Diffstat (limited to 'content/blog/2024-06-19-deprecated-trusted-gpg-fix.org')
-rw-r--r-- | content/blog/2024-06-19-deprecated-trusted-gpg-fix.org | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/content/blog/2024-06-19-deprecated-trusted-gpg-fix.org b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.org new file mode 100644 index 0000000..18ff2b5 --- /dev/null +++ b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.org 
@@ -0,0 +1,133 @@ +#+date: <2024-06-19 08:00:00> +#+title: Fixing Ubuntu Error: 'Key is stored in legacy trusted.gpg keyring' +#+description: Learn how to update GPG keys from the trusted.gpg keyring in Ubuntu. + + +** System Warning + +When running an update on an Ubuntu system, you may have run into a +system warning that looks like the example below. + +#+begin_src txt +W: https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy +trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in +apt-key(8) for details. +#+end_src + +While this example references the =yarn= package, the warning message is +the same for any repository using the deprecated =trusted.gpg= key ring. + +The issue arises from managing keys with the =apt-key= command, which +utilizes the =/etc/apt/trusted.gpg= file by default. Instead, Ubuntu has +moved to managing key rings with individual =.gpg= files in the +=/etc/apt/trusted.gpg.d/= directory. + +To fix this issue, let's check to see which keys are using the +=trusted.gpg= key ring and move them into their own dedicated key ring. + +** Finding All Keys in the Keyring + +Let's start by simply listing the keys used by the =apt= commands. To do +this, run the following command. + +#+begin_src sh +sudo apt-key list +#+end_src + +This command will show an output similar to the one below. You may see +additional keys in the =/etc/apt/trusted.gpg.d/= directory - this is +where we will be moving any keys currently found in the =trusted.gpg= +key ring. + +In the below example, we can see that this system has four different GPG +keys stored within the =trusted.gpg= key ring. Let's go ahead and move +them into their own files. + +#+begin_src txt +Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead +(see apt-key(8)). 
+ +/etc/apt/trusted.gpg +-------------------- +pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] + 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid [ unknown] nginx signing key <signing-key@nginx.com> + +pub rsa4096 2016-10-05 [SC] + 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310 +uid [ unknown] Yarn Packaging <yarn@dan.cx> +sub rsa4096 2016-10-05 [E] +sub rsa4096 2019-01-02 [S] [expires: 2026-01-23] +sub rsa4096 2019-01-11 [S] [expires: 2026-01-23] + +pub rsa4096 2024-05-29 [SC] + 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46 +uid [ unknown] nginx signing key <signing-key-2@nginx.com> + +pub rsa4096 2024-05-29 [SC] + 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3 +uid [ unknown] nginx signing key <signing-key-3@nginx.com> +#+end_src + +** Moving Keys to the Proper Location + +*** Exporting Keys to New Files + +Now that we know the keys, we will need to move them into their own key +ring. We can do this by copying the last eight (8) characters from the +key's signature and exporting it from this key ring into its own. + +Using the yarn example from the beginning, here's the command to move +this key into its own key ring. + +#+begin_src sh +sudo apt-key export 86E50310 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/yarn.gpg +#+end_src + +You can repeat this process for any other keys, such as the =nginx= keys +in the example above. 
+ +*** Cleaning Up + +If you run =sudo apt-key list= again, you should see the keys within +their own key rings: + +#+begin_src txt +/etc/apt/trusted.gpg.d/nginx-archive-keyring.gpg +------------------------------------------------ +pub rsa4096 2024-05-29 [SC] + 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46 +uid [ unknown] nginx signing key <signing-key-2@nginx.com> + +pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24] + 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62 +uid [ unknown] nginx signing key <signing-key@nginx.com> + +pub rsa4096 2024-05-29 [SC] + 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3 +uid [ unknown] nginx signing key <signing-key-3@nginx.com> + +/etc/apt/trusted.gpg.d/yarn.gpg +------------------------------- +pub rsa4096 2016-10-05 [SC] + 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310 +uid [ unknown] Yarn Packaging <yarn@dan.cx> +sub rsa4096 2016-10-05 [E] +sub rsa4096 2019-01-02 [S] [expires: 2026-01-23] +sub rsa4096 2019-01-11 [S] [expires: 2026-01-23] +#+end_src + +Once you have verified that the keys are valid and stored in their own +key rings, you can archive the =trusted.gpg= file and run a system +update to test the new files. + +#+begin_src sh +sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.bkp +sudo apt update +#+end_src + +Once you've verified that updates work as expected and that the keys are +working as intended, you can delete the =.bkp= file created above. If +you're storing keys that are not easily re-attainable, I suggest keeping +the =.bkp= file stored in a safe location until you are positive that +you no longer need it. |
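Review bot: the "Exporting Keys to New Files" step writes each exported key into /etc/apt/trusted.gpg.d/, which apt treats exactly like the old trusted.gpg: every key there is trusted for every configured repository, so the migration silences the warning without reducing the blast radius of a single compromised or mis-scoped vendor key. The apt-key(8) DEPRECATION section the post cites recommends keeping third-party keys out of the trusted.gpg.d directory and binding each one to its own source with the Signed-By option, e.g. `sudo apt-key export 72ECF46A56B4AD39C907BBB71646B01B86E50310 | sudo gpg --dearmor -o /etc/apt/keyrings/yarn.gpg` and then adding `[signed-by=/etc/apt/keyrings/yarn.gpg]` to the existing deb line for https://dl.yarnpkg.com/debian; the post should at least mention this alternative. Related wording fix in the same section: the value being copied is the key fingerprint, not its "signature", and the 8-character short ID is ambiguous across keys, so the text should show the full 40-hex-digit fingerprint from the apt-key list output as the argument to apt-key export. The "Cleaning Up" section tells the reader to proceed once the keys are "verified" as valid but gives no verification step; a sentence directing them to compare each fingerprint against the one published by the vendor before relying on the new keyring would close that gap.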