apt-key is Deprecated: Modern Methods for Securely Managing APT Repository Keys

Nov 23, 2025 · Programming

Keywords: apt-key | APT repository | key management | security | Debian | Ubuntu

Abstract: This article explores the deprecation of the apt-key command and its security risks, detailing the correct approach of storing keys in /etc/apt/keyrings/ and associating them with repositories via the signed-by option. It provides step-by-step instructions for configuring third-party repositories using both the traditional one-line format and the emerging DEB822 format, covering key download, format conversion, and permission settings. The article also compares the two methods and offers practical advice for migrating old keys and setting file permissions, ensuring secure and efficient APT source management.

Background and Security Risks of apt-key Deprecation

In Debian 11 and Ubuntu 22.04, the apt-key command has been marked as deprecated, meaning it will not be supported in future releases. The primary reason for this deprecation is security: when using apt-key add to add an OpenPGP key to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/, the key is unconditionally trusted for all repositories on the system that do not specify a signed-by option, including official repositories. This design allows any third-party repository to replace any package on the system, posing a significant security risk.

For example, if a user follows an old guide to add the Elasticsearch repository key with:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

the system returns a warning: Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead. Although the installation might proceed without issues, continued use of this insecure method increases the risk of system compromise.

Recommended Secure Alternative

The correct approach involves storing keys in a dedicated directory and explicitly specifying the key path in the repository configuration using the signed-by option. Here are the detailed steps:

  1. Create the Key Storage Directory
    First, ensure the /etc/apt/keyrings/ directory exists with appropriate permissions. This step may not be necessary in Debian 12 and Ubuntu 22.04 or later, but it is recommended for compatibility:
    sudo mkdir -m 0755 -p /etc/apt/keyrings/
    Using mkdir -m 0755 sets the directory permissions to 755 (read, write, and execute for the owner; read and execute for everyone else) regardless of the current umask, so a restrictive umask cannot leave the directory unreadable to other users.
  2. Download and Convert the Key
    Use curl or wget to download the key and convert it from ASCII-armored (Base64-encoded) text to the binary OpenPGP format with gpg --dearmor, which older apt versions require. For example, for a sample key:
    curl -fsSL https://example.com/EXAMPLE.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/EXAMPLE.gpg
    Command options explained: -f makes curl fail on HTTP errors instead of saving an error page, -s suppresses the progress output, -S still shows errors, and -L follows redirects; --dearmor performs the format conversion; -o specifies the output file. After the download, run file /etc/apt/keyrings/EXAMPLE.gpg and confirm it is recognized as a binary PGP key rather than ASCII-armored text.
  3. Configure the Repository Source
    Create a repository configuration file in /etc/apt/sources.list.d/ using the signed-by option to reference the key. For example, create /etc/apt/sources.list.d/EXAMPLE.list:
    deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main
    If the repository requires specifying architecture or multiple components, expand it to:
    deb [arch=amd64 signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main contrib
    Use the tee command to write to the file:
    echo "deb [signed-by=/etc/apt/keyrings/EXAMPLE.gpg] https://example.com/apt stable main" | sudo tee /etc/apt/sources.list.d/EXAMPLE.list > /dev/null
  4. Optional Steps: Remove Old Keys and Set Permissions
    If keys were previously added with apt-key, remove them to eliminate security risks. First, list all keys:
    sudo apt-key list
    Then delete a specific key using its email or fingerprint:
    sudo apt-key del support@example.com
    Additionally, if the system has custom umask or ACL settings, explicitly set file permissions:
    sudo chmod 644 /etc/apt/keyrings/EXAMPLE.gpg
    sudo chmod 644 /etc/apt/sources.list.d/EXAMPLE.list
    Permissions 644 make the files readable by everyone but writable only by the owner.

Modern Approach Using the DEB822 Format

DEB822 is a multi-line format available in apt since 2015, planned to become the default in Debian and Ubuntu. It is easier to read and parse, and supports embedding public keys directly in the source file.

For example, convert the one-line format to DEB822 by creating /etc/apt/sources.list.d/example.sources:

Types: deb
URIs: https://example.com/apt
Suites: stable
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 mI0EZWiPbwEEANPyu6pUQEydxvf2uIsuuYOernFUsQdd8GjPE5yjlxP6pNhVlqNo
 0fjB6yk91pWsoALOLM+QoBp1guC9IL2iZe0k7ENJp6o7q4ahCjJ7V/kO89mCAQ09
 yHGNHRBfbCo++bcdjOwkeITj/1KjYAfQnzH5VbfmgPfdWF4KqS/TmJP9ABEBAAG0
 G0phbmUgRG9lIDxqYW5lQGV4YW1wbGUub3JnPojMBBMBCgA2FiEEK8v49DttJG7D
 35BwcvTpbeNfCTgFAmVoj28CGwMECwkIBwQVCgkIBRYCAwEAAh4BAheAAAoJEHL0
 6W3jXwk4YLID/0arCzBy9utS8Q8g6FDtWyJVyifIvdloCvI7hqH51ZJ+Zb7ZLwwY
 /p08+Xnp4Ia0iliwqSHlD7j6M8eBy/JJORdypRKqRIbe0JQMBEcAOHbu2UCUR1jp
 jJTUnMHI0QHWQEeEkzH25og6ii8urtVGv1R2af3Bxi9k4DJwzzXc5Zch
 =8hwj
 -----END PGP PUBLIC KEY BLOCK-----

Key points: each line of the key block must be indented by at least one space, and each empty line is replaced with an indented "." (otherwise the blank line would end the stanza). This can be automated with a script, provided the downloaded key is ASCII-armored text rather than a binary keyring:

echo "Types: deb
URIs: https://example.com/apt
Suites: stable
Components: main
Signed-By:
$(wget -O- https://example.com/EXAMPLE.gpg | sed -e 's/^$/./' -e 's/^/ /')" | sudo tee /etc/apt/sources.list.d/EXAMPLE.sources > /dev/null

Note: DEB822 format may not be fully supported in older systems like Debian 10 and Ubuntu 20.04; it is recommended for Debian 11 and Ubuntu 22.04 or later.
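As an added example (not from the article), a small Python helper that converts a one-line entry into a DEB822 stanza, refusing entries without signed-by as the previous section requires and applying the indent and "." rules above when embedding an armored key. The regex, function names and the SAMPLE_ARMOR placeholder are my own constructions.

```python
import re

# One-line entry: "deb [opt=val ...] URI suite component..." (options are optional).
ONE_LINE = re.compile(
    r"^(?P<type>deb(?:-src)?)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s+(?P<comps>.+?)\s*$")

def parse_one_line(entry):
    """Split a one-line sources.list entry into its fields; options become a dict."""
    m = ONE_LINE.match(entry.strip())
    if not m:
        raise ValueError("not a one-line APT source: %r" % entry)
    opts = dict(item.partition("=")[::2] for item in (m.group("opts") or "").split())
    return {"type": m.group("type"), "uri": m.group("uri"), "suite": m.group("suite"),
            "components": m.group("comps").split(), "options": opts}

def embed_armored_key(armored):
    """DEB822 continuation rules: indent every key line by one space and replace
    an empty line with an indented '.', otherwise the blank line ends the stanza."""
    lines = armored.strip("\n").split("\n")
    return "\n".join(" " + (line if line.strip() else ".") for line in lines)

def to_deb822(entry, armored_key=None):
    """Convert a one-line entry to a DEB822 stanza. Entries without signed-by are
    refused: they would be trusted via every key in trusted.gpg.d."""
    src = parse_one_line(entry)
    key_path = src["options"].get("signed-by")
    if not key_path:
        raise ValueError("entry lacks signed-by; refusing to convert")
    fields = [("Types", src["type"]), ("URIs", src["uri"]), ("Suites", src["suite"]),
              ("Components", " ".join(src["components"]))]
    if "arch" in src["options"]:  # one-line uses commas, DEB822 uses spaces
        fields.append(("Architectures", src["options"]["arch"].replace(",", " ")))
    stanza = "\n".join("%s: %s" % field for field in fields)
    if armored_key is None:  # keep referencing the keyring file by path
        return stanza + "\nSigned-By: %s\n" % key_path
    return stanza + "\nSigned-By:\n" + embed_armored_key(armored_key) + "\n"

# Constructed stand-in for an ASCII-armored key (placeholder body, not a real key).
SAMPLE_ARMOR = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBPLACEHOLDERKEYDATAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
"""

if __name__ == "__main__":
    print(to_deb822("deb [arch=amd64 signed-by=/etc/apt/keyrings/EXAMPLE.gpg] "
                    "https://example.com/apt stable main", SAMPLE_ARMOR))
```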

Summary and Best Practices

Migrating from apt-key to modern methods enhances security and simplifies repository management. Core recommendations include: always use the signed-by option to associate keys with repositories, prefer the DEB822 format for better readability and functionality, and regularly review and remove unused old keys. By following these steps, users can ensure their APT system is both secure and efficient.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.