apt-key is Deprecated! Here’s Right Way to Add Third-Party Repository in Debian & Ubuntu

We install many app packages from third-party software sources in Debian & Ubuntu Linux. However, when adding repository keys it may indicate that “apt-key is deprecated“. Here’s how to fix the warning and use the correct way to install OpenGPG keys.

Why apt-key is deprecated?

We used to use apt-key add command to add a new key into /etc/apt/trusted.gpg.d/ directory. It makes system to accept signatures from the third-party key-holder on all other repositories in the system. Which means any third-party repository whose key is in there can replace any package in whole system.

It’s a big security risk. Debian decides to use “signed-by” option instead for each third-party repository. So, it will accept the signature for only the signed repository. And, apt-key will be working though with warnings last in Debian 11 / Ubuntu 22.04.

How to Correctly Add GPG Key:

The right way is storing the key files under /usr/share/keyrings (in this tutorial, I’ll use “/usr/local/share/keyrings” instead for easy management), then add “signed-by” option for the third-party repositories. Though, the ASCII-armored keys need to be de-armored first.

1. Verify if it is an ASCII-armored key

There are different type of GPG file extensions: .asc, .key, .gpg, and more. Assume that I’m going to download the key for Opera web browser:

wget http://deb.opera.com/archive.key -O opera.key

After downloading the key file, you may verify via command:

file opera.key

The ASCII-armored key will output something look like “PGP public key block Public-Key (old)“. Open the file, you’ll see it starts with “—-BEGIN PGP PUBLIC KEY BLOCK—-“.

—–BEGIN PGP PUBLIC KEY BLOCK—–



—–END PGP PUBLIC KEY BLOCK—–

This is an ASCII-armored key file.

2. Convert ASCII-armored key to recommend GPG:

For the armored key, you need to run command in terminal to de-armor it:

gpg --output opera.gpg --dearmor opera.key

It will generate the new “opera.gpg” key file. And, verify it again via “file opera.gpg” command will output something look like:

PGP/GPG key public ring (v4) created Wed Jun 23 17:01:52 2021 RSA (Encrypt or Sign) 4096 bits MPI=0xea762980afd9ab0a…

And open the new key, you’ll see un-readable garbled text.

un-armor the “ascii-armored” key file

3. Put the key file to the right place:

You can finally put the new generated key file to the “/usr/share/keyrings” or “/usr/local/share/keyrings”.

Here I’m going to create the directory (in case it’s not exist), and move the key into there via command:

sudo mkdir -p /usr/local/share/keyrings
sudo mv opera.gpg /usr/local/share/keyrings
Put the GPG key to /usr/local/share/keyrings

To be simple, you may run the single command instead of the preview steps to install an ASCII-armored key:

wget -O - <https://example.com/key/repo-key.asc/gpg/key> | gpg --dearmor | sudo tee /usr/local/share/keyrings/<repo-key>.gpg

or use curl command:

curl <https://example.com/key/repo-key.asc/gpg/key> | gpg --dearmor | sudo dd of=/usr/local/share/keyrings/<repo-key>.gpg

In my case, the command will be (/usr/local/share/keyrings have to be created first):

wget -O - http://deb.opera.com/archive.key | gpg --dearmor | sudo tee /usr/local/share/keyrings/opera.gpg

Install the not armored key file:

If the key file is no armored file, simply put it into the location will do the trick. You can do this step by step, or run single command to download the file directly to the place:

sudo wget <https://example.com/key/repo-key.gpg> -O /usr/local/share/keyrings/<repo-key>.gpg

Add “signed-by” option to third-party repository:

After adding the key correctly, run command to create and edit the repository file:

sudo nano /etc/apt/sources.list.d/opera.list

Then write the line below into it:

Please replace the repository line and path-to-key file accordingly.

deb [signed-by=/usr/local/share/keyrings/opera.key] http://deb.opera.com/opera-stable/ stable non-free

Add ‘signed-by’ option to repository

Finally press Ctrl+X, type y and hit Enter to save the file.

Set Package Priority:

To prevent from upgrading already installed packages from official repositories, user may set a lower package priority for the third-party repositories.

Firstly, run command to create and config the preferences file:

sudo nano /etc/apt/preferences.d/opera.pref

When it opens, paste the line below:

Package: *
Pin: origin deb.opera.com
Pin-Priority: 100

Set “Pin-Priority” to 100 allows to perform upgrade of packages only installed from that repository. You may set it 1, to allow to install packages from the repository but forbid automated upgrades.

And for the “Pin” value, run command below to tell:

sudo apt update && apt-cache policy

That’s all. Enjoy!

Exit mobile version