Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0
votes
0
answers
26
views
How does apt repository key pinning improve security?
Keys for apt repositories should nowadays be pinned to specific repositories by using `signed-by` (ideally in deb822 format) under the guise of improved security.
And `apt-key` has been removed because it does not support managing keys in individual files.
I wonder how big the effect of this improvement ultimately is - given the following scenario:
1. An attacker gains control of one of the configured repositories
2. He adds a malicious version of e.g. `base-files` or another essential package with a backdoor and a higher version than in the installed base OS version.
3. On all machines that have this repository configured, the next `apt update; apt upgrade` will happily install this package over the official system packages without hesitation or warning.
So key pinning does not achieve much here – aside from providing some means for better hygiene in apt key management.
On the other hand it looks very legit and feels rather secure (which is bad if it actually isn't).
Is this observation correct?
Or am I fundamentally missing the point of apt key pinning?
Christo
(129 rep)
May 15, 2025, 04:46 PM
• Last activity: May 15, 2025, 04:49 PM
4
votes
2
answers
11436
views
I am suddenly getting " Unknown error executing apt-key" when attempting to update my system
I have been able to update my system and suddenly I am getting an error
```
Unknown error executing apt-key
```
and I have no idea what caused it. Also when I attempt any query of the key I get an error
```
/usr/bin/apt-key: 710: touch: Too many levels of symbolic links
```
which I have never gotten on any of the systems on this network and all run the same image.
bdaniel
(41 rep)
Nov 15, 2021, 06:25 PM
• Last activity: Nov 13, 2024, 05:49 PM
0
votes
0
answers
45
views
Upgrade from Buster to Bullseye now reports Release file not found in s3 bucket for private repo apt update
I upgraded our Debian kernel from Buster to Bullseye on our device. However, when trying to update our custom Debian packages from our s3 using apt repo, I now receive a message that the repository doesn't have a Release file. However it is in the repo and another device on Buster can still get the updates successfully.
Aptly version 1.4.0 was used to publish the Debian packages to the s3 bucket. Our Buster device is using gpg (GnuPG) 2.2.12 with libcrypt 1.8.4 and the Bullseye device is using gpg (GnuPG) 2.2.27 with libcrypt 1.8.8.
I have tried to manually pull the Release file and load it into the trusted.gpg.d in Bullseye. It appears to work. The key is listed as expected but I still receive the error. I've tried to pull the public key and run it through --dearmor and copy into the trusted.gpg.d. Again everything looks like it should work but doesn't.
What am I missing here?
mvickrey
(1 rep)
Aug 21, 2024, 04:39 PM
10
votes
1
answers
4711
views
repo.skype.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION
The following warning message appears during my `apt-get update && apt-get upgrade` procedure on Linux Mint 21:
> W: https://repo.skype.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
I searched through the Microsoft Skype download section mentioning absolutely nothing about their keys or how to manage them.
Is there a solution to this?
Vlastimil Burián
(30515 rep)
Feb 17, 2023, 01:55 PM
• Last activity: Feb 21, 2024, 11:54 AM
0
votes
1
answers
249
views
multiple commands in linux shell
I have just come across an article describing process of installing containerD runtime and I'm a little dubious about the command mentioned, maybe a typo but I want to get clarity on it. The command is as follows
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.lis
Now as far as I know the apt-key add - is used to add the key and the contents are read from the piped standard output for which - is there but what about the echo after it, if this is a separate command shouldn't it be separated by || or a semicolon ;? I know the command is fetching key from the repo and then updating the apt sources list but I'm confused about the syntax of the command.
JayD
(103 rep)
Nov 24, 2023, 01:33 PM
• Last activity: Nov 24, 2023, 03:01 PM
1
votes
0
answers
249
views
Why suddenly apt-get output became colored?
I'm trying to get wine. I've been doing instructions from https://wiki.winehq.org/Ubuntu and on `sudo apt update` I've seen "E: The repository 'cdrom ..." with red "E". Just several minutes before in output of `sudo apt update` it was ordinary white same as the rest of output. Between "normal" and red the only commands I did were downloading w/out install `sudo apt-get install -d somepackage` and ones from the wine page.
I wanted to revisit/recheck what I've done and now only after `history` and `cat /etc/apt/sources.list.d/winehq-jammy.sources` output of `sudo apt update` is all white again.
Any idea what happened? What caused the colored output to appear? I'm wary of glitches in the system I use, I want to find out the cause. Web search for colored output of apt found some solutions involving scripts etc., how adding sources and keys resulted in transient color?
TL;DR
Links found:
https://askubuntu.com/questions/445245/how-do-i-enable-fancy-apt-colours-and-progress-bars
https://unix.stackexchange.com/questions/167828/format-terminal-output-to-show-apt-get-upgrade-errors-in-red
Terminal contents (actually more commands than I mentioned earlier, still no idea how that resulted in color):
```
35 sudo apt-get update
36 sudo apt-get install -d somepackage
37 eval $(apt-config shell CACHE Dir::Cache)
38 eval $(apt-config shell ARCHIVES Dir::Cache::archives)
39 # from man bash:
40 # brace { after $ "serve to protect the variable to be expanded from characters immediately following it which could be interpreted as part of the name."
41 debs_cache_folder=/${CACHE}/${ARCHIVES}
42 echo $debs_cache_folder
43 ls echo $debs_cache_folder
44 ls echo $debs_cache_folder | wc
45 sudo apt-get clean
... same install -d / ls wc / clean for several other packages
54 sudo dpkg --add-architecture i386
55 sudo mkdir -pm755 /etc/apt/keyrings
56 sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
57 sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
58 sudo apt update
59 history
~/Downloads$ cat /etc/apt/sources.list.d/
cat: /etc/apt/sources.list.d/: Is a directory
~/Downloads$ cat /etc/apt/sources.list.d/
official-package-repositories.list winehq-jammy.sources
~/Downloads$ cat /etc/apt/sources.list.d/winehq-jammy.sources
Types: deb
URIs: https://dl.winehq.org/wine-builds/ubuntu
Suites: jammy
Components: main
Architectures: amd64 i386
Signed-By: /etc/apt/keyrings/winehq-archive.key
```
Martian2020
(1443 rep)
Oct 13, 2023, 12:06 AM
1
votes
0
answers
748
views
GPG key could not be added by apt-key on Ubuntu 20.04
I can not add the gpg key for apt repository into keychain. But I can add it through the gpg --import
When I try to add it with apt-key add, it just doesn't appear there, and I get no obvious error:
```
curl -sSL https://deb.********.com/pubkey.gpg | apt-key add -
gpg: key 8D81803C0EBFCD88: "Docker Release (CE deb) " not changed
gpg: key 7C3D57159FC2F927: "InfluxData Package Signing Key " not changed
gpg: key 1285491434D8786F: "Dell Inc., PGRE 2012 (PG Release Engineering Build Group 2012) " not changed
gpg: key D8FF8E1F7DF8B07E: doesn't match our copy
gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key
gpg: Total number processed: 8
gpg: skipped new keys: 4
gpg: unchanged: 3
```
Then I check the key with apt-key list, and it is still not there. I noticed this behavior, when my ansible playbook stopped working (because it can't add the key with apt_key module). Any thoughts ?
VmeansVendetta
(41 rep)
Sep 15, 2023, 03:22 PM
1
votes
1
answers
441
views
Linux Mint: How to prevent Slack from re-inserting its key to apt-key
Since `apt-key` is now deprecated, I have exported and copied all of my package keys to the gpg folder and updated the corresponding `/sources.list.d/*` accordingly by adding the `[signed-by=/usr/share/keyrings/.gpg]` field.
However, after every reboot, something is effectively undoing this change for Slack by re-adding its key to apt-key and deleting the `signed-by` from its `/sources.list.d/slack.list`. I know this because when I perform `$ sudo apt-get update`, I see the following output:
> W:
> https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease :
> Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg),
> see the DEPRECATION section in apt-key(8) for details.
This forces me to re-do all of my work. How do I stop either Slack, or whatever process responsible, from doing this?
J Weezy
(133 rep)
Jan 19, 2023, 10:03 PM
• Last activity: Sep 8, 2023, 08:27 AM
3
votes
1
answers
5417
views
What are the keyid and fingerprint of a public key in gpg and apt-key?
https://superuser.com/a/931814/ says
> Here follows an example command to use the GnuPG package's `gpg` command
> to receive a key (`-recv-keys`) with the fingerprint `7CE8FC69BE118222`:
>
>     $ gpg --recv-keys 7CE8FC69BE118222

Are a key and its fingerprint different concepts?
From manpage of `apt-key`:
> apt-key export
>
> Output the key keyid to standard output.

Are a key and its `keyid` different concepts?
Are the `keyid` and fingerprint of a key the same concept?
For example, we can first retrieve the key with
```shell
gpg --keyserver keyserver.ubuntu.com --recv-key E298A3A825C0D65DFD57CBB651716619E084DAB9
```
and then feed it to `apt-key` with
```shell
gpg -a --export E298A3A825C0D65DFD57CBB651716619E084DAB9 | sudo apt-key add -
```
Is `E298A3A825C0D65DFD57CBB651716619E084DAB9` a key, the `keyid` of a key, or the fingerprint of a key?
Why does it still work if I replace `E298A3A825C0D65DFD57CBB651716619E084DAB9` with `51716619E084DAB9`?
Tim
(106420 rep)
Mar 30, 2020, 04:33 PM
• Last activity: Apr 24, 2023, 06:54 AM
0
votes
1
answers
169
views
apt-key: gpg: conversmon from '�t�-8' to &UTF-8' not evailable
If I run `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1655A0AB68576280` I get `gpg: conversmon from '�t�-8' to &UTF-8' not evailable. segmentation fault` (This is the original message copy-pasted)
Edit: If I execute `gpg` I get the same error with the same text.
Got gnupg version: 2.2.27-2+deb11u2
`os-release` and `uname -a`:
```
Raspbian GNU/Linux 11 (bullseye)
Linux 6.1.19-v7+ #1637 SMP armv7l GNU/Linux
```
I have already searched the internet and can only find "change your locale to UTF-8" but I already have UTF-8: `LANG=en_GB.UTF-8`
I have tried importing the key manually over file. But got this gpg error every time. I got this error while trying to install zigbee2mqtt on my RaspberryPi.
mkcdu
(13 rep)
Apr 5, 2023, 09:27 AM
• Last activity: Apr 5, 2023, 03:17 PM
3
votes
2
answers
6261
views
Can't upgrade Jenkins on Debian11, the public key is not available: NO_PUBKEY FCEF32E745F2C3D5
I try to upgrade jenkins.
I use the new way to use gpg keys:
```sh
wget https://pkg.jenkins.io/debian-stable/jenkins.io.key
gpg --dearmor jenkins.io.key
mv jenkins.io.key.gpg /usr/share/keyrings/jenkins-keyring.asc
```
`cat /etc/apt/sources.list.d/jenkins.list`
```sh
deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/
```
apt-key:
```sh
apt-key list | grep -i jenkins # nothing
# file /usr/share/keyrings/jenkins-keyring.asc
/usr/share/keyrings/jenkins-keyring.asc: PGP/GPG key public ring (v4) created Mon Mar 30 15:10:17 2020 RSA (Encrypt or Sign) 4096 bits MPI=0x99a14538d6e6150d...
```
But when I run `apt update`:
```
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://pkg.jenkins.io/debian-stable binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5
W: Failed to fetch https://pkg.jenkins.io/debian-stable/binary/Release.gpg The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FCEF32E745F2C3D5
W: Some index files failed to download. They have been ignored, or old ones used instead.
```
What's wrong?
Mévatlavé Kraspek
(541 rep)
Apr 4, 2023, 10:59 AM
• Last activity: Apr 5, 2023, 06:52 AM
1
votes
1
answers
2826
views
no public key on debian 11 unable to apt update
I've tried all methods published in older questions, such as adding from `ubuntu.keyserver`, using `gpg`, from `hkp://pool.sks-keyservers.net:80` etc, any ideas ¿?
gpg:
```
gpg --recv-keys 0E61D3BBAAEE37FE
gpg: recepción del servidor de claves fallida: No data
```
ubuntu keyserver:
```
Executing: /tmp/apt-key-gpghome.zPtWaE6tzD/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 0E61D3BBAAEE37FE
gpg: recepción del servidor de claves fallida: No data
```
pool.sks-keyserver:
```
sudo apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 0E61D3BBAAEE37FE
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.qLLaSgFMSM/gpg.1.sh --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 0E61D3BBAAEE37FE
gpg: recepción del servidor de claves fallida: Server indicated a failure
```
ser356
(68 rep)
Mar 13, 2022, 02:50 PM
• Last activity: Jan 28, 2023, 02:44 PM
6
votes
2
answers
2412
views
Migrating away from apt-key adv
I have quite some scripts that are still using the `apt-key adv` command. And I know this command is deprecated. And soon becoming unable to use.
Correct me if I'm wrong, but Debian 11 is the last Debian version supporting `apt-key`.
I also know we need to migrate to fetching the .asc file directly and put the file into the `/etc/apt/trusted.gpg.d/` folder.
How do I convert from the command below to a wget of this .asc file? Where can I find the .asc files I need? Are those .asc files even provided by Linux Mint / X2Go or other repos?
The command I use for downloading keys at the moment is:
First example: `apt-key adv --recv-keys --keyserver keyserver.ubuntu.com A6616109451BBBF2`
Second example: `apt-key adv --recv-keys --keyserver keyserver.ubuntu.com E1F958385BFE2B6E`
How do I retrieve the `.asc` (or `.gpg`) files from those repos?
Melroy van den Berg
(201 rep)
Dec 17, 2021, 10:32 PM
• Last activity: May 12, 2022, 11:19 AM
0
votes
1
answers
1227
views
APT-KEY GPG --recv-key process hangs without any network traffic
On Debian 11, running as root. I am attempting to add the mysql repository public key (due to the expiry in Feb) and update to mysql 8.0, but every apt-key or gpg command I run just HANGS.
Even adding `-v` provides no extra output. A packet capture shows no network traffic being generated. Absolutely no logs on the system during this time.
Commands I've attempted so far:
apt-key adv --keyserver pgp.mit.edu --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
apt-key adv --keyserver pgp.mit.edu --recv-keys 3A79BD29
gpg -v --keyserver pgpkeys.mit.edu --recv-key 467B942D3A79BD29
gpg -v --keyserver pgpkeys.mit.edu --recv-key 3A79BD29
The GPG commands don't even have an output, it just immediately hangs.
The ultimate problem I am trying to solve:
Err:1 http://repo.mysql.com/apt/debian buster InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
I pulled the original apt-key command from their documentation here:
https://dev.mysql.com/doc/mysql-apt-repo-quick-guide/en/
Anyone know what is happening? How can I find out why these commands are hanging?
user432564
Apr 29, 2022, 05:22 PM
• Last activity: Apr 29, 2022, 05:52 PM
6
votes
3
answers
32325
views
How to install pgAdmin 4 on Linux Mint
I'm running Linux Mint 19 Tara, and trying to follow the instructions here with the goal of installing pgAdmin4 as a desktop app. There seems to be a problem involving the authentication of the repository.
The apt-key step seems to work, as I observe `PostgreSQL Debian Repository` in the apt-key list.
I don't have a `deb` command (I imagine this is a Mint vs Ubuntu difference?), so I used
```
add-apt-repository http://apt.postgresql.org/pub/repos/apt/ tara-pgdg main
```
instead, after which I observe
```
deb http://apt.postgresql.org/pub/repos/apt/ bionic main
```
in `/etc/apt/sources.list.d/additional-repositories.list`.
At this point running either `apt-get upgrade` or `apt-get update` shows an error
```
The repository 'http://apt.postgresql.org/pub/repos/apt bionic Release' does not have a Release file.
```
How can I proceed? It seems unlikely that there really isn't a release file; I can see what looks like an authentication list at https://apt.postgresql.org/pub/repos/apt/dists/bionic-pgdg/ . Do I have a path wrong or something?
ShapeOfMatter
(181 rep)
Sep 9, 2018, 03:43 PM
• Last activity: Jan 29, 2022, 05:16 AM
29
votes
2
answers
19104
views
Now that apt-key is deprecated, how do you add an Ubuntu PPA as a Debian APT source?
## Background
In the past, if you wanted to install software from an Ubuntu PPA in Debian, the approach was to
1. import/trust the developer's GPG key from keyserver.ubuntu.com,
   ```sh
   $ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com E58A9D36647CAE7F
   ```
2. then add the repository to `/etc/apt/sources.list.d/...`
   ```
   # /etc/apt/sources.list.d/papirus-ppa.list
   deb http://ppa.launchpad.net/papirus/papirus/ubuntu focal main
   ```

(Off the top of my head, examples can be found in [this Ubuntu docs wiki for mkusb](https://help.ubuntu.com/community/mkusb/install-to-debian) or [the Papirus icon theme readme](https://github.com/PapirusDevelopmentTeam/papirus-icon-theme).)
## Problem
The problem is that **this approach now produces deprecation warnings** (`apt-key` was deprecated [over a year ago](https://github.com/docker/docker.github.io/issues/11625)):
```sh
$ apt-key adv ...
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))
```
> ### Ninja edit
>
> See [this answer below](https://unix.stackexchange.com/a/679498/176219) for yet another, separate deprecation in this `apt-key` command!

## Solution?
The new approach (as exemplified by, say, [Docker](https://docs.docker.com/engine/install/debian/#install-using-the-repository)) is twofold:
1. Save the developer's GPG key to disk,
   ```sh
   $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
   ```
2. then specify the path to that GPG key when defining a new APT source:
   ```
   # /etc/apt/sources.list.d/docker.list
   deb [... signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
            ⬑------------------ this part is new -----------------⬏
   ```

Step 1 is the part that replaces `apt-key`, but it doesn't seem possible to fetch individual GPG keys off of keyserver.ubuntu.com. Is it possible to adapt this approach for Ubuntu PPAs? If not, how can Ubuntu PPAs be added as software sources in Debian without the use of `apt-key`?
Ryan Lue
(1176 rep)
Nov 29, 2021, 07:23 AM
• Last activity: Jan 24, 2022, 12:49 PM
1
votes
1
answers
449
views
Update php key debian/ubuntu
How I can renew `php key` in `apt`? the one I'm using is almost expired.
I've tried to use `https://packages.sury.org/php/apt.gpg` but it will also expire on `2021-03-17`.
BOUKANDOURA Mhamed
(348 rep)
Feb 16, 2021, 08:01 AM
• Last activity: Feb 16, 2021, 08:09 AM
1
votes
2
answers
6593
views
How to locate an URL that serves public GPG key for a package repository?
When I install `mysql@5.6` and `mysql-client@5.6` in my Debian Jessie docker image with
```
apt-get install -y software-properties-common && \
add-apt-repository 'deb http://archive.ubuntu.com/ubuntu trusty universe' && \
apt-get install -y mysql-server-5.6 mysql-client-5.6
```
I see the following warning
> W: GPG error: http://archive.ubuntu.com trusty Release: The following
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32

Not sure if adding keys manually with
```
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5 && \
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
```
is a stable solution. I've read somewhere that GPG keys could be changed when the repository gets updated (please correct me if I am wrong). Also a GPG key could be installed from a package repository URL like this:
```
curl -sL http://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
```
So I have the following sub-questions there:
1. Do all package repositories that require keys have an URL that serves public GPG keys?
2. Is there any format for such URL?
Hirurg103
(111 rep)
Feb 14, 2020, 05:47 PM
• Last activity: Feb 14, 2020, 06:48 PM
1
votes
1
answers
1224
views
apt key management failure any full online solution or key download method
Using a Debian9 server, behind a proxy, I need to install a docker client.
So to get a key I use the commands:
```
apt-key adv --keyserver http://WHATEVERKEYSERVERITRY --keyserver-options http-proxy="http://proxy.myclientdomain:4128" --recv-keys 7EA0A9C3F273FCD8
Executing: tmpapt-key-gpghome.BO0J96KdNM/gpg.1.sh --keyserver http://WHATEVERKEYSERVERITRY --keyserver-options http-proxy=http://proxy.myclientdomain:4128 --recv-keys 7EA0A9C3F273FCD8
gpg: keyserver receive failed: no key server available
```
I tried all keyring/MIT/debian etc... keyservers I know (about 5/6) The proxy is not the cause, apt-update , ping to www.google.com & so on ... are just OK.
I think there is another root cause somewhere else... but it is not possible, **really not**, neither to change anything neither get infrastructure information.
So the question is: is there another method to get the key 7EA0A9C3F273FCD8 100% online, generating a file I can then copy/paste?
francois P
(1289 rep)
Jan 16, 2018, 06:16 PM
• Last activity: Jun 8, 2019, 08:31 AM
2
votes
1
answers
4303
views
How can a public key contain several public keys with GPG (or what am I doing wrong)?
I'm setting up some Ubuntu servers. I received from another sysadmin a key to be added (call it `somekey.pub`) for apt package verification on in-house packages.
Adding this key with `apt-key add somekey.pub` results in TWO additional entries showing in `apt-key list`, each with a "pub" line and a "sub" line. (The "uid" line on both new entries is the sysadmin who gave me the key.)
How is this possible? Inspecting the key with `less` shows:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
(41 lines snipped)
-----END PGP PUBLIC KEY BLOCK-----
```
I also used `gpg` to create a keyring containing just that key (using `gpg --no-default-keyring --keyring ./somekeyring.gpg --import somekey.pub`), so that I could put the keyring in `/etc/apt/trusted.gpg.d/` on other Ubuntu servers rather than running the `apt-key add` command.
Inspecting this keyring with `gpg --no-default-keyring --keyring ./somekeyring.gpg --list-keys` confirms that it has two keys. Here is the output, munged slightly:
```
pub 1024R/4AAAAAAA 2018-08-31
uid Joe Sysadmin (Ubuntu Dev Repo Key)
sub 1024R/9FFFFFFF 2018-08-31
pub 2048R/BAAAAAAA 2018-08-31
uid Joe Sysadmin (Ubuntu Repo Repo Key)
sub 2048R/1EEEEEEE 2018-08-31
```
This is my first foray into GPG and apt keys, so I may be missing some simple basic piece of information, but I would expect that the single public key block in `somekey.pub` would only contain a single public key - so the above results surprised me.
Where is the documentation that will allow me to make sense of this?
Wildcard
(37446 rep)
Sep 7, 2018, 10:48 PM
• Last activity: Sep 8, 2018, 06:12 AM
Showing page 1 of 20 total questions