Debian 11 or Kali Linux ‘apt-key is deprecated’ Warning, here is the solution

Although currently while adding the GPG key on Debian 11 you will get a “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))“, still we can use this method. However, there is a solution for this. And here in this article, we will see that.

OpenPGP is an open standard for a cryptographic system (encryption; digital signatures; web of trust), especially for use with e-mails. GnuPG ( Gnu Privacy Guard ) is free and open-source software (available for many operating systems) that implements the OpenPGP standard.

How to Safely Add GPG key in Debian 11 or Kali Linux

We generally use the common apt-key method to add OpenPGP Keys to authenticate the packages of some third-party repositories on Debian, Ubuntu, and other similar Linux operating systems such as Linux Mint, MX Linux, and more. However, if you are using Debian 11 and while adding the key you are getting a warning the “apt-key is deprecated” then it is due to security reasons.

It is because when we add OpenPGP key signed for some APT repository on our system, it will be trusted by APT for other configured repos even not signed by it. Hence for security reasons, the apt-key has been decrypted.

1st Method:

This one is the easiest method to add GPG key securely on Debian 11, Kali Linux, or other similar distros.

1. Declare a Path and give some name to your GPG Key. For example, here we are adding a GPG key for Webmin.

KEYRING=/usr/share/keyrings/webmin.gpg

Just replace “webmin” with the repo name for which you are adding the key.

 

2. Download and write the key on the above declared Key path.

curl -fsSL key-path-to-download | gpg --dearmor | sudo tee "$KEYRING" >/dev/null

Example:

curl -fsSL http://www.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee "$KEYRING" >/dev/null

If you don’t want to use CURL then can go for wget

wget --quiet -O -  http://www.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee "$KEYRING" >/dev/null

Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other.

 

3. That’s it. List the value of your recently added key:

gpg --no-default-keyring --keyring "$KEYRING" --list-keys

Done!!

apt key is deprecated

 

2nd Method:

Get the APT repository key

To add the Key first we need to download it from the website of the package you are installing. For example, here we are downloading the key file to add Webmin repository on Debian, Kali, or any other Linux.

Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other. However, the steps are given here will be the same.

Install wget if you already don’t have that.

sudo apt install wget

After that use it to download the key

wget link-to download-the-key

Example:

wget http://www.webmin.com/jcameron-key.asc

 

Check the key is Valid

Verify the type of file is PGP Key, use the following command:

file your-downloaded.key

The result should be PGP public key block Public-Key (old).

Check the OpenPGP key Data is Valid

 

Create a keyring

Import your downloaded key and create a Keyring.

gpg --no-default-keyring --keyring ./your-repo-name_keyring.gpg --import downloaded-key

Replace the bold items in the above command syntax:

Example:

gpg --no-default-keyring --keyring ./webmin_keyring.gpg --import jcameron-key.asc

The output of the Example command:

gpg: keybox './web_keyring.gpg' created
gpg: /home/h2s/.gnupg/trustdb.gpg: trustdb created
gpg: key D97A3AE911F63C51: public key "Jamie Cameron <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1

 

Export the key 

Export the Key created in the above step to make a valid key to transfer to /etc/apt/trusted.gpg.d/ or /usr/share/keyrings

gpg --no-default-keyring --keyring ./above-created-keyring.gpg --export > ./repo-name-archive-keyring.gpg

example:

gpg --no-default-keyring --keyring ./webmin_keyring.gpg --export > ./webmin-archive-keyring.gpg

Move the above-created key:

Example:

sudo mv ./webmin-archive-keyring.gpg /etc/apt/trusted.gpg.d/

 

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.