Tag: linux

As per man 8 apt-key‘s deprecation note, the /etc/apt/trusted.gpg file managed by apt-key is now deprecated.

New keys should be added to /usr/share/keyrings is this way:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg \
  > /dev/null

This key can then be used in the source definition in this way:

deb [arch=amd64 signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu jammy stable

Now, if you have a bunch of keys in /etc/apt/trusted.gpg and don’t fancy looking it up where they are from, you can do something like this:

pub   rsa2048 2014-12-29 [SC]
      37C84554E7E0A261E4F76E1ED26E6ED000654A3E
uid           [ unknown] Syncthing Release Management <release@syncthing.net>
sub   rsa2048 2014-12-29 [E]
sub   rsa4096 2015-05-11 [S] [expires: 2025-05-08]

The 37C84554E7E0A261E4F76E1ED26E6ED000654A3E in the second line is the key id.

• Decide on a filename for the key, eg. syncthing-apt.gpg
• Export the key

gpg --keyring /etc/apt/trusted.gpg --export 37C84554E7E0A261E4F76E1ED26E6ED000654A3E \
  | sudo tee /usr/share/keyrings/syncthing-apt.gpg > /dev/null

• Update the source definition by adding signed-by=/usr/share/keyrings/syncthing-apt.gpg option-value pair

--- /etc/apt/sources.list.d/syncthing-release.list.orig 2023-07-12 07:49:21.682281426 +0200
+++ /etc/apt/sources.list.d/syncthing-release.list      2024-07-04 06:40:56.628558228 +0200
@@ -1 +1 @@
-deb [arch=amd64] http://apt.syncthing.net/ syncthing release
+deb [arch=amd64 signed-by=/usr/share/keyrings/syncthing-apt.gpg] http://apt.syncthing.net/ syncthing release

• Remove the key from the old keyring

sudo gpg --keyring /etc/apt/trusted.gpg --delete-key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E

• Rinse and repeat until you added all the keys you still use

---

Inspired by: https://github.com/docker/docs/issues/11625 and https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html