apt-key deprecation warning when updating system: “Key is stored in legacy trusted.gpg keyring”

apt-key deprecation warning when updating system: “Key is stored in legacy trusted.gpg keyring”

Posted on Latest In Blogs

Addressing the apt-key Deprecation Warning: “Key is stored in legacy trusted.gpg keyring”

If you encounter the apt-key deprecation warning when updating your system, follow these steps to resolve it.

1. Open Terminal

If your terminal isn’t already open, launch it now.

2. List Existing Keys

To view the current keys stored in your system, run:

bash
sudo apt-key list

You’ll likely see a warning message similar to this:

vbnet
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Your list might look something like this:

sql
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-05-08 [SCEA]
1EDD E2CD FC02 5D17 F6DA 9EC0 ADAE 6AD2 8A8F 901A
uid [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>
sub rsa4096 2017-05-08 [S]

pub rsa2048 2015-10-28 [SC]
BC52 8686 B50D 79E3 39D3 721C EB3E 94AD BE12 29CF
uid [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>

3. Export the Key

Identify the key you want to export. Use the last 8 characters of the pub code. For example, to export the Microsoft key:

bash
sudo apt-key export BE1229CF | sudo gpg --dearmor -o /usr/share/keyrings/microsoft.gpg

Note: Replace BE1229CF with the relevant value from your list.

4. Update the Apt Source File

Next, modify the apt source file corresponding to the repository. Add a signed-by tag pointing to the newly created keyring file. For example, in the Microsoft Edge repository file (/etc/apt/sources.list.d/microsoft.list), update the entry:

bash
deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge/ stable main

5. Update Apt and Confirm

Run an update to ensure the warning has been resolved:

bash
sudo apt update

You should no longer see the deprecation warning for the updated key. However, if there are still warnings for other keys, follow the same process for each one.

6. Remove the Original Key

Finally, remove the old key from the legacy keyring to clean up your system:

bash
sudo apt-key del BE1229CF

Note: Replace BE1229CF with the key you exported.

This guide helps ensure your system’s key management aligns with updated security practices.