diff options
| author | Christian Cleberg <hello@cleberg.net> | 2024-06-19 08:28:12 -0500 |
|---|---|---|
| committer | Christian Cleberg <hello@cleberg.net> | 2024-06-19 08:28:12 -0500 |
| commit | 3381414e92d2ec17b72d6cb8a09eb095fd4168ed (patch) | |
| tree | fbcc5afc06fdc0098ef9a4aad413f5795d3906e7 | |
| parent | 33bd54bffe5ec47777c941370ea310510338a716 (diff) | |
| download | cleberg.net-3381414e92d2ec17b72d6cb8a09eb095fd4168ed.tar.gz cleberg.net-3381414e92d2ec17b72d6cb8a09eb095fd4168ed.tar.bz2 cleberg.net-3381414e92d2ec17b72d6cb8a09eb095fd4168ed.zip | |
add trusted.gpg blog post
| -rw-r--r-- | content/blog/2024-06-19-deprecated-trusted-gpg-fix.md | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md new file mode 100644 index 0000000..8068f2d --- /dev/null +++ b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md @@ -0,0 +1,133 @@ ++++ +date = 2024-06-19 08:00:00 +title = "Fixing Ubuntu Error: 'Key is stored in legacy trusted.gpg keyring'" +description = "Learn how to update GPG keys from the trusted.gpg keyring in Ubuntu." ++++ + +## System Warning + +When running an update on an Ubuntu system, you may have run into a system +warning that looks like the example below. + +```txt +W: https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy +trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in +apt-key(8) for details. +``` + +While this example references the `yarn` package, the warning message is the +same for any repository using the deprecated `trusted.gpg` key ring. + +The issue arises from managing keys with the `apt-key` command, which utilizes +the `/etc/apt/trusted.gpg` file by default. Instead, Ubuntu has moved to +managing key rings with individual `.gpg` files in the `/etc/apt/trusted.gpg.d/` +directory. + +To fix this issue, let's check to see which keys are using the `trusted.gpg` key +ring and move them into their own dedicated key ring. + +## Finding All Keys in the Keyring + +Let's start by simply listing the keys used by the `apt` commands. To do this, +run the following command. + +```sh +sudo apt-key list +``` + +This command will show an output similar to the one below. You may see +additional keys in the `/etc/apt/trusted.gpg.d/` directory - this is where we +will be moving any keys currently found in the `trusted.gpg` key ring. + +In the below example, we can see that this system has four different GPG keys +stored within the `trusted.gpg` key ring. Let's go ahead and move them into +their own files. + +```txt +Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead +(see apt-key(8)). + +/etc/apt/trusted.gpg +-------------------- +pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] + 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid [ unknown] nginx signing key <signing-key@nginx.com> + +pub rsa4096 2016-10-05 [SC] + 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310 +uid [ unknown] Yarn Packaging <yarn@dan.cx> +sub rsa4096 2016-10-05 [E] +sub rsa4096 2019-01-02 [S] [expires: 2026-01-23] +sub rsa4096 2019-01-11 [S] [expires: 2026-01-23] + +pub rsa4096 2024-05-29 [SC] + 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46 +uid [ unknown] nginx signing key <signing-key-2@nginx.com> + +pub rsa4096 2024-05-29 [SC] + 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3 +uid [ unknown] nginx signing key <signing-key-3@nginx.com> +``` + +## Moving Keys to the Proper Location + +### Exporting Keys to New Files + +Now that we know the keys, we will need to move them into their own key ring. We +can do this by copying the last eight (8) characters from the key's signature +and exporting it from this key ring into its own. + +Using the yarn example from the beginning, here's the command to move this key +into its own key ring. + +```sh +sudo apt-key export 86E50310 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/yarn.gpg +``` + +You can repeat this process for any other keys, such as the `nginx` keys in the +example above. + +### Cleaning Up + +If you run `sudo apt-key list` again, you should see the keys within their own +key rings: + +```txt +/etc/apt/trusted.gpg.d/nginx-archive-keyring.gpg +------------------------------------------------ +pub rsa4096 2024-05-29 [SC] + 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46 +uid [ unknown] nginx signing key <signing-key-2@nginx.com> + +pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] + 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid [ unknown] nginx signing key <signing-key@nginx.com> + +pub rsa4096 2024-05-29 [SC] + 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3 +uid [ unknown] nginx signing key <signing-key-3@nginx.com> + +/etc/apt/trusted.gpg.d/yarn.gpg +------------------------------- +pub rsa4096 2016-10-05 [SC] + 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310 +uid [ unknown] Yarn Packaging <yarn@dan.cx> +sub rsa4096 2016-10-05 [E] +sub rsa4096 2019-01-02 [S] [expires: 2026-01-23] +sub rsa4096 2019-01-11 [S] [expires: 2026-01-23] +``` + +Once you have verified that the keys are valid and stored in their own key +rings, you can archive the `trusted.gpg` file and run a system update to test +the new files. + +```sh +sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.bkp +sudo apt update +``` + +Once you've verified that updates work as expected and that the keys are working +as intended, you can delete the `.bkp` file created above. If you're storing +keys that are not easily re-attainable, I suggest keeping the `.bkp` file stored +in a safe location until you are positive that you no longer need it. + |