Discussion: APT/Troubleshooting


Key is stored in legacy trusted.gpg keyring

If you see an apt-key deprecated warning when you run apt update on Ubuntu and want to fix it, you’re in the right place

In this post I walk you (and myself) through the process

  • See, after I followed the steps to install TeamViewer on Ubuntu I noticed the following error every time I run apt update
W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details

Though undesired, the warning does not prevent updating or upgrading the system

  • You can ignore it without any ill effect and, for a day or two, that’s what I did
  • And if you stick to GUI update methods you won’t hear about the error at all

But it’s annoying, and hey: the warning is showing for a reason

  • I’m not going to get into the reasons why apt-key add was deprecated here (there are some excellent explanations elsewhere on the web), but I am going to show you how to solve it

Fix Apt-Key Deprecation Error

Fixing the apt-key deprecation error on Ubuntu can be done a number of ways

Method 1: the sensible way

The recommended method from AskUbuntu is as follows

  • First, open a new Terminal window and then look inside your legacy apt-key file by running this command
# apt-key list

Depending on your system you may see a couple of entries appear or a veritable avalanche

Scroll through the list carefully

  • Pay attention to how things are laid out
  • Find the section that mentions the package listed in the initial warning (if you see multiple warnings you will need to repeat these steps for each one in turn)

In my case I’m looking for the key related to TeamViewer, and it looks like this

pub rsa4096 2020-01-29 [SC]
8CAE 012E BFAC 38B1 7A93 7CD8 C5E2 2450 0C12 89C0
uid [ unknown] TeamViewer Germany GmbH (TeamViewer Linux 2020) <support@teamviewer.com>

Copy the last 8 characters from the second line — in the example above this is 0C12 89C0 — and convert it to a .gpg file using the command below

  • Remember to drop the space between the 8 characters and specify a gpg file name that is relevant to the package the key is for

In my example I had to run

# apt-key export 0C1289C0 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/teamviewer.gpg

Once you’ve constructed your command, hit Enter. That’s all you need to do

When you next run an apt update the deprecated key error will no longer appear for the repo you just applied (though if you have more than one repo affected, you’ll need to repeat the steps above for each one)
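An 8-character key ID covers only the last 32 bits of the fingerprint and is not guaranteed to be unique, so it is worth confirming by full fingerprint that the exported file holds exactly the key you expected. The following is an added example, not part of the original post; the function names are illustrative and the colon listing is constructed from the key shown above.

```shell
#!/bin/sh
# Added example (helper names are illustrative): check an exported keyring
# by full fingerprint instead of the 8-character short ID.

# Strip spaces and upper-case a fingerprint as printed by `apt-key list`.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin, print each primary-key fingerprint.
# The fpr record that follows a pub record belongs to the primary key;
# fpr records that follow sub records are subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin lists exactly one primary key and it matches $1.
keyring_holds_only() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Constructed colon listing for the TeamViewer key shown above.
SAMPLE='pub:-:4096:1:C5E224500C1289C0:1580256000:::-:::scESC:
fpr:::::::::8CAE012EBFAC38B17A937CD8C5E224500C1289C0:
uid:-::::1580256000::::TeamViewer Germany GmbH (TeamViewer Linux 2020) <support@teamviewer.com>:'

# Real use, after the export step:
#   gpg --show-keys --with-colons /etc/apt/trusted.gpg.d/teamviewer.gpg \
#     | keyring_holds_only '8CAE 012E BFAC 38B1 7A93 7CD8 C5E2 2450 0C12 89C0' \
#     && echo "keyring holds only the expected key"
```

The expected fingerprint should come from the vendor's own documentation rather than from the keyring being checked.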

Find this method too involved?

Method 2: the quick way

The “recommended” way to fix apt key deprecations errors on Ubuntu is the method detailed above

  • But there is a “quick and dirty” fix

While the method below worked for me, I should stress that a) your mileage may vary and b) it’s not the smart way to solve this issue as, depending on the legacy keys on your system, it could compromise your system’s security

If you’re happy to throw caution to the wind open a new Terminal window and run

cd /etc/apt

Followed by

sudo cp trusted.gpg trusted.gpg.d

Enter your password as prompted and hit enter to apply

When you next run apt update the error in question will no longer appear


Solve: Legacy trusted.gpg keyring – ‘apt-key’ Deprecation on Ubuntu

Solve APT key warning on Ubuntu 22.04 or in other latest versions: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

If we want to install some software on Ubuntu Linux that is not present in the official repository, then we need to use the repository or binary of that tool

  • However, the repository method is preferable because of future updates
  • To add any third-party repository we also need to add a new GnuPG key / public key issued by the developers of the packages we want to install
  • It helps the system to confirm the packages we are receiving are the same as those published by its developers
  • Otherwise, the system would not have a relationship of trust – the installation of packages from untrusted sources would be rejected

Previously, for example up to Ubuntu 20.04, the public key was usually downloaded and passed directly to apt-key add

  • However, in later versions of Ubuntu such as 22.04 LTS, this method has been deprecated
  • Keys added using the old method in Debian 11 or Ubuntu 22.04 are only marked as deprecated and are therefore still available
  • But in the next major version of these operating systems, this will be removed as well

So why is apt-key deprecated?

The reason why apt-key is deprecated is the way it handles keys

  • Previously we used the apt-key command to add a new third-party key to a file called trusted.gpg, which also holds the keys of the default system repositories.  However, that is not an issue
  • Adding keys individually to the trusted.gpg.d directory under /etc/apt/ removes the apt-key deprecation warning for now, but from a security perspective both do the same thing
  • Once keys are added either to trusted.gpg or to the trusted.gpg.d directory, APT considers them trusted and gives them the ability to replace any package on the system, which weakens the security of the system

Hence, it would be better if a key is only accepted for the associated repository

  • So a 1:1 relationship, instead of a general, unconditional relationship of trust
  • For this reason, apt-key has been marked as obsolete to switch to this new method
  • That is the reason why we are getting an APT-key deprecated warning

Currently, to remove the warning we can simply save our keys in the trusted.gpg.d folder

  • However, we will also discuss the right way to convert and create a Key to use


1st Method
Create a GnuPG file using the existing Key

Check APT-Key List

If, after adding a repository and its GnuPG key using the apt-key add method, you start getting a key deprecation warning, first list the available keys in your terminal

  • For that use the given command
# apt-key list

You will see a list of all added keys trusted on your system

  • Now, find the software repository key that is creating a problem
  • For example, here in our case, we have added a pub key of the MySQL repository that started giving the warning

Create a GnuPG key for trusted.gpg.d

Here in the screenshot, you can see that we have the Apt Key error for the MySQL added key

  • Hence, what we do is – copy the last eight digits of the Pub key given for it

Once we have copied that, use the following syntax to convert it into a GnuPG key and save it under the trusted.gpg.d folder:

sudo apt-key export paste-the-copied-digits | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/key-name.gpg

In the above syntax, replace “paste-the-copied-digits” with the last 8 digits we have copied, removing the space between them

  • And also replace “key-name” with whatever name you want to use to save the key in GnuPG format
  • After that hit the Enter Key

For example:

# apt-key export 3A798D29 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/mysql-key.gpg

Now, run the system update command…

# apt update


2nd Method: Create a GnuPG key only accepted for the associated repository

Create a Keyrings folder

First of all, you need a folder. Do not use /etc/apt/trusted.gpg.d; use a separate folder

  • This is freely selectable; a useful path could be e.g. /usr/local/share/keyrings or the already available /usr/share/keyrings
# mkdir /usr/local/share/keyrings

Next, we need the PGP public key that we want to add to our system for a particular repository

  • So, first download it as a file
  • Also, before going further, check whether the file really is a PGP key

For example:

wget -q -O key.gpg link-to-key

Replace link-to-key with the actual URL to download the key you want to use with the repository

To show you how, let’s download the key of Webmin to use it with its repository

wget -q -O key.gpg http://www.webmin.com/jcameron-key.asc

Check whether the key is valid or not

file key.gpg

Output:

key.gpg: PGP public key block Public-Key (old)

Note: Don’t be confused by old, “PGP public key block Public-Key (old)” is fine

Now we need to create a key ring that we can pass to APT

gpg --no-default-keyring --keyring ./tmp.gpg --import key.gpg

Export the created key:

gpg --no-default-keyring --keyring ./tmp.gpg --export --output webmin-key.gpg

Remove the temporary keys:

rm tmp.gpg key.gpg

webmin-key.gpg is the final key, which we need to move to the keyrings folder we have created or to trusted.gpg.d

If you move the key to the trusted.gpg.d folder then you don’t need to point your repository manually to the key location

  • However, security wise the problem will be the same
  • APT will trust this key for all packages

Point the created key to use only for the added Repo

Hence, to solve this and let APT trust the created key only for packages coming from the single Webmin repository

  • Move it to the folder we have created
# mv webmin-key.gpg /usr/local/share/keyrings

Go to the repository file for which you have added the GnuPG key and edit it. For example, here we are using the Webmin repo file

  • For that, we need to edit /etc/apt/sources.list.d/webmin.list
  • In the same way, you have to edit your own software repo file and point the repo URL to the created key

Syntax:

deb [arch=amd64 signed-by=created-key-path] package-repository-url

Example:

deb [signed-by=/usr/local/share/keyrings/webmin-key.gpg] https://download.webmin.com/download/repository sarge contrib

Of course, this must be adjusted according to the architecture, the path you have chosen, and the package source URL

Now you can update the package sources normally via sudo apt update so that apt can load the package index from the newly added repository

  • APT will trust the key for packages from the added repository, not for the whole system
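To see which repositories still rely on global trust after this change, the source entries can be audited for the signed-by option. The following is an added example, not part of the original article; it handles only one-line-style entries (.list files), the function names are illustrative, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (helper names are illustrative): flag one-line-style APT
# source entries that are not pinned to their own key.

# Print the signed-by value of one "deb [options] uri suite comp" line, or nothing.
signed_by_of() {
    printf '%s\n' "$1" | sed -n 's/^[^[]*\[\([^]]*\)].*$/\1/p' \
        | tr ' ' '\n' | sed -n 's/^signed-by=//p'
}

# Read source lines on stdin; print "STATUS<TAB>line" for each deb/deb-src entry.
#   GLOBAL  no signed-by: any key in trusted.gpg or trusted.gpg.d is accepted
#   WEAK    signed-by points into the global trust store itself
#   PINNED  signed-by points at a keyring outside the global trust store
audit_sources() {
    while read -r line; do
        case "$line" in
            deb\ *|deb-src\ *) ;;
            *) continue ;;              # comments, blank lines, anything else
        esac
        key=$(signed_by_of "$line")
        case "$key" in
            '') status=GLOBAL ;;
            /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) status=WEAK ;;
            *) status=PINNED ;;
        esac
        printf '%s\t%s\n' "$status" "$line"
    done
}

# Constructed sample entries; the last URL is a placeholder.
SAMPLE_SOURCES='# constructed sample
deb [signed-by=/usr/local/share/keyrings/webmin-key.gpg] https://download.webmin.com/download/repository sarge contrib
deb https://linux.teamviewer.com/deb stable main
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/mysql-key.gpg] http://repo.example.invalid/apt jammy main'

# Real use:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | audit_sources
```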

3rd Method: Quick and Forceful Method

Although the methods given above are the recommended ones, if you are still looking for a quick method, here is one.  It is a forceful method because we are not converting keys but instead directly copying the legacy keys to a trusted folder. It may not be a wise idea, but if you cannot find any other quick way for your legacy key, here is the one to use

cd /etc/apt
# cp trusted.gpg trusted.gpg.d