Error Codes Wiki

APT Key Deprecation Errors — apt-key Is Deprecated Fix for Ubuntu/Debian

Informational | package manager

Overview

Fix APT key deprecation warnings and errors when adding third-party repositories on Ubuntu and Debian after apt-key was deprecated in favor of signed-by.

Key Details

  • apt-key was deprecated in Debian 11 and Ubuntu 22.04 — it added keys globally for all repos
  • The new method uses per-repository keys stored in /etc/apt/keyrings/ or /usr/share/keyrings/
  • Sources now use the signed-by option in .sources files or .list files to reference specific keys
  • Warning: 'Key is stored in legacy trusted.gpg keyring' means the key needs migration
  • Third-party repo installation scripts may still use the deprecated method

Common Causes

  • Third-party repository instructions that still use the deprecated apt-key add command
  • Keys added with apt-key stored in /etc/apt/trusted.gpg (global, less secure)
  • Repository .list file not using signed-by to reference the specific key
  • Old repository configuration not updated after OS upgrade

Steps

  1. Create keyrings directory: sudo mkdir -p /etc/apt/keyrings
  2. Download key to keyrings: curl -fsSL https://repo.example.com/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/example.gpg
  3. Add repo with signed-by: echo 'deb [signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.com/apt stable main' | sudo tee /etc/apt/sources.list.d/example.list
  4. Migrate existing keys: export from trusted.gpg with apt-key export <keyid> and save to /etc/apt/keyrings/
  5. Remove from legacy keyring: sudo apt-key del <keyid> after migration
  6. Update: sudo apt update to verify no key warnings
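
To check the result of the steps above, the following added example (not part of the original page) lists every source entry that has no signed-by, in both one-line .list files and deb822 .sources files, and flags a non-empty legacy trusted.gpg. The function names and the sample tree are constructed for illustration; on a real system, call audit_apt_sources /etc/apt.

```shell
#!/usr/bin/env bash
# Added example: report APT sources that are not tied to a key via signed-by.

audit_apt_sources() {   # $1 = APT config directory, normally /etc/apt
    local dir=$1 f
    # Keys left here by apt-key are trusted for every repository.
    if [ -s "$dir/trusted.gpg" ]; then echo "$dir/trusted.gpg: legacy global keyring in use"; fi
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        # One-line format: options sit in [ ] right after deb/deb-src.
        awk -v f="$f" '/^[ \t]*deb(-src)?[ \t]/ {
            rb = index($0, "]")
            if (substr($0, 1, rb) !~ /signed-by=/) print f ":" NR ": no signed-by"
        }' "$f"
    done
    for f in "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        # deb822 format: blank-line separated stanzas, each needs a Signed-By field.
        awk -v f="$f" '
            function endstanza() { if (types && !signed) print f ":" start ": no Signed-By"; types = signed = 0 }
            /^[ \t]*$/ { endstanza(); next }
            tolower($0) ~ /^types:/     { types = 1; start = NR }
            tolower($0) ~ /^signed-by:/ { signed = 1 }
            END { endstanza() }' "$f"
    done
    return 0
}

make_sample_tree() {    # constructed fixture, not a real system
    local d; d=$(mktemp -d); mkdir -p "$d/sources.list.d"
    echo 'placeholder' > "$d/trusted.gpg"
    printf '%s\n' \
        'deb [signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.com/apt stable main' \
        '# deb https://repo.example.com/old stable main' \
        'deb [arch=amd64] https://repo.example.com/legacy stable main' \
        > "$d/sources.list.d/example.list"
    printf '%s\n' 'Types: deb' 'URIs: https://repo.example.com/apt' 'Suites: stable' \
        'Components: main' 'Signed-By: /etc/apt/keyrings/example.gpg' '' \
        'Types: deb' 'URIs: https://repo.example.com/other' 'Suites: stable' 'Components: main' \
        > "$d/sources.list.d/example.sources"
    echo "$d"
}

sample=$(make_sample_tree)
audit_apt_sources "$sample"
rm -rf "$sample"
```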

Tags

apt, gpg-key, repository, debian, ubuntu

Frequently Asked Questions

apt-key added keys to a global trust store, meaning any key could authenticate any repository. The new signed-by method ties each key to a specific repository, improving security.