How to get rid of the "W: Key is stored in legacy trusted.gpg keyring" warning from apt-get update

25 October 2023 16:15

If third-party repositories have been added to the system, apt-get update may print, for each such repository, the warning "W: ... Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details". It is a warning, not an error: package updates still work, but the way the key is stored should be migrated.

Reason for this warning

Recent versions of Debian, Ubuntu and Linux Mint deprecate the apt-key program, which added every repository key to one shared keyring. It still works (hence "legacy"), but its use is not recommended and it is slated for removal. Instead of the old single keyring /etc/apt/trusted.gpg, each repository should get its own GPG keyring file in the directory /etc/apt/trusted.gpg.d/.

The security reason behind the change is that every key in trusted.gpg and in trusted.gpg.d is trusted for all repositories: a compromised or malicious third-party key could then sign packages for any source, including the distribution's own archive. Per-repository keyring files, and the signed-by option described further down, restrict a key to the one repository it was added for.

Solving the problem

  1. Note the repository name shown in the warning from apt-get update. In this case it is dl.winehq.org.

  2. Use the sudo apt-key list command to find the fingerprint of the repository's signing key:

    sudo apt-key list

You have to scan the output for the repository name by eye. Lines like the following appear:
------------------------------------------------
pub rsa3072 2018-12-10 [SC]
D43F 6401 4536 9C51 D786 DDEA 76F1 A20F F987 672F
uid [unknown] WineHQ packages wine-devel@winehq.org

  3. Take the short key ID: the last 8 hex digits of the full fingerprint.

From the fingerprint D43F 6401 4536 9C51 D786 DDEA 76F1 A20F F987 672F take the last 8 characters and remove the space: the result is F987672F. (apt-key export also accepts the full 40-digit fingerprint, which is unambiguous; 8-digit short IDs can collide.)

  4. Export the key into its own binary keyring file with a one-line command:

    sudo apt-key export F987672F | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/wine-hq.gpg

Here apt-key is used only to export the key with ID F987672F. apt-key export prints the key in ASCII-armored form, and gpg --dearmour converts it to the binary format apt expects. Make sure the resulting file is world-readable (chmod 644); apt reads keyrings as the unprivileged _apt user and ignores, with a warning, any file it cannot read. Once sudo apt update verifies the repository without complaint, remove the old copy from the legacy keyring with sudo apt-key del F987672F so that apt no longer finds the key there.

For other repositories, adjust the command accordingly: only the key ID being exported and the destination file name change.

For example, for the Yandex browser the key will be stored in the /etc/apt/trusted.gpg.d/ directory in the file yandex-browser.gpg:

sudo apt-key export 083A7A9A | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/yandex-browser.gpg
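The migration steps above, as an added example script that is not part of the original article: it parses apt-key list output to find the fingerprint of the key whose uid mentions the repository, derives the short ID the article uses, and moves the key into its own file under /etc/apt/trusted.gpg.d/ before deleting the legacy copy. The embedded SAMPLE_APT_KEY_LIST contains the WineHQ entry quoted above plus a constructed "Example Vendor" entry; migrate_key needs root and a real apt-key and is the one function the sample data does not exercise.

```shell
#!/bin/sh
# Added example, not code from the original article: move one repository
# key out of the legacy /etc/apt/trusted.gpg keyring into its own file.

# Sample `apt-key list` output. The WineHQ block is the one quoted in the
# article; the "Example Vendor" block is constructed for this example.
SAMPLE_APT_KEY_LIST='/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2012-05-11 [SC]
      1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid           [ unknown] Example Vendor <packages@example.invalid>

pub   rsa3072 2018-12-10 [SC]
      D43F 6401 4536 9C51 D786  DDEA 76F1 A20F F987 672F
uid           [ unknown] WineHQ packages <wine-devel@winehq.org>
'

# Print the 40-digit fingerprint (spaces removed) of the first key in the
# apt-key list text $1 whose uid line contains the string $2.
fingerprint_for_uid() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^pub /  { fpr = ""; next }
        fpr == "" && /^[[:space:]]+[0-9A-F][0-9A-F][0-9A-F][0-9A-F] / {
            gsub(/[[:space:]]/, ""); fpr = $0; next
        }
        /^uid / && fpr != "" && index($0, pat) > 0 { print fpr; exit }
    '
}

# The short key id used in the article: the last 8 hex digits of a
# fingerprint, with spaces removed.
short_key_id() {
    fpr=$(printf '%s' "$1" | tr -d ' ')
    printf '%s\n' "${fpr#"${fpr%????????}"}"
}

# Export the key whose uid matches $1 from the legacy keyring into
# /etc/apt/trusted.gpg.d/$2.gpg, check the new file, then delete the
# legacy copy. Needs root; the self-test does not call it.
# (Moving the file to /etc/apt/keyrings instead would also require a
# signed-by= option in the repository's sources entry.)
migrate_key() {
    out="/etc/apt/trusted.gpg.d/$2.gpg"
    fpr=$(fingerprint_for_uid "$(apt-key list 2>/dev/null)" "$1")
    if [ -z "$fpr" ]; then
        echo "no key with uid matching '$1' in apt-key list" >&2
        return 1
    fi
    # apt-key export prints ASCII armor; apt wants the binary form.
    apt-key export "$fpr" | gpg --dearmor --yes -o "$out"
    # apt reads keyrings as the unprivileged _apt user, so the file must
    # be world-readable or apt ignores it with a warning.
    chmod 0644 "$out"
    # Only drop the legacy copy once the new keyring really contains the key.
    gpg --no-default-keyring --keyring "$out" --list-keys "$fpr" >/dev/null 2>&1 \
        || { echo "export to $out failed, legacy key kept" >&2; return 1; }
    apt-key del "$fpr"
    echo "migrated $fpr to $out"
}
```

Usage on a real system: `sudo sh -c '. ./migrate.sh; migrate_key WineHQ wine-hq'`. The script exports by full fingerprint rather than by the 8-digit short ID so that two keys sharing a short ID cannot be confused, and it deletes the legacy copy only after confirming the key is present in the new file.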

How to avoid the warning recurring when adding third-party repositories

Avoid any use of sudo apt-key, for example:
sudo apt-key add keyfile.key
wget -qO- <URL> | sudo apt-key add -
curl -sS <URL>.gpg | sudo apt-key add -
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 00000000

All of these put the key into the shared trusted.gpg keyring. The whole apt-key command is deprecated, as its man page states; apt-key adv and apt-key add are no exception.

The correct (new) way to add a repository key, using the WineHQ repository as an example:

If the key is published on the vendor's web server:

wget  -qO- https://dl.winehq.org/wine-builds/winehq.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/winehq.gpg  > /dev/null

If the public key is published on the keyserver keyserver.ubuntu.com:

The first command imports the key into the local GPG database of the current user:

gpg --keyserver keyserver.ubuntu.com --recv E084DAB9

The second command exports the key and writes it to the new keyring file some.gpg:

gpg --export E084DAB9  | sudo tee /etc/apt/trusted.gpg.d/some.gpg  > /dev/null

where E084DAB9 is the short key ID (the last 8 hex digits of the fingerprint) and some.gpg is a keyring file name of your choosing. When fetching from a keyserver, prefer the full fingerprint over a short ID: anyone can upload a key to keyserver.ubuntu.com and short IDs can be forged by collision, so compare the fingerprint gpg reports with the one published in the repository's documentation before trusting the key.

Check that gpg generated the correct file:

file /etc/apt/trusted.gpg.d/some.gpg

The output should show that we have a file in the OpenPGP binary certificate format:

/etc/apt/trusted.gpg.d/some.gpg: OpenPGP Public Key Version 4, Created Mon Dec 10 16:56:24 2018, RSA (Encrypt or Sign, 3072 bits); User ID; Signature; OpenPGP Certificate

After importing the key, add the repository with apt-add-repository as usual and install the program, for example (replace jammy with the codename of your release):
sudo apt-add-repository 'deb https://dl.winehq.org/wine-builds/ubuntu/ jammy main'
sudo apt update
sudo apt install wine

The better way to solve the problem (taken from the OpenVPN installation instructions)

Download the repo-public.gpg key from the vendor's site and store it as the keyring /usr/share/keyrings/openvpn-public.gpg:

curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg --dearmor -o /usr/share/keyrings/openvpn-public.gpg

In this method curl is used instead of wget, the -o option of gpg instead of tee, and the keyring is placed in /usr/share/keyrings/ instead of /etc/apt/trusted.gpg.d/. The last difference matters: a file in /usr/share/keyrings is not trusted by apt on its own; it only applies to repositories whose entries name it with signed-by.

In the source-list file for the third-party repository (here for Ubuntu 22.04 "Jammy") we specify the imported keyring with which the repository's Release files must be signed:

echo "deb [arch=amd64 signed-by=/usr/share/keyrings/openvpn-public.gpg] https://build.openvpn.net/debian/openvpn/stable jammy main" | sudo tee /etc/apt/sources.list.d/openvpn-repo.list > /dev/null

Note that the form sudo echo "..." > /etc/apt/sources.list.d/openvpn-repo.list does not work: the redirection is performed by your unprivileged shell, not by sudo, so the write fails with "Permission denied".

Here the entry in sources.list.d carries the option [arch=amd64 signed-by=/usr/share/keyrings/openvpn-public.gpg], which ties the repository to that keyring: apt accepts only signatures from keys in that file for this repository, and those keys are not used for any other source.
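An added example script, not from the article or from OpenVPN's documentation, that does what this section describes and adds the checks a practitioner wants: it builds a signed-by entry, verifies that a keyring file is binary OpenPGP rather than armored text (a wrong-format file is the most common reason a signed-by repository fails to verify), and lists entries in sources text that still rely on the globally trusted keyrings. The SAMPLE_SOURCES lines are constructed; add_repo needs root and network access and is not exercised by the self-test. It stores the keyring in /etc/apt/keyrings, the administrator-managed location named in sources.list(5), rather than in /usr/share/keyrings.

```shell
#!/bin/sh
# Added example, not code from the original article: add a third-party
# repository whose key is scoped to it with signed-by, and audit entries
# that are still verified against every key in trusted.gpg(.d).

# Constructed sources.list content for the audit function.
SAMPLE_SOURCES='deb https://dl.winehq.org/wine-builds/ubuntu/ jammy main
# deb [signed-by=/etc/apt/keyrings/old.gpg] https://example.invalid/apt jammy main
deb [arch=amd64 signed-by=/usr/share/keyrings/openvpn-public.gpg] https://build.openvpn.net/debian/openvpn/stable jammy main
deb-src https://example.invalid/apt jammy main'

# Build a one-line sources entry that binds the repository to one keyring.
# Arguments: url suite components keyring [arch]
sources_entry() {
    url=$1; suite=$2; components=$3; keyring=$4; arch=${5:-amd64}
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' \
        "$arch" "$keyring" "$url" "$suite" "$components"
}

# Return 0 if $1 starts with an OpenPGP public-key packet header, i.e. is
# a binary keyring and not an armored "-----BEGIN PGP..." text file.
# Old-format tag-6 headers are 0x98/0x99/0x9a; the new-format header is 0xc6.
is_binary_keyring() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        98|99|9a|c6) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the deb/deb-src entries in the sources text $1 that carry no
# signed-by option and are therefore trusted against every key in
# /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/. Comments are skipped.
unscoped_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*deb(-src)?[[:space:]]/ && $0 !~ /signed-by=/ { print }
    '
}

# Fetch a vendor key, store it as a binary keyring under /etc/apt/keyrings,
# verify the format, and write a signed-by entry. Needs root; the self-test
# does not call it. Arguments: name key_url repo_url suite components
add_repo() {
    name=$1; key_url=$2; repo_url=$3; suite=$4; components=$5
    keyring="/etc/apt/keyrings/$name.gpg"
    install -d -m 0755 /etc/apt/keyrings
    curl -fsSL "$key_url" | gpg --dearmor --yes -o "$keyring"
    chmod 0644 "$keyring"          # must be readable by the _apt user
    is_binary_keyring "$keyring" || {
        echo "$keyring is not a binary OpenPGP keyring" >&2
        return 1
    }
    sources_entry "$repo_url" "$suite" "$components" "$keyring" \
        > "/etc/apt/sources.list.d/$name.list"
}
```

Typical use on a real system would be `sudo sh -c '. ./repo.sh; add_repo openvpn https://swupdate.openvpn.net/repos/repo-public.gpg https://build.openvpn.net/debian/openvpn/stable jammy main'`, followed by `unscoped_entries "$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list)"` to see which of your existing third-party entries still have no signed-by and should be converted.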

Which directory is best for storing gpg keys?

(Addendum dated November 24, 2023)

Where is the correct place to store keys: in /etc/apt/trusted.gpg.d/ or in /usr/share/keyrings?

The sources.list man page answers this question as follows:

"The recommended locations for storing keys are /usr/share/keyrings for package-managed keyrings, and /etc/apt/keyrings for sysop-managed keyrings. If keyring files are not specified, the default is the trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory (...)"

So the man page does give guidance, and it is tied to the signed-by option: keyrings shipped by a package belong in /usr/share/keyrings, keyrings that the administrator adds by hand belong in /etc/apt/keyrings (create it with sudo mkdir -p -m 0755 /etc/apt/keyrings if your release does not ship the directory), and in both cases the repository entry should name the file with signed-by. Files in /etc/apt/trusted.gpg.d/ are the fallback used when no keyring is specified: they still work, but every key placed there is trusted for all repositories. The directory ~/.local/share/keyrings is not a location for apt at all: it belongs to the desktop keyring daemon, which stores the user's own passwords and secrets there, and apt, which runs as root, never reads it. Apt keyrings contain only public keys, so there is nothing private in them to protect; to keep them across a reinstall, back up /etc/apt/keyrings together with /etc/apt/sources.list.d.

