Table of Contents

This guide is about What is the solution of ‘apt-key is deprecated’ Warning Debian 11 or Kali Linux. So read this free guide, What is the solution of ‘apt-key is deprecated’ Warning Debian 11 or Kali Linux step by step. If you have query related to same article you may contact us.

What is the solution of ‘apt-key is deprecated’ Warning Debian 11 or Kali Linux – Guide

When trying to add an APT repository key using apt-key on Debian, Ubuntu and Linux distributions based on them, you will see the following message: “Warning: apt-key is deprecated. Instead, manage the keyring files in trusted.gpg.d (see apt-key (8)) ”.

The apt-key man page mentions that “using apt-key is deprecated, except for using apt-key del in maintainer scripts to remove existing keys from the main keyring”. Furthermore, “apt-key will be available for the last time on Debian 11 and Ubuntu 22.04.”

The reason for this change is that by adding an OpenPGP key that is used to sign an APT repository in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d, the key is unconditionally trusted by APT at all the other repositories configured on the system that do not have a signed option (see below), even the official Debian / Ubuntu repositories. As a result, any unofficial APT repository that has its signature key added to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d can replace any package on the system. Therefore, this change was made for security reasons (your security).

It’s also worth noting that although apt-key’s deprecation message says “manage keyring files in trusted.gpg.d instead”, the Debian wiki claims otherwise. That’s because adding OpenPGP keys to /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d is equally insecure, as mentioned above.

1. Download the APT repository key

According to the Debian wiki, the key should be downloaded over HTTPS to a writable location only by root, for example / usr / share / keyrings. The key name must contain a short name that describes the repository, followed by the file keyring. For example, if the repository is named myrepository, the key file would be named myrepository-archive-keyring.gpg.

The OpenPGP key file can be ASCII shielded or not. To check if a key file is protected by ascii, download the key file and run this command (note that the key extension can be .gpg, .asc, .key and probably others):

.gpg file If the output of this command looks like the following, the key is protected by ascii:

repo-key.gpg: PGP Public Key Lock Public Key (Old) That said, this is how to properly and securely download and add a repository signature key to your system:

For OpenPGP keys with ascii protection

To download using wget and add this OpenPGP key to your system, use:

wget -O- | gpg -dearmor | sudo tee /usr/share/keyrings/-archive-keyring.gpg

What everything in this command means / means:

wget downloads the key from https://example.com/key/repo-key.gpg and sends the key to stdout (-O-). Replace the URL here with the URL of the key you want to download and add it to your systemgpg –dearmor: the gpg command is the OpenPGP encryption and signature tool; its –dearmor option unpacks the input of an armorsudo tee OpenPGP ASCII /usr/share/keyrings/-archive-keyring.gpg: as superuser (sudo), read the standard input, which in this case is the output provided by gpg – dearmor, and write it to the /usr/share/keyrings/-archive-keyring.gpg file. Replace the name with a descriptive name for the repository key you are adding

Final note

I hope you like the guide What is the solution of ‘apt-key is deprecated’ Warning Debian 11 or Kali Linux. In case if you have any query regards this article you may ask us. Also, please share your love by sharing this article with your friends.

Was this article helpful?

Yes0No0