If a webpage tells you to run a command to import a GPG key when setting up an APT repository, it isn’t necessarily correct! Newer versions of Ubuntu no longer use
/etc/apt/trusted.gpg, preferring you put repository GPG keys in a file under
Having recently reinstalled my desktop and not realising this, I had this exceedingly annoying error:
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
This is one of the kinds of errors that tells you what you shouldn’t do, and isn’t too helpful about guiding you to what you should do.
As this is an easily forgettable problem, here’s how to fix it.
First, list the keys in
gpg --keyring /etc/apt/trusted.gpg --list-keys
You will see a list of keys similar to the following:
pub rsa4096 2021-10-27 [SC] [expires: 2023-01-20]
uid [ unknown] Spotify Public Repository Signing Key email@example.com
pub rsa4096 2013-11-19 [SC] [expires: 2027-11-11]
uid [ unknown] Keybase.io Code Signing (v1) firstname.lastname@example.org
sub rsa4096 2013-11-19 [E] [expires: 2027-11-11]
pub rsa4096 2014-01-13 [SCEA] [expired: 2019-01-12]
uid [ expired] packagecloud ops (production key) email@example.com
pub rsa4096 2016-02-18 [SCEA]
uid [ unknown] https://packagecloud.io/slacktechnologies/slack (https://packagecloud.io/docs#gpg_signing) firstname.lastname@example.org
sub rsa4096 2016-02-18 [SEA]
For each of the keys, find the key ID – the long hexadecimal string on the second line, and run the following command:
gpg --keyring /etc/apt/trusted.gpg --export <key-id> | sudo tee /etc/apt/trusted.gpg/<repository>.gpg
Finally, tidy up after yourself by deleting the key from
sudo gpg --keyring /etc/apt/trusted.gpg --delete-key <key-id>
You can even specify multiple keys on the command line.
And that’s it.