Fix ‘Update Manager’ Refresh Error After Adding PPA in Linux Mint 21

UPDATE: Linux Mint 21.1 has fixed the issue, according to the release note.

Got an error pop-up “Key is stored in legacy trusted.gpg keyring” in Update Manager of Linux Mint 21? Here’s why and how to fix.

In Linux Mint 21, after adding a PPA either via ‘Software Sources‘ utility or add-apt-repository command. You’ll get an error pop-up when click on ‘Refresh’ in Update Manager utility, says something look like:

W: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg) see the DEPRECATION section in apt-key (8) for details.

Why You See The Error:

This is definitely the issue of “apt-key is deprecated“! The upstream Debian changed the rule of adding third-party repositories, to make software sources more secure!

Previously, user can add a third-party repository by simply adding source URL into a config file, and put the key file into ‘/etc/apt/trusted.gpg.d/‘. Your system will trust the packages signed by any key file under that directory.

Now, Debian changed the rules! The keys MUST NOT be placed in “/etc/apt/trusted.gpg.d“. Instead, user should place them in ‘/usr/share/keyrings‘ (or ‘/user/local/share/keyrings‘ for choice). All 3-party software sources should have a “signed-by=/PATH/TO/KEY” section in their config files. So, a key file can be used ONLY for specified software source.

Ubuntu PPA (via is the top popular third-party sources, that many software developers (such as Inkscape and LibreOffice) use it to publish the latest packages. Canonical, the company behind Ubuntu, has de-armored the PPA keys to un-readable garbled text to follow Debian policy. But, Ubuntu 22.04 still store them in ‘/etc/apt/trusted.gpg.d‘ as it’s still working so far.

Linux Mint 21 functions a bit different to Ubuntu 22.04. It puts the keys in neither place when adding PPAs, which cause the error in both Update Manager and terminal output (indeed a Waring).

How to Fix the Error:

As mentioned it’s a definitely warning, lazy men can even ignore as it still works. Though, all PPA keys will be single ‘/etc/apt/trusted.gpg’ file.

Until the upstream fixed the add-apt-repository command (or even replace it) to follow Debian policy, user can follow the step below to solve the issue manually.

Step 1: Put the key to right place

Firstly, press Ctrl+Alt+T on keyboard to open terminal. When terminal opens, run commands:

    • Navigate to ‘/etc/apt’ directory:
      cd /etc/apt
    • There you can see the key file created while adding PPA. Just move it to ‘/usr/share/keyrings’ directory and rename according your PPA name:
      sudo mv trusted.gpg /usr/share/keyrings/PPA_NAME.gpg

Type user password when it asks for sudo authentication and hit Enter.

Move and rename the key file to right place

Step 2: Add ‘signed-by’ section in source file.

Next, run command in terminal to navigate to the sources directory, where stores the config files for all 3-party software sources:

cd /etc/apt/sources.list.d/

Edit the config file for the PPA you just added (it’s Grub Customizer in my case):

sudo xed file_name_here.list
Replace xed with other text editor, such as nano, if you're NOT on Linux Mint.

Finally, add ‘signed-by’ section in the config file right after “deb” and before “http” url. So the file content will look like:

deb [signed-by=/usr/share/keyrings/xxx.gpg] http_url codename main

After saving the change, open “Update Manager” and click Refresh. Or run the command to update cache in terminal:

sudo apt update

That’s all.

Hi, I'm Merilyn Ne, a computer geek working on Ubuntu Linux for many years and would like to write useful tips for beginners. Forgive me for language mistakes. I'm not a native speaker of English.