APT Key Deprecation Errors — apt-key Is Deprecated Fix for Ubuntu/Debian
About APT Key Deprecation Errors
Fix APT key deprecation warnings and errors when adding third-party repositories on Ubuntu and Debian after apt-key was deprecated in favor of signed-by. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: apt-key was deprecated in Debian 11 and Ubuntu 22.04 — it added keys globally for all repos. The new method uses per-repository keys stored in /etc/apt/keyrings/ or /usr/share/keyrings/. Sources now use the signed-by option in .sources files or .list files to reference specific keys. Warning: 'Key is stored in legacy trusted.gpg keyring' means the key needs migration. Third-party repo installation scripts may still use the deprecated method. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.
The most common reasons this occurs include: Third-party repository instructions using deprecated apt-key add command. Keys added with apt-key stored in /etc/apt/trusted.gpg (global, less secure). Repository .list file not using signed-by to reference the specific key. Old repository configuration not updated after OS upgrade. Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps: Create keyrings directory: sudo mkdir -p /etc/apt/keyrings. Download key to keyrings: curl -fsSL https://repo.example.com/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/example.gpg. Add repo with signed-by: echo 'deb [signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.com/apt stable main' | sudo tee /etc/apt/sources.list.d/example.list. Migrate existing keys: export from trusted.gpg with apt-key export <keyid> and save to /etc/apt/keyrings/. Remove from legacy keyring: sudo apt-key del <keyid> after migration. Update: sudo apt update to verify no key warnings. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our Linux Error Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
Why was apt-key deprecated?
apt-key added keys to a global trust store, meaning any key could authenticate any repository. The new signed-by method ties each key to a specific repository, improving security.
Overview
Fix APT key deprecation warnings and errors when adding third-party repositories on Ubuntu and Debian after apt-key was deprecated in favor of signed-by.
Key Details
- apt-key was deprecated in Debian 11 and Ubuntu 22.04 — it added keys globally for all repos
- The new method uses per-repository keys stored in /etc/apt/keyrings/ or /usr/share/keyrings/
- Sources now use the signed-by option in .sources files or .list files to reference specific keys
- Warning: 'Key is stored in legacy trusted.gpg keyring' means the key needs migration
- Third-party repo installation scripts may still use the deprecated method
Common Causes
- Third-party repository instructions using deprecated apt-key add command
- Keys added with apt-key stored in /etc/apt/trusted.gpg (global, less secure)
- Repository .list file not using signed-by to reference the specific key
- Old repository configuration not updated after OS upgrade
Steps
- 1Create keyrings directory: sudo mkdir -p /etc/apt/keyrings
- 2Download key to keyrings: curl -fsSL https://repo.example.com/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/example.gpg
- 3Add repo with signed-by: echo 'deb [signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.com/apt stable main' | sudo tee /etc/apt/sources.list.d/example.list
- 4Migrate existing keys: export from trusted.gpg with apt-key export <keyid> and save to /etc/apt/keyrings/
- 5Remove from legacy keyring: sudo apt-key del <keyid> after migration
- 6Update: sudo apt update to verify no key warnings