Got an error pop-up “Key is stored in legacy trusted.gpg keyring” in Update Manager of Linux Mint 21? Here’s why and how to fix.
In Linux Mint 21, after adding a PPA either via ‘Software Sources‘ utility or
add-apt-repository command. You’ll get an error pop-up when click on ‘Refresh’ in Update Manager utility, says something look like:
W:http://ppa.launchpad.net/maintainer-id/ppa-name/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg) see the DEPRECATION section in apt-key (8) for details.
Why You See The Error:
This is definitely the issue of “apt-key is deprecated“! The upstream Debian changed the rule of adding third-party repositories, to make software sources more secure!
Previously, user can add a third-party repository by simply adding source URL into a config file, and put the key file into ‘
/etc/apt/trusted.gpg.d/‘. Your system will trust the packages signed by any key file under that directory.
Now, Debian changed the rules! The keys MUST NOT be placed in “
/etc/apt/trusted.gpg.d“. Instead, user should place them in ‘
/usr/share/keyrings‘ (or ‘
/user/local/share/keyrings‘ for choice). All 3-party software sources should have a “signed-by=/PATH/TO/KEY” section in their config files. So, a key file can be used ONLY for specified software source.
Ubuntu PPA (via launchpad.net) is the top popular third-party sources, that many software developers (such as Inkscape and LibreOffice) use it to publish the latest packages. Canonical, the company behind Ubuntu, has de-armored the PPA keys to un-readable garbled text to follow Debian policy. But, Ubuntu 22.04 still store them in ‘
/etc/apt/trusted.gpg.d‘ as it’s still working so far.
Linux Mint 21 functions a bit different to Ubuntu 22.04. It puts the keys in neither place when adding PPAs, which cause the error in both Update Manager and terminal output (indeed a Waring).
How to Fix the Error:
As mentioned it’s a definitely warning, lazy men can even ignore as it still works. Though, all PPA keys will be single ‘/etc/apt/trusted.gpg’ file.
Until the upstream fixed the
add-apt-repository command (or even replace it) to follow Debian policy, user can follow the step below to solve the issue manually.
Step 1: Put the key to right place
Firstly, press Ctrl+Alt+T on keyboard to open terminal. When terminal opens, run commands:
- Navigate to ‘/etc/apt’ directory:
- There you can see the key file created while adding PPA. Just move it to ‘/usr/share/keyrings’ directory and rename according your PPA name:
sudo mv trusted.gpg /usr/share/keyrings/PPA_NAME.gpg
Type user password when it asks for sudo authentication and hit Enter.
Step 2: Add ‘signed-by’ section in source file.
Next, run command in terminal to navigate to the sources directory, where stores the config files for all 3-party software sources:
Edit the config file for the PPA you just added (it’s Grub Customizer in my case):
sudo xed file_name_here.list
Replace xed with other text editor, such as nano, if you're NOT on Linux Mint.
Finally, add ‘signed-by’ section in the config file right after “deb” and before “http” url. So the file content will look like:
deb [signed-by=/usr/share/keyrings/xxx.gpg] http_url codename main
After saving the change, open “Update Manager” and click Refresh. Or run the command to update cache in terminal:
sudo apt update