Although currently while adding the GPG key on Debian 11 you will get a “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))“, still we can use this method. However, there is a solution for this. And here in this article, we will see that.
OpenPGP is an open standard for a cryptographic system (encryption; digital signatures; web of trust), especially for use with e-mails. GnuPG ( Gnu Privacy Guard ) is free and open-source software (available for many operating systems) that implements the OpenPGP standard.
Contents
How to Safely Add GPG key in Debian 11 or Kali Linux
We generally use the common apt-key method to add OpenPGP Keys to authenticate the packages of some third-party repositories on Debian, Ubuntu, and other similar Linux operating systems such as Linux Mint, MX Linux, and more. However, if you are using Debian 11 and while adding the key you are getting a warning the “apt-key is deprecated” then it is due to security reasons.
It is because when we add OpenPGP key signed for some APT repository on our system, it will be trusted by APT for other configured repos even not signed by it. Hence for security reasons, the apt-key has been decrypted.
1st Method:
This one is the easiest method to add GPG key securely on Debian 11, Kali Linux, or other similar distros.
1. Declare a Path and give some name to your GPG Key. For example, here we are adding a GPG key for Webmin.
KEYRING=/usr/share/keyrings/webmin.gpg
Just replace “webmin” with the repo name for which you are adding the key.
2. Download and write the key on the above declared Key path.
curl -fsSL key-path-to-download | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
Example:
curl -fsSL http://www.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
If you don’t want to use CURL then can go for wget
wget --quiet -O - http://www.webmin.com/jcameron-key.asc | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other.
3. That’s it. List the value of your recently added key:
gpg --no-default-keyring --keyring "$KEYRING" --list-keys
Done!!
2nd Method:
Get the APT repository key
To add the Key first we need to download it from the website of the package you are installing. For example, here we are downloading the key file to add Webmin repository on Debian, Kali, or any other Linux.
Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other. However, the steps are given here will be the same.
Install wget if you already don’t have that.
sudo apt install wget
After that use it to download the key
wget link-to download-the-key
Example:
wget http://www.webmin.com/jcameron-key.asc
Check the key is Valid
Verify the type of file is PGP Key, use the following command:
file your-downloaded.key
The result should be PGP public key block Public-Key (old).
Create a keyring
Import your downloaded key and create a Keyring.
gpg --no-default-keyring --keyring ./your-repo-name_keyring.gpg --import downloaded-key
Replace the bold items in the above command syntax:
Example:
gpg --no-default-keyring --keyring ./webmin_keyring.gpg --import jcameron-key.asc
The output of the Example command:
gpg: keybox './web_keyring.gpg' created gpg: /home/h2s/.gnupg/trustdb.gpg: trustdb created gpg: key D97A3AE911F63C51: public key "Jamie Cameron <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1
Export the key
Export the Key created in the above step to make a valid key to transfer to /etc/apt/trusted.gpg.d/ or /usr/share/keyrings
gpg --no-default-keyring --keyring ./above-created-keyring.gpg --export > ./repo-name-archive-keyring.gpg
example:
gpg --no-default-keyring --keyring ./webmin_keyring.gpg --export > ./webmin-archive-keyring.gpg
Move the above-created key:
Example:
sudo mv ./webmin-archive-keyring.gpg /etc/apt/trusted.gpg.d/
