One of the more noticeable things to come out of my switching from Arch Linux back over to Debian is that I’m rarely running into any issues. Because I’m not running into any weirdness, it’s been to the detriment of my blog, as my time on Arch was a constant source of blog topics.
That being said, Debian’s no saint, so I do run into things from time to time. Fortunately, they tend to be very minor, and rarely result in my system being put into a truly bad state.
Don’t get me wrong though, I did accidentally remove GNOME from a system while attempting to get Steam installed. Served me right for not thoroughly reading the message that apt was telling me!
All right, so this particular issue has been happening since my return to Debian last year. Whenever I run apt update, some of my apt sources throw a deprecation warning about the key being stored in the legacy trusted.gpg keyring.
While this was just a warning, and I’m fairly confident that the issue would end up resolving itself naturally at some point, I did want to see if I could figure out how to clear up that error and clean up the messages logged from apt as best as I could.
The error message looks something like the following:
% sudo apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:7 http://repository.spotify.com stable InRelease
Ign:8 http://linux.dropbox.com/debian sid InRelease
Get:9 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing InRelease [1,598 B]
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:6 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 1,598 B in 3s (624 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
At least for me, the issue is with the apt sources for Dropbox and Slack. Fortunately, the steps to resolve this can be applied to whichever sources you’re having trouble with. You’ll simply need to swap in the values for those particular keys.
There’s an easy way to see the keys you have in the keyring, as well as which files they reside in. Anything still found in /etc/apt/trusted.gpg is going to generate the deprecation message. The new format is to store the keys in individual files in /etc/apt/trusted.gpg.d/.
To get a list of the keys, and which files they are located in, you can run apt-key list. The following output has been cleaned up a bit for the sake of this post’s length, but I think you’ll get the idea:
% sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
F9A2 1197 6ED6 62F0 0E59 361E 5E3C 45D7 B312 C643
uid [ unknown] Spotify Public Repository Signing Key <[email protected]>
pub rsa2048 2010-02-11 [SC]
1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912E
uid [ unknown] Dropbox Automatic Signing Key <[email protected]>
pub rsa4096 2016-02-18 [SCEA]
DB08 5A08 CA13 B8AC B917 E0F6 D938 EC0D 0386 51BD
uid [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) <[email protected]>
sub rsa4096 2016-02-18 [SEA]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
------------------------------------------------------------
...
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
...
/etc/apt/trusted.gpg.d/google-chrome.gpg
----------------------------------------
...
/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
E274 09F5 1D1B 6633 7F2D 2F41 7A3A 762F AFD4 A51F
uid [ unknown] Spotify Public Repository Signing Key <[email protected]>
As you probably noticed, Spotify has a key listed in the old and new format. My guess is that this was part of some transitional efforts on their part. Good for them, as their apt source hasn’t given me any grief.
With the keys listed out, you can use the last 8 characters of the key’s ID to export the key and import it back into gpg properly in the new format.
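To pull those 8-character IDs out of the listing automatically, here is an added example (not part of the original post): a small parser for `apt-key list` output that reports only the keys still held in /etc/apt/trusted.gpg. The function names `legacy_keys` and `sample_listing` and the placeholder e-mail addresses are assumptions made for this example; the fingerprints are the ones from the listing above.

```shell
#!/bin/sh
# Report keys that still live in the legacy keyring by parsing
# `apt-key list` output on stdin.
# Output per key: short ID <TAB> full fingerprint <TAB> uid
legacy_keys() {
    awk -v legacy="${1:-/etc/apt/trusted.gpg}" '
        /^\//  { file = $1; want = 0; pending = ""; next }  # keyring file header
        /^pub/ { want = 1; next }                           # fingerprint is on the next line
        want {
            want = 0
            fpr = $0
            gsub(/[ \t]/, "", fpr)                          # drop the grouping spaces
            if (file == legacy && length(fpr) == 40 && fpr ~ /^[0-9A-F]+$/)
                pending = fpr
            next
        }
        /^uid/ && pending != "" {
            uid = $0
            sub(/^uid +\[ *[a-z]+ *\] */, "", uid)          # strip "uid [ unknown]"
            printf "%s\t%s\t%s\n", substr(pending, 33), pending, uid
            pending = ""
        }
    '
}

# Constructed sample shaped like the listing in the post (e-mail addresses are placeholders).
sample_listing() {
cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
      F9A2 1197 6ED6 62F0 0E59  361E 5E3C 45D7 B312 C643
uid           [ unknown] Spotify Public Repository Signing Key <spotify@example.invalid>
pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key <dropbox@example.invalid>
pub   rsa4096 2016-02-18 [SCEA]
      DB08 5A08 CA13 B8AC B917  E0F6 D938 EC0D 0386 51BD
uid           [ unknown] https://packagecloud.io/slacktechnologies/slack <slack@example.invalid>
sub   rsa4096 2016-02-18 [SEA]
/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub   rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
      E274 09F5 1D1B 6633 7F2D  2F41 7A3A 762F AFD4 A51F
uid           [ unknown] Spotify Public Repository Signing Key <spotify@example.invalid>
EOF
}

# Demo on the constructed sample; on a real system use:
#   sudo apt-key list 2>/dev/null | legacy_keys
sample_listing | legacy_keys
```

Comparing the full fingerprint in the second column against the one the vendor publishes is a useful check before exporting, since the 8-character ID alone is only a convenient handle.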
If you’d like to see what we’re about to export into a file, you can run a command like this (the key ID here is for the Dropbox key):
% sudo apt-key export 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Piping the export to gpg goes something like this:
% sudo apt-key export 5044912E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/dropbox.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
I had to do this for both the Dropbox and Slack key IDs. Repeat as necessary with as many offending apt sources as you have.
When you’re done, you can run apt update and the output shouldn’t mention anything about the deprecation warning:
% sudo apt update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:6 http://repository.spotify.com stable InRelease
Get:8 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing InRelease [1,598 B]
Ign:9 http://linux.dropbox.com/debian sid InRelease
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:7 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 49.6 kB in 2s (24.3 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
At this point you can run an apt upgrade if you’d like, assuming you have any upgradable packages waiting for you.