author Christian Cleberg <hello@cleberg.net> 2024-07-28 19:46:20 -0500
committer Christian Cleberg <hello@cleberg.net> 2024-07-28 19:46:20 -0500
commit 2be43cc479dfd4cfb621f14381330c708291e324 (patch)
tree 7ac50f99425c5524c0820360754045b80d1bafcc /content/blog/2024-06-19-deprecated-trusted-gpg-fix.md
parent afe76ac7d7498b862abaa623790b91410e34574d (diff)
conversion from Zola to Weblorg
Diffstat (limited to 'content/blog/2024-06-19-deprecated-trusted-gpg-fix.md')
-rw-r--r-- content/blog/2024-06-19-deprecated-trusted-gpg-fix.md 133
1 files changed, 0 insertions, 133 deletions
diff --git a/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md
deleted file mode 100644
index 8068f2d..0000000
--- a/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md
+++ /dev/null
@@ -1,133 +0,0 @@
-+++
-date = 2024-06-19 08:00:00
-title = "Fixing Ubuntu Error: 'Key is stored in legacy trusted.gpg keyring'"
-description = "Learn how to update GPG keys from the trusted.gpg keyring in Ubuntu."
-+++
-
-## System Warning
-
-When running an update on an Ubuntu system, you may have run into a system
-warning that looks like the example below.
-
-```txt
-W: https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy
-trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in
-apt-key(8) for details.
-```
-
-While this example references the `yarn` package, the warning message is the
-same for any repository using the deprecated `trusted.gpg` key ring.
-
-The issue arises from managing keys with the `apt-key` command, which utilizes
-the `/etc/apt/trusted.gpg` file by default. Instead, Ubuntu has moved to
-managing key rings with individual `.gpg` files in the `/etc/apt/trusted.gpg.d/`
-directory.
-
-To fix this issue, let's check to see which keys are using the `trusted.gpg` key
-ring and move them into their own dedicated key ring.
-
-## Finding All Keys in the Keyring
-
-Let's start by simply listing the keys used by the `apt` commands. To do this,
-run the following command.
-
-```sh
-sudo apt-key list
-```
-
-This command will show an output similar to the one below. You may see
-additional keys in the `/etc/apt/trusted.gpg.d/` directory - this is where we
-will be moving any keys currently found in the `trusted.gpg` key ring.
-
-In the below example, we can see that this system has four different GPG keys
-stored within the `trusted.gpg` key ring. Let's go ahead and move them into
-their own files.
-
-```txt
-Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead
-(see apt-key(8)).
-
-/etc/apt/trusted.gpg
---------------------
-pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
- 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
-uid [ unknown] nginx signing key <signing-key@nginx.com>
-
-pub rsa4096 2016-10-05 [SC]
- 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
-uid [ unknown] Yarn Packaging <yarn@dan.cx>
-sub rsa4096 2016-10-05 [E]
-sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
-sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
-
-pub rsa4096 2024-05-29 [SC]
- 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
-uid [ unknown] nginx signing key <signing-key-2@nginx.com>
-
-pub rsa4096 2024-05-29 [SC]
- 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
-uid [ unknown] nginx signing key <signing-key-3@nginx.com>
-```
-
-## Moving Keys to the Proper Location
-
-### Exporting Keys to New Files
-
-Now that we know the keys, we will need to move them into their own key ring. We
-can do this by copying the last eight (8) characters from the key's signature
-and exporting it from this key ring into its own.
-
-Using the yarn example from the beginning, here's the command to move this key
-into its own key ring.
-
-```sh
-sudo apt-key export 86E50310 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/yarn.gpg
-```
-
-You can repeat this process for any other keys, such as the `nginx` keys in the
-example above.
-
-### Cleaning Up
-
-If you run `sudo apt-key list` again, you should see the keys within their own
-key rings:
-
-```txt
-/etc/apt/trusted.gpg.d/nginx-archive-keyring.gpg
-------------------------------------------------
-pub rsa4096 2024-05-29 [SC]
- 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
-uid [ unknown] nginx signing key <signing-key-2@nginx.com>
-
-pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
- 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
-uid [ unknown] nginx signing key <signing-key@nginx.com>
-
-pub rsa4096 2024-05-29 [SC]
- 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
-uid [ unknown] nginx signing key <signing-key-3@nginx.com>
-
-/etc/apt/trusted.gpg.d/yarn.gpg
--------------------------------
-pub rsa4096 2016-10-05 [SC]
- 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
-uid [ unknown] Yarn Packaging <yarn@dan.cx>
-sub rsa4096 2016-10-05 [E]
-sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
-sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
-```
-
-Once you have verified that the keys are valid and stored in their own key
-rings, you can archive the `trusted.gpg` file and run a system update to test
-the new files.
-
-```sh
-sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.bkp
-sudo apt update
-```
-
-Once you've verified that updates work as expected and that the keys are working
-as intended, you can delete the `.bkp` file created above. If you're storing
-keys that are not easily re-attainable, I suggest keeping the `.bkp` file stored
-in a safe location until you are positive that you no longer need it.
-
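Review bot: The commit message says "conversion from Zola to Weblorg", but this view shows 133 deletions and 0 insertions for the path, so the converted copy of the post cannot be checked here; confirm it lands in the same commit so the article is not dropped. If the text carries over unchanged, the "Exporting Keys to New Files" section deserves a pass in the new copy: `sudo apt-key export 86E50310` selects the key by its 8-character short ID, which is not collision-resistant, so passing the full 40-character fingerprint from the `apt-key list` output is the safer form, and the prose calls that value the key's "signature" where it means the fingerprint. It is also worth stating there that a keyring placed in `/etc/apt/trusted.gpg.d/` is still trusted for every configured repository, so the move silences the warning without scoping the key to the yarn or nginx source; pinning each source to its keyring with the `Signed-By` option would do that.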