How do I add repo gpg keys as apt-key is deprecated?
After one of my recent updates, I noticed that my 3rd party repos were failing to update due to the NO_PUBKEY error from apt. I looked for hours to find a fix, but all fixes suggest using apt-key. However, that no longer works because it has been deprecated. So I manually copied one repo's keys from /usr/share/keyrings to /etc/apt/trusted.gpg.d as a test and that seems to work. Now everything works for that app.
My question is: is there a new function to download keys from a keyserver instead of the apt-key function? Most sites have not realized this change and offer the apt-key command for their repo keys and that just returns errors now. And how do I update my current third party repo keys, as only they have the problem? Should I manually cp the keys as I mentioned above, or is there a more efficient solution?
EDIT: I am on 20.10. Apt-key works for 20.04 but not after that.
$ sudo apt update
Err:9 http://repo.vivaldi.com/stable/deb stable Release.gpg
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.vivaldi.com/stable/deb stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Failed to fetch http://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Some index files failed to download. They have been ignored, or old ones used instead.
apt-key never downloaded keys by itself. apt-key adv passed on options to gpg, and gpg did the actual downloading (apt-key is a complicated shell script that itself creates temporary scripts to run gpg). You can still use gpg to import keys, e.g. instead of apt-key adv --recv-keys, you'd do something like:
sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/foo.gpg --recv-keys 9658E8044A3AA3D6
Or instead of wget ... | apt-key add - :
wget -qO - https://example.com/somekey.gpg |
sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/example.gpg --import -
Notes:
- GnuPG will create trust stores in root's home directory. Use --homedir with some other path if you want to avoid that.
- GnuPG creates keyrings in the new keybox format by default, and these don't work with apt, but using the gnupg-ring: prefix makes it use the old format for some reason.
If your software already had keyrings installed in /usr/share/keyrings, then presumably their sources.list entries should have had something like [signed-by=/usr/share/keyrings/foo.gpg] (cf. the Debian Wiki).
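As an added illustration (not part of the answer above, and not an apt or gpg API): a small Python helper that pulls the NO_PUBKEY key IDs out of apt's output, then builds the per-repository gpg import command and a [signed-by=...] sources entry in the style the answer recommends. The keyring file name, the keyserver, the --homedir location and the "main" component are assumptions; the sample apt output is the one quoted in the question.

```python
import re

# Constructed sample: the apt warnings quoted in the question above.
APT_OUTPUT = """\
Err:9 http://repo.vivaldi.com/stable/deb stable Release.gpg
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.vivaldi.com/stable/deb stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Failed to fetch http://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
"""

ERR_RE = re.compile(r"^Err:\d+\s+(\S+)\s+(\S+)\s+Release\.gpg")
KEY_RE = re.compile(r"NO_PUBKEY\s+([0-9A-Fa-f]{8,40})")


def missing_keys(apt_output):
    """Map each (repo URL, suite) apt complained about to the set of missing key IDs."""
    result = {}
    current = None
    for line in apt_output.splitlines():
        err = ERR_RE.match(line)
        if err:  # "Err:N <url> <suite> Release.gpg" opens a new repository context
            current = (err.group(1), err.group(2))
            result.setdefault(current, set())
            continue
        key = KEY_RE.search(line)
        if key and current is not None:
            result[current].add(key.group(1).upper())
    return result


def fix_commands(repo_url, suite, key_id, name, keyserver="keyserver.ubuntu.com",
                 component="main", homedir="/root/.gnupg-apt"):
    """Return the gpg import command and a signed-by sources line for one repository.

    The keyring goes to /usr/share/keyrings (assumed name), so the key is trusted for
    this repository only, rather than for every repository as /etc/apt/trusted.gpg.d does.
    gnupg-ring: forces the old keyring format that apt can read; --homedir keeps gpg's
    trustdb out of root's real home directory (both points from the answer above).
    The key ID from apt's output identifies what is missing; the full fingerprint should
    still be checked against what the vendor publishes before the key is installed.
    """
    keyring = f"/usr/share/keyrings/{name}-archive-keyring.gpg"
    gpg_cmd = (f"sudo gpg --homedir {homedir} --no-default-keyring "
               f"--keyring gnupg-ring:{keyring} --keyserver {keyserver} --recv-keys {key_id}")
    sources_line = f"deb [signed-by={keyring}] {repo_url} {suite} {component}"
    return [gpg_cmd, sources_line]


if __name__ == "__main__":
    for (url, suite), ids in missing_keys(APT_OUTPUT).items():
        for key_id in sorted(ids):
            print("\n".join(fix_commands(url, suite, key_id, "vivaldi")))
```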