Working around ‘Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg)’

If a webpage tells you to run a command to import a GPG key when setting up an APT repository, it isn’t necessarily correct! Newer versions of Ubuntu no longer use apt-key and /etc/apt/trusted.gpg, preferring you put repository GPG keys in a file under /etc/apt/trusted.gpg.d.

Having recently reinstalled my desktop and not realising this, I had this exceedingly annoying error:

W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This is one of the kinds of errors that tells you what you shouldn’t do, and isn’t too helpful about guiding you to what you should do.

As this is an easily forgettable problem, here’s how to fix it.

First, list the keys in /etc/apt/trusted.gpg:

gpg --keyring /etc/apt/trusted.gpg --list-keys

You will see a list of keys similar to the following:

pub rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
F9A211976ED662F00E59361E5E3C45D7B312C643
uid [ unknown] Spotify Public Repository Signing Key tux@spotify.com

pub rsa4096 2013-11-19 [SC] [expires: 2027-11-11]
222B85B0F90BE2D24CFEB93F47484E50656D16C7
uid [ unknown] Keybase.io Code Signing (v1) code@keybase.io
sub rsa4096 2013-11-19 [E] [expires: 2027-11-11]

pub rsa4096 2014-01-13 [SCEA] [expired: 2019-01-12]
418A7F2FB0E1E6E7EABF6FE8C2E73424D59097AB
uid [ expired] packagecloud ops (production key) ops@packagecloud.io

pub rsa4096 2016-02-18 [SCEA]
DB085A08CA13B8ACB917E0F6D938EC0D038651BD
uid [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) support@packagecloud.io
sub rsa4096 2016-02-18 [SEA]

For each of the keys, find the key ID – the long hexadecimal string on the second line, and run the following command:

gpg --keyring /etc/apt/trusted.gpg --export <key-id> | sudo tee /etc/apt/trusted.gpg/<repository>.gpg

Finally, tidy up after yourself by deleting the key from trusted.gpg:

sudo gpg --keyring /etc/apt/trusted.gpg --delete-key <key-id>

You can even specify multiple keys on the command line.

And that’s it.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.