  E0F6 D938 EC0D 0386 51BD
uid           [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) <support@packagecloud.io>
sub   rsa4096 2016-02-18 [SEA]

/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
------------------------------------------------------------
...

/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
...

/etc/apt/trusted.gpg.d/google-chrome.gpg
----------------------------------------
...

/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub   rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
      E274 09F5 1D1B 6633 7F2D  2F41 7A3A 762F AFD4 A51F
uid           [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>

Notably, Spotify has a key listed in both the old and the new format. My
guess is that this was part of some transition efforts on their part. Good for
them, as their apt source hasn’t given me any grief.

Moving to the new keyring

With the keys listed out, you can use the last 8 characters of the key’s
fingerprint (its short key ID) to export the key and run it through gpg to
store it properly in the new format.

Firstly, if you’d like to see what we’re about to export into a file, you can run a
command like this (the key ID here is for the Dropbox key):

% sudo apt-key export 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

Piping the export to gpg goes something like this:

% sudo apt-key export 5044912E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/dropbox.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Then, I had to do this for both the Dropbox and Slack key IDs. Repeat as necessary with as many offending apt sources as you have.

Next, you can run apt update and the output shouldn’t mention anything about the warning:

% sudo apt update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:6 http://repository.spotify.com stable InRelease
Get:8 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing  InRelease [1,598 B]
Ign:9 http://linux.dropbox.com/debian sid InRelease
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:7 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 49.6 kB in 2s (24.3 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.

Lastly, we’re at the point when you can run an apt upgrade if you’d like, assuming you have any packages waiting for you to upgrade.
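
To repeat the export step for every key still in the legacy keyring, the apt-key list output can be parsed instead of copying IDs by hand. The script below is an added example, not part of the original post; it goes a step further than the steps above by selecting each key by its full fingerprint rather than the last 8 characters, and the legacy-<id>.gpg file names are an assumed convention.

```sh
#!/bin/sh
# legacy_keys (added example): read `apt-key list` output on stdin and print
# "<40-hex fingerprint> <first uid>" for every key in the section headed
# /etc/apt/trusted.gpg; the /etc/apt/trusted.gpg.d/*.gpg sections are skipped.
legacy_keys() {
  awk '
    /^\/etc\/apt\// { legacy = ($0 == "/etc/apt/trusted.gpg"); fpr = ""; next }
    !legacy         { next }
    /^pub /         { want = 1; fpr = ""; next }
    want && /^ +[0-9A-F ]+$/ {
      want = 0; fpr = $0; gsub(/ /, "", fpr)
      if (length(fpr) != 40) fpr = ""   # not a full fingerprint: ignore
      next
    }
    /^uid / && fpr != "" {
      sub(/^uid +\[[a-z ]*\] */, ""); print fpr, $0; fpr = ""
    }'
}

# migration_commands: print (not run) one export pipeline per legacy key.
# The file name legacy-<last 16 hex digits>.gpg is a hypothetical convention.
migration_commands() {
  legacy_keys | while read -r fpr uid; do
    tail16=$(printf '%s' "$fpr" | cut -c25-40)
    printf '# %s\n' "$uid"
    printf 'sudo apt-key export %s | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/legacy-%s.gpg\n' \
      "$fpr" "$tail16"
  done
}

# Constructed sample: two entries trimmed from the listing in this post.
sample_listing() {
  cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>

/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub   rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
      E274 09F5 1D1B 6633 7F2D  2F41 7A3A 762F AFD4 A51F
uid           [ unknown] Spotify Public Repository Signing Key <tux@spotify.com>
EOF
}

sample_listing | migration_commands
```

On a real system, feed it with `sudo apt-key list 2>/dev/null | migration_commands` and review the printed commands before running them. Keys in /etc/apt/trusted.gpg.d/ are still trusted for every configured source; the DEPRECATION section of apt-key(8) also describes tying a key file to a single source with the Signed-By option.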

Josh Sherman - The Man, The Myth, The Avatar

About Josh

Husband. Father. Pug dad. Musician. Founder of Holiday API, Head of Engineering and Emoji Specialist at Mailshake, and author of the best damn Lorem Ipsum Library for PHP.