Diskussion:APT/Fehlerbehebung
Key is stored in legacy trusted.gpg keyring
If you see an apt-key deprecated warning when you run apt update on Ubuntu and want to fix it, you’re in the right place. In this post I walk you (and myself) through the process.
See, after I followed the steps to install TeamViewer on Ubuntu I noticed the following error every time I run apt update:
W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details
Though undesired, the warning does not prevent updating or upgrading the system. You can ignore it without any ill effect and, for a day or two, that’s what I did. And if you stick to GUI update methods you won’t hear about the error at all.
But it’s annoying, and hey: the warning is showing for a reason. I’m not going to get into the reasons why apt-key add was deprecated here (there are some excellent explanations elsewhere on the web), but I am going to show you how to solve it.
Fix Apt-Key Deprecation Error
Fixing the apt-key deprecation error on Ubuntu can be done a number of ways.
Method 1: the sensible way
The recommended method from AskUbuntu is as follows. First, open a new Terminal window and then look inside your legacy apt-key file by running this command:
# apt-key list
Depending on your system you may see a couple of entries appear or a veritable avalanche. Scroll through the list carefully. Pay attention to how things are laid out. Find the section that mentions the package listed in the initial warning (if you see multiple warnings you will need to repeat these steps for each one in turn).
In my case I’m looking for the key related to TeamViewer, and it looks like this:
pub rsa4096 2020-01-29 [SC]
8CAE 012E BFAC 38B1 7A93 7CD8 C5E2 2450 0C12 89C0
uid [ unknown] TeamViewer Germany GmbH (TeamViewer Linux 2020) <support@teamviewer.com>
Copy the last 8 characters from the second line (in the example above this is 0C12 89C0) and convert it to a .gpg file using the command below. Remember to drop the space between the 8 characters and specify a gpg file name that is relevant to the package the key is for.
In my example I had to run:
# apt-key export 0C1289C0 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/teamviewer.gpg
Once you’ve constructed your command hit enter. …That’s all you need to do.
When you next run an apt update the deprecated key error will no longer appear for the repo you just applied (though if you have more than one repo affected, you’ll need to repeat the steps above for each one).
Find this method too involved?
Method 2: the quick way
The “recommended” way to fix apt-key deprecation errors on Ubuntu is the method detailed above. But there is a “quick and dirty” fix.
While the method below worked for me, I should stress that a) your mileage may vary and b) it’s not the smart way to solve this issue as, depending on the legacy keys on your system, it could compromise your system’s security.
If you’re happy to throw caution to the wind, open a new Terminal window and run:
cd /etc/apt
Followed by
# cp trusted.gpg trusted.gpg.d
Enter your password as prompted and hit enter to apply. When you next run apt update the error in question will no longer appear.
If you see the apt-key deprecated warning when running apt update on Ubuntu and want to fix it, you are in the right place. In this post I walk you (and myself) through the process.
After I had followed the steps to install TeamViewer on Ubuntu, I noticed the following error every time I run apt update:
W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details
Although the warning is undesirable, it does not prevent updating or upgrading the system. You can ignore it without any negative effects, and that is what I did. And if you stick to the graphical update methods, you will not notice the error at all.
But it is annoying, and hey: the warning is shown for a reason. I will not go into the reasons why apt-key add is deprecated here (there are some excellent explanations elsewhere on the web), but I will show you how to solve the problem.
Fix the apt-key deprecation error
Fixing the apt-key deprecation error on Ubuntu can be done in several ways.
Method 1: the sensible way
The method recommended by AskUbuntu is as follows. First open a new terminal window and then look inside your legacy apt-key file by running this command:
sudo apt-key list
Depending on your system you may see a few entries or a veritable avalanche. Scroll through the list carefully. Pay attention to how things are laid out. Find the section that mentions the package listed in the initial warning (if you see several warnings, you will need to repeat these steps for each one).
In my case I am looking for the key for TeamViewer, and it looks like this:
pub rsa4096 2020-01-29 [SC]
8CAE 012E BFAC 38B1 7A93 7CD8 C5E2 2450 0C12 89C0
uid [ unbekannt] TeamViewer Deutschland GmbH (TeamViewer Linux 2020) <support@teamviewer.com>
Copy the last 8 characters from the second line (in the example above this is 0C12 89C0) and convert them into a .gpg file with the following command. Remember to drop the space between the 8 characters and to specify a gpg file name that matches the package the key is for.
In my example I had to run the following:
sudo apt-key export 0C1289C0 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/teamviewer.gpg
Once you have constructed your command, press the Enter key. That is all you need to do.
The next time you run an apt update, the "deprecated key" error will no longer be shown for the repository you just applied this to (although if more than one repository is affected, you will need to repeat the steps above for each one).
Do you find this method too complicated?
Method 2: the quick way
The "recommended" way to fix apt-key deprecation errors on Ubuntu is the method described above. But there is also a "quick and dirty" solution.
Even though the method described below worked, I should stress that a) your experience may vary and b) it is not the smartest way to solve this problem because, depending on the legacy keys on your system, it could compromise the security of your system.
If you want to throw all caution to the wind, open a new terminal window and run:
cd /etc/apt
Followed by:
sudo cp trusted.gpg trusted.gpg.d
Enter your password when prompted and press the Enter key to complete the operation. The next time you run apt update, the error in question will no longer appear.
Solve: Legacy trusted.gpg keyring – ‘apt-key’ Deprecation on Ubuntu
Solve APT key warning on Ubuntu 22.04 or in other latest versions: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
If we want to install some software on Ubuntu Linux that is not present in the official repository, then we need to use the repository or binary of that tool. However, the repository method is preferable because of future updates. To add any third-party repository we also need to add a new GnuPG key / public key issued by the developers of the packages we want to install. It helps the system to confirm that the packages we are receiving are the same as those published by its developers. Otherwise, the system would not have a relationship of trust, and the installation of packages from untrusted sources would be rejected.
Earlier, for example up to Ubuntu 20.04, the public key was usually downloaded and passed directly to apt-key add. However, in later versions of Ubuntu such as 22.04 LTS, this method has been deprecated. Keys added using the old method in Debian 11 or Ubuntu 22.04 are only marked as deprecated and are therefore still available. But in the next major version of these operating systems, this will be removed as well.
So why is apt-key deprecated?
The reason why apt-key is deprecated is the way it handles keys. Earlier we used the apt-key command to add a new third-party key to a file called trusted.gpg, which also holds the keys of the default system repository. However, that is not an issue. Adding keys individually in the trusted.gpg.d directory under /etc/apt/ will, for now, remove the apt-key deprecated error, but from a security perspective both do the same thing: once keys are added either to trusted.gpg or under the trusted.gpg.d directory, APT considers them trusted and gives them the ability to replace any package of the system, which weakens the security of the system.
Hence, it would be better if a key is only accepted for the associated repository: a 1:1 relationship, instead of a general, unconditional relationship of trust. For this reason, apt-key has been marked as obsolete to switch to this new method. That is the reason why we are getting an APT-key deprecated warning.
Well, currently, to remove the warning we can simply save our keys in the trusted.gpg.d folder. However, we will also discuss the right way to convert and create a key to use.
How to Fix Warning: apt-key is deprecated in Ubuntu 22.04 Linux
#1st Method: Create a GnuPG file using the existing Key
Check APT-Key List
If, after adding some repository and its GnuPG key using the apt-key add method, you start getting a key deprecated warning, then first list the available keys on your terminal. For that use the given command:
# apt-key list
You will see a list of all added keys trusted on your system. Now, find the software repository key that is creating a problem. For example, here in our case, we have added a Pub key of the MySQL repository that started giving the warning.
Create a GnuPG key for trusted.gpg.d
Here in the screenshot, you can see that we have the Apt Key error for the MySQL added key. Hence, what we do is copy the last eight digits of the Pub key given for it.
Once we have copied that, use the following syntax to convert it into a GnuPG key and save it under the trusted.gpg.d folder:
sudo apt-key export paste-the-copied-digits | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/key-name.gpg
In the above syntax we replace “paste-the-copied-digits” with the last 8 digits we have copied, removing the space between them. Also replace “key-name” with whatever name you want to use to save the key in GnuPG format. After that hit the Enter key.
For example:
# apt-key export 3A798D29 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/mysql-key.gpg
Now, run the system update command…
# apt update
#2nd Method: Create a GnuPG key only accepted for the associated repository
Create a Keyrings folder
First of all, you need a folder: /etc/apt/trusted.gpg.d should not be used, but a separate folder. This is freely selectable; a useful path could be e.g. /usr/local/share/keyrings or the already available /usr/share/keyrings.
# mkdir /usr/local/share/keyrings
Next, we need the PGP public key that we want to add to our system for a particular repository. So, first download it as a file. Also, before going further, check whether the file really is a PGP key.
For example:
wget -q -O key.gpg link-to-key
Replace link-to-key with the actual URL to download the key you want to use with the repository.
To show you how, let’s download the key of Webmin to use it with its repository:
wget -q -O key.gpg http://www.webmin.com/jcameron-key.asc
Check whether the key is valid or not
file key.gpg
Output:
key.gpg: PGP public key block Public-Key (old)
Note: Don’t be confused by old, “PGP public key block Public-Key (old)” is fine.
Now we need to create a key ring that we can pass to APT
gpg --no-default-keyring --keyring ./tmp.gpg --import key.gpg
Export the created key:
gpg --no-default-keyring --keyring ./tmp.gpg --export --output webmin-key.gpg
Remove the temporary keys:
rm tmp.gpg key.gpg
webmin-key.gpg is the final key, which we need to move to the keyrings folder we have created or to trusted.gpg.d.
If you move the key to the trusted.gpg.d folder then you don’t need to point your repository manually to the key location. However, security-wise the problem will be the same: APT will trust this key for all packages.
Point the created key to use only for the added Repo
Hence, to solve this and let APT trust the created key only for packages coming from the single repository of Webmin, move it to the folder we have created:
# mv webmin-key.gpg /usr/local/share/keyrings
Go to the repository file for which you have added the GnuPG key and edit it. For example, here we are using the Webmin repo file, so we need to edit /etc/apt/sources.list.d/webmin.list. In the same way, you have to edit your own software repo file and point the repo URL to the created key.
Syntax:
deb [arch=amd64 signed-by=created-key-path] package-repository-url
Example:
deb [signed-by=/usr/local/share/keyrings/webmin-key.gpg] https://download.webmin.com/download/repository sarge contrib
Of course, this must be adjusted according to the architecture, the path you have chosen, and the package source URL.
Now you can update the package sources normally via sudo apt update so that apt can load the package index from the newly added repository. APT will trust the key for packages from the added repository, not for the whole system.
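To check the result of the steps above, the following added example (not part of the original article) reads one-line-style source entries and reports for each one whether its key is pinned with signed-by. The function names and the sample entries are constructed for illustration; SHARED marks a signed-by path under /etc/apt/trusted.gpg or trusted.gpg.d, where APT also accepts the key for every source that has no signed-by of its own.

```shell
#!/bin/sh
# Added example: audit one-line-style APT source entries for signed-by pinning.
# Function names and the sample data are illustrative, not from the article.

# audit_sources [FILE...]  (reads stdin when no file is given)
# Prints "<STATUS> <keyring|-> <uri>" for every active deb/deb-src entry:
#   PINNED  signed-by points to a keyring outside the global trust store
#   SHARED  signed-by points into /etc/apt/trusted.gpg or trusted.gpg.d, so
#           the key is still trusted for sources that have no signed-by
#   GLOBAL  no signed-by: any key in trusted.gpg / trusted.gpg.d is accepted
audit_sources() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }   # comments, blanks, other text
    {
        key = ""; uri = $2
        # Options, when present, form one [...] group right after the type.
        if ($2 ~ /^\[/ && match($0, /\[[^]]*\]/)) {
            opts = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(opts, o, " ")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^signed-by=/) key = substr(o[i], 11)
            split(substr($0, RSTART + RLENGTH), rest, " ")
            uri = rest[1]
        }
        if (key == "")                              status = "GLOBAL"
        else if (key ~ /^\/etc\/apt\/trusted\.gpg/) status = "SHARED"
        else                                        status = "PINNED"
        printf "%s %s %s\n", status, (key == "" ? "-" : key), uri
    }' "$@"
}

# Constructed sample entries (not copied from a real system).
sample_sources() {
    cat <<'EOF'
# third-party repositories
deb https://linux.teamviewer.com/deb stable main
deb [signed-by=/usr/local/share/keyrings/webmin-key.gpg] https://download.webmin.com/download/repository sarge contrib
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/mysql-key.gpg] https://repo.example.invalid/apt jammy main
# deb https://disabled.example.invalid/apt jammy main
EOF
}

# On a real system: audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
sample_sources | audit_sources
```

Entries reported as GLOBAL or SHARED are the ones whose keys still carry system-wide trust and are candidates for the signed-by treatment described in this method.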
3rd Method: Quick and Forceful Method
Although the methods given above are the recommended ones, if someone is still looking for a quick method, here is one. It is a forceful method because we are not converting keys but instead directly copying the legacy keys to the trusted folder. It may not be a wise idea, but if you are not finding any other quick way for your legacy key then here is the one to use:
cd /etc/apt
# cp trusted.gpg trusted.gpg.d