aboutsummaryrefslogtreecommitdiff
path: root/content
diff options
context:
space:
mode:
Diffstat (limited to 'content')
-rw-r--r--content/blog/2024-06-19-deprecated-trusted-gpg-fix.md133
1 files changed, 133 insertions, 0 deletions
diff --git a/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md
new file mode 100644
index 0000000..8068f2d
--- /dev/null
+++ b/content/blog/2024-06-19-deprecated-trusted-gpg-fix.md
@@ -0,0 +1,133 @@
++++
+date = 2024-06-19 08:00:00
+title = "Fixing Ubuntu Error: 'Key is stored in legacy trusted.gpg keyring'"
+description = "Learn how to update GPG keys from the trusted.gpg keyring in Ubuntu."
++++
+
+## System Warning
+
+When running an update on an Ubuntu system, you may have run into a system
+warning that looks like the example below.
+
+```txt
+W: https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy
+trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in
+apt-key(8) for details.
+```
+
+While this example references the `yarn` package, the warning message is the
+same for any repository using the deprecated `trusted.gpg` key ring.
+
+The issue arises from managing keys with the `apt-key` command, which utilizes
+the `/etc/apt/trusted.gpg` file by default. Instead, Ubuntu has moved to
+managing key rings with individual `.gpg` files in the `/etc/apt/trusted.gpg.d/`
+directory.
+
+To fix this issue, let's check to see which keys are using the `trusted.gpg` key
+ring and move them into their own dedicated key ring.
+
+## Finding All Keys in the Keyring
+
+Let's start by simply listing the keys used by the `apt` commands. To do this,
+run the following command.
+
+```sh
+sudo apt-key list
+```
+
+This command will show an output similar to the one below. You may see
+additional keys in the `/etc/apt/trusted.gpg.d/` directory - this is where we
+will be moving any keys currently found in the `trusted.gpg` key ring.
+
+In the below example, we can see that this system has four different GPG keys
+stored within the `trusted.gpg` key ring. Let's go ahead and move them into
+their own files.
+
+```txt
+Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead
+(see apt-key(8)).
+
+/etc/apt/trusted.gpg
+--------------------
+pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
+ 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
+uid [ unknown] nginx signing key <signing-key@nginx.com>
+
+pub rsa4096 2016-10-05 [SC]
+ 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
+uid [ unknown] Yarn Packaging <yarn@dan.cx>
+sub rsa4096 2016-10-05 [E]
+sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
+sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
+
+pub rsa4096 2024-05-29 [SC]
+ 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
+uid [ unknown] nginx signing key <signing-key-2@nginx.com>
+
+pub rsa4096 2024-05-29 [SC]
+ 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
+uid [ unknown] nginx signing key <signing-key-3@nginx.com>
+```
+
+## Moving Keys to the Proper Location
+
+### Exporting Keys to New Files
+
+Now that we know the keys, we will need to move them into their own key ring. We
+can do this by copying the last eight (8) characters from the key's signature
+and exporting it from this key ring into its own.
+
+Using the yarn example from the beginning, here's the command to move this key
+into its own key ring.
+
+```sh
+sudo apt-key export 86E50310 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/yarn.gpg
+```
+
+You can repeat this process for any other keys, such as the `nginx` keys in the
+example above.
+
+### Cleaning Up
+
+If you run `sudo apt-key list` again, you should see the keys within their own
+key rings:
+
+```txt
+/etc/apt/trusted.gpg.d/nginx-archive-keyring.gpg
+------------------------------------------------
+pub rsa4096 2024-05-29 [SC]
+ 8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
+uid [ unknown] nginx signing key <signing-key-2@nginx.com>
+
+pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
+ 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
+uid [ unknown] nginx signing key <signing-key@nginx.com>
+
+pub rsa4096 2024-05-29 [SC]
+ 9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
+uid [ unknown] nginx signing key <signing-key-3@nginx.com>
+
+/etc/apt/trusted.gpg.d/yarn.gpg
+-------------------------------
+pub rsa4096 2016-10-05 [SC]
+ 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
+uid [ unknown] Yarn Packaging <yarn@dan.cx>
+sub rsa4096 2016-10-05 [E]
+sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
+sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
+```
+
+Once you have verified that the keys are valid and stored in their own key
+rings, you can archive the `trusted.gpg` file and run a system update to test
+the new files.
+
+```sh
+sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.bkp
+sudo apt update
+```
+
+Once you've verified that updates work as expected and that the keys are working
+as intended, you can delete the `.bkp` file created above. If you're storing
+keys that are not easily re-attainable, I suggest keeping the `.bkp` file stored
+in a safe location until you are positive that you no longer need it.
+
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-09-15 14:50:42 +0000