Key is stored in legacy trusted.gpg keyring

Josh Sherman

One of the more noticeable things to come out of me switching from Arch Linux back over to Debian is that I’m rarely running into any issues. Because I’m not running into any weirdness, it’s been to the detriment of my blog, as my time on Arch was a constant source of blog topics.

That being said, Debian’s no saint, so I do run into things from time to time. Fortunately, they tend to be very minor, and rarely result in my system being put into a truly bad state.

Don’t get me wrong though, I did accidentally remove GNOME from a system while attempting to get Steam installed. Served me right for not thoroughly reading the message that apt was telling me!

All right, so this particular issue has been happening since my return to Debian last year. Whenever I run apt update, some of my apt sources throw a deprecation warning about the key being stored in the legacy trusted.gpg keyring.

While this was just a warning, and I’m fairly confident that the issue would end up resolving itself naturally at some point, I did want to see if I could figure out how to clear up that error and clean up the messages logged from apt as best as I could.

The error message looks something like the following:

% sudo apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:7 http://repository.spotify.com stable InRelease
Ign:8 http://linux.dropbox.com/debian sid InRelease
Get:9 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing  InRelease [1,598 B]
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:6 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 1,598 B in 3s (624 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

At least for me, the issue is with the apt sources for Dropbox and Slack. Fortunately, the steps to resolve this can be applied to whichever sources you’re having trouble with. You’ll simply need to swap in the values for those particular keys.

There’s an easy way to see the keys you have in the keyring, as well as which files they reside in. Anything still found in /etc/apt/trusted.gpg is going to generate the deprecation message. The new format is to store the keys in individual files in /etc/apt/trusted.gpg.d/.

To get a list of the keys, and which files they are located in, you can run apt-key list. The following output has been cleaned up a bit for the sake of this post’s length, but I think you’ll get the idea:

% sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
      F9A2 1197 6ED6 62F0 0E59  361E 5E3C 45D7 B312 C643
uid           [ unknown] Spotify Public Repository Signing Key <[email protected]>

pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key <[email protected]>

pub   rsa4096 2016-02-18 [SCEA]
      DB08 5A08 CA13 B8AC B917  E0F6 D938 EC0D 0386 51BD
uid           [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) <[email protected]>
sub   rsa4096 2016-02-18 [SEA]

/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
------------------------------------------------------------
...

/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
---------------------------------------------------------
...

/etc/apt/trusted.gpg.d/google-chrome.gpg
----------------------------------------
...

/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub   rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
      E274 09F5 1D1B 6633 7F2D  2F41 7A3A 762F AFD4 A51F
uid           [ unknown] Spotify Public Repository Signing Key <[email protected]>

As you probably noticed, Spotify has a key listed in the old and new format. My guess is that this was part of some transitional efforts on their part. Good for them, as their apt source hasn’t given me any grief.

With the keys listed out, you can use the last 8 characters of the key’s ID to export the key and import it back into gpg properly in the new format.
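As an added example (not part of the original post), the script below parses apt-key list output and reports only the keys still stored in /etc/apt/trusted.gpg, with the full fingerprint, the 8-character ID used for the export, and any expiry date. The function names and the trimmed sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report which keys still live in the legacy keyring.
# Real use: sudo apt-key list 2>/dev/null | legacy_keys

LEGACY=/etc/apt/trusted.gpg

# Reads `apt-key list` output on stdin. For every key stored in $LEGACY,
# prints: full fingerprint, short ID (last 8 hex digits), expiry or "-", uid.
legacy_keys() {
  awk -v legacy="$LEGACY" '
    /^\//   { file = $0; next }              # keyring file header
    /^pub / { fpr = ""; seen_uid = 0; expiry = "-"
              if (match($0, /expires: [0-9-]+/))
                expiry = substr($0, RSTART + 9, RLENGTH - 9)
              next }
    /^ +[0-9A-F ]+$/ && fpr == "" {          # fingerprint line after pub
              fpr = $0; gsub(/ /, "", fpr); next }
    /^uid / && !seen_uid && file == legacy { # first uid of a legacy key
              seen_uid = 1
              uid = $0; sub(/^uid +\[ *[a-z]+ *\] */, "", uid)
              printf "%s\t%s\t%s\t%s\n", fpr, substr(fpr, length(fpr) - 7), expiry, uid }
  '
}

# Sample input trimmed from the listing above (e-mail addresses omitted).
sample_listing() {
  cat <<'EOF'
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
      F9A2 1197 6ED6 62F0 0E59  361E 5E3C 45D7 B312 C643
uid           [ unknown] Spotify Public Repository Signing Key

pub   rsa2048 2010-02-11 [SC]
      1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E
uid           [ unknown] Dropbox Automatic Signing Key

/etc/apt/trusted.gpg.d/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
--------------------------------------------------------------
pub   rsa4096 2022-11-14 [SC] [expires: 2024-02-07]
      E274 09F5 1D1B 6633 7F2D  2F41 7A3A 762F AFD4 A51F
uid           [ unknown] Spotify Public Repository Signing Key
EOF
}

sample_listing | legacy_keys
```

The full fingerprint in the first column can be passed to the export in place of the 8-character ID, which avoids any ambiguity between keys that share a short ID.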

If you’d like to see what we’re about to export into a file, you can run a command like this (the key ID here is for the Dropbox key):

% sudo apt-key export 5044912E
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

Piping the export to gpg goes something like this:

% sudo apt-key export 5044912E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/dropbox.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

I had to do this for both the Dropbox and Slack key IDs. Repeat as necessary with as many offending apt sources as you have.
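The apt-key(8) DEPRECATION section that the warning points to also recommends a further step: a key in /etc/apt/trusted.gpg.d/ is still trusted for every configured source, whereas a key stored elsewhere (since APT 2.4, /etc/apt/keyrings) and named in a source's signed-by option is trusted for that source only. The following is an added example, not from the original post, that adds the option to one-line sources.list entries; the keyring file names and the main component in the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: limit a repository key to its own source with signed-by.
# Keyring paths and the sample entries below are assumptions, not the
# author's actual sources.list contents.
#
# The key file would be written the same way as in the post, e.g. (as root):
#   apt-key export <full fingerprint> | gpg --dearmor -o /etc/apt/keyrings/dropbox.gpg

# pin_source KEYRING
# Reads one-line-style sources.list entries on stdin and adds
# signed-by=KEYRING to every deb/deb-src entry that does not already set it.
pin_source() {
  awk -v key="$1" '
    !/^deb(-src)? / || /signed-by=/ { print; next }  # comments, blanks, pinned
    $2 ~ /^\[/ { sub(/\]/, " signed-by=" key "]"); print; next }  # has [options]
    { sub(/ /, " [signed-by=" key "] "); print }     # no options yet
  '
}

# Constructed sample entries for the two sources named in the warnings.
sample_sources() {
  cat <<'EOF'
# Dropbox
deb http://linux.dropbox.com/debian sid main
deb [arch=amd64] https://packagecloud.io/slacktechnologies/slack/debian jessie main
EOF
}

sample_sources | grep dropbox.com     | pin_source /etc/apt/keyrings/dropbox.gpg
sample_sources | grep packagecloud.io | pin_source /etc/apt/keyrings/slack.gpg
```

For the pin to restrict anything, the same key must not also remain in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/.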

When you’re done, you can run apt update and the output shouldn’t mention anything about the deprecation warning:

% sudo apt update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://repo.steampowered.com/steam stable InRelease
Hit:5 http://deb.debian.org/debian bookworm-updates InRelease
Hit:6 http://repository.spotify.com stable InRelease
Get:8 http://download.opensuse.org/repositories/shells:/zsh-users:/zsh-history-substring-search/Debian_Testing  InRelease [1,598 B]
Ign:9 http://linux.dropbox.com/debian sid InRelease
Hit:10 http://linux.dropbox.com/debian sid Release
Hit:7 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Fetched 49.6 kB in 2s (24.3 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.

At this point you can run an apt upgrade if you’d like, assuming you have any upgradable packages waiting for you.
