Although currently while adding the GPG key on Debian 11 you will get a “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))“, still we can use this method. However, there is a solution for this. And here in this article, we will see that.
OpenPGP is an open standard for a cryptographic system (encryption; digital signatures; web of trust), especially for use with e-mails. GnuPG ( Gnu Privacy Guard ) is free and open-source software (available for many operating systems) that implements the OpenPGP standard.
First method: Fix Apt-Key Deprecation Error
The Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)) appears when we use the traditional method of adding public on our system. To resolve this the first solution is to manually find the Key of the software you want to add from the legacy apt-key file and then add that to /trusted.gpg.d/ directory.
For example, here we have added MySQL repository to install Workbench and we got the error. So, to fix that, we first find the key added by it in our legacy key list. For that use the command:
sudo apt-key list
Here in the screenshot, you can see that we have the Apt Key error for the MySQL added key. Hence, what we do is copy the last eight digits of the Pub key given for it.
Once you have copied that, use the following syntax to convert it into a GPG key and save it under the Trusted.gpg.d folder:
sudo apt-key export past-the copied-digits| sudo gpg –dearmour -o /etc/apt/trusted.gpg.d/key-name.gpg
In the above syntax we replace the “past-the-copied-digits” with the last 8 digits we have copied while removing the space between them. And also replace “key-name” with whatever name you want to use to save the key in GPG format. After that hit the Enter Key.
For example:
sudo apt-key export 3A798D29 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/mysql-key.gpg
Now, run the system update command…
How to Safely Add GPG key in Debian 11 or Kali Linux
We generally use the common apt-key method to add OpenPGP Keys to authenticate the packages of some third-party repositories on Debian, Ubuntu, and other similar Linux operating systems such as Linux Mint, MX Linux, and more. However, if you are using Debian 11 and while adding the key you are getting a warning the “apt-key is deprecated” then it is due to security reasons.
It is because when we add an OpenPGP key signed for some APT repository on our system, it will be trusted by APT for other configured repos even if not signed by it. Hence for security reasons, the apt-key has been decrypted.
1st Method:
This one is the easiest method to add a GPG key securely on Debian 11, Kali Linux, or other similar distros.
1. Declare a Path and give some name to your GPG Key. For example, here we are adding a GPG key for Webmin.
KEYRING=/usr/share/keyrings/webmin.gpg
Just replace “webmin” with the repo name for which you are adding the key.
2. Download and write the key on the above declared Keypath.
curl -fsSL key-path-to-download | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
Example:
curl -fsSL http://www.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
If you don’t want to use CURL then can go for wget
wget --quiet -O - http://www.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other.
3. That’s it. List the value of your recently added key:
gpg --no-default-keyring --keyring "$KEYRING" --list-keys
Done!!
2nd Method:
Get the APT repository key
To add the Key first we need to download it from the website of the package you are installing. For example, here we are downloading the key file to add the Webmin repository on Debian, Kali, or any other Linux.
Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other. However, the steps given here will be the same.
Install wget if you already don’t have that.
sudo apt install wget
After that use it to download the key
wget link-to download-the-key
Example:
wget http://www.webmin.com/jcameron-key.asc
Check the key is Valid
Verify the type of file is PGP Key, use the following command:
file your-downloaded.key
The result should be PGP public key block Public-Key (old).
Create a keyring
Import your downloaded key and create a Keyring.
gpg --no-default-keyring --keyring ./your-repo-name_keyring.gpg --import downloaded-key
Replace the bold items in the above command syntax:
Example:
gpg --no-default-keyring --keyring ./webmin_keyring.gpg --import jcameron-key.asc
The output of the Example command:
gpg: keybox './web_keyring.gpg' created gpg: /home/h2s/.gnupg/trustdb.gpg: trustdb created gpg: key D97A3AE911F63C51: public key "Jamie Cameron <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1
Export the key
Export the Key created in the above step to make a valid key to transfer to /etc/apt/trusted.gpg.d/ or /usr/share/keyrings
gpg --no-default-keyring --keyring ./above-created-keyring.gpg --export > ./repo-name-archive-keyring.gpg
example:
gpg --no-default-keyring --keyring ./webmin_keyring.gpg --export > ./webmin-archive-keyring.gpg
Move the above-created key:
Example:
sudo mv ./webmin-archive-keyring.gpg /etc/apt/trusted.gpg.d/
Quick and Forceful Method
Although the methods given above are the recommended ones, however, still someone is looking for a quick method then here is the one. It is a forceful method because we are not converting keys but instead directly moving legacy keys to a trusted folder, it may be not a wise idea still if you are not finding any other way then here is the one to use:
cd /etc/apt
sudo cp trusted.gpg trusted.gpg.d
Heyan – really thank You for help, world will be excellent with people like You! all the best !