Thomas Weigold

Homepage & Blog out of the life of a computer scientist

Debian Bookworm New Advanced Package Tool (APT) GPG-Keys Handling

October 15, 2023

More than two months ago, Debian released a new version of its well-known OS. Since that release, many people have told me that they get warnings during the package update process when using “apt” (Advanced Package Tool).

The warning is a deprecation notice for the old GPG key storage location. That location is a system-wide file or folder (/etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/), and every key stored there is trusted for all configured APT archive servers, not just the one it was added for. This can become dangerous: if one of those trusted signing keys is lost (leaks), packages signed with it and uploaded to any archive server the system uses would be accepted as genuine.

To deal with this issue, a new key handling strategy has been introduced: GPG public key files are stored in a new folder, “/etc/apt/keyrings/”, and each custom source file references its own key with the “signed-by” option, e.g.:

$ cat /etc/apt/sources.list.d/rspamd.list

deb [signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ bookworm main

Excerpt from the man page (man 8 apt-key):

Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not managed by packages. When using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also be used to include the full ASCII armored keyring directly in the sources.list without an additional file.

To make the migration to the new key format easier, a command like the following can be used (here for the Docker repository key):

wget -O- https://download.docker.com/linux/debian/gpg | gpg --dearmor | tee /etc/apt/keyrings/docker.gpg > /dev/null

Don’t forget to validate the remote system you download the key from, so that the key is not a fake one :D
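As an added example that is not part of the original post, here is a small POSIX sh audit that reports source entries still relying on the system-wide keyring, for both one-line and deb822-style definitions; the sample source files it builds are constructed, and the function names and the example.invalid hosts are assumptions.

```shell
# Audit APT source definitions for entries that still rely on the system-wide
# trusted.gpg keyring instead of a per-repository key pinned with signed-by.
# Added example, not from the original post; needs POSIX sh, grep, awk, mktemp.

# Print every active one-line entry (deb / deb-src) in $1/*.list whose option
# bracket has no signed-by=...; such entries accept any system-wide trusted key.
unpinned_list_entries() {
    grep -EH '^[[:space:]]*deb(-src)?[[:space:]]' "$1"/*.list 2>/dev/null \
        | grep -Ev '\[[^]]*signed-by=' || true
}

# Same check for deb822-style $1/*.sources: RS="" makes awk read one blank-line
# separated stanza per record; report stanzas with Types: but no Signed-By:.
unpinned_deb822_stanzas() {
    awk -v RS= '/(^|\n)Types:/ && !/(^|\n)Signed-By:/ {
        print FILENAME ": stanza " FNR " has no Signed-By" }' "$1"/*.sources 2>/dev/null || true
}

# Build a scratch directory with constructed sample definitions (hosts are
# placeholders): one pinned .list, one legacy .list, one pinned + one unpinned stanza.
make_sample_sources_dir() {
    d=$(mktemp -d)
    cat > "$d/rspamd.list" <<'EOF'
deb [signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ bookworm main
EOF
    cat > "$d/legacy.list" <<'EOF'
deb [arch=amd64] http://legacy.example.invalid/debian bookworm main
EOF
    cat > "$d/vendor.sources" <<'EOF'
Types: deb
URIs: http://pinned.example.invalid/debian
Suites: bookworm
Components: main
Signed-By: /etc/apt/keyrings/pinned.gpg

Types: deb
URIs: http://unpinned.example.invalid/debian
Suites: bookworm
Components: main
EOF
    printf '%s\n' "$d"
}

# Run both checks on a directory; print findings and return 1 if any exist.
audit_apt_sources() {
    findings=$(unpinned_list_entries "$1"; unpinned_deb822_stanzas "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_apt_sources /etc/apt/sources.list.d` to list the entries that still need a signed-by key.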