1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
#+date: <2024-06-19 Wednesday 08:00:00>
#+title: Migrating Ubuntu GPG Keys to trusted.gpg.d
#+description: Technical instructions to relocate GPG keys from the deprecated trusted.gpg keyring to the supported trusted.gpg.d directory for system security maintenance.
#+slug: deprecated-trusted-gpg-fix
#+filetags: :ubuntu:apt:gpg:
** System Warning
When running an update on an Ubuntu system, you may have run into a system
warning that looks like the example below.
#+begin_src txt
W: https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy
trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in
apt-key(8) for details.
#+end_src
While this example references the =yarn= package, the warning message is the
same for any repository using the deprecated =trusted.gpg= key ring.
The issue arises from managing keys with the =apt-key= command, which utilizes
the =/etc/apt/trusted.gpg= file by default. Instead, Ubuntu has moved to
managing key rings with individual =.gpg= files in the =/etc/apt/trusted.gpg.d/=
directory.
To fix this issue, let's check to see which keys are using the =trusted.gpg= key
ring and move them into their own dedicated key ring.
** Finding All Keys in the Keyring
Let's start by simply listing the keys used by the =apt= commands. To do this,
run the following command.
#+begin_src sh
sudo apt-key list
#+end_src
This command will show an output similar to the one below. You may see
additional keys in the =/etc/apt/trusted.gpg.d/= directory - this is where we
will be moving any keys currently found in the =trusted.gpg= key ring.
In the below example, we can see that this system has four different GPG keys
stored within the =trusted.gpg= key ring. Let's go ahead and move them into
their own files.
#+begin_src txt
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead
(see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
uid [ unknown] nginx signing key <signing-key@nginx.com>
pub rsa4096 2016-10-05 [SC]
72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
uid [ unknown] Yarn Packaging <yarn@dan.cx>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
pub rsa4096 2024-05-29 [SC]
8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
uid [ unknown] nginx signing key <signing-key-2@nginx.com>
pub rsa4096 2024-05-29 [SC]
9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
uid [ unknown] nginx signing key <signing-key-3@nginx.com>
#+end_src
** Moving Keys to the Proper Location
*** Exporting Keys to New Files
Now that we know the keys, we will need to move them into their own key ring. We
can do this by copying the last eight (8) characters from the key's signature
and exporting it from this key ring into its own.
Using the yarn example from the beginning, here's the command to move this key
into its own key ring.
#+begin_src sh
sudo apt-key export 86E50310 | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/yarn.gpg
#+end_src
You can repeat this process for any other keys, such as the =nginx= keys in the
example above.
*** Cleaning Up
If you run =sudo apt-key list= again, you should see the keys within their own
key rings:
#+begin_src txt
/etc/apt/trusted.gpg.d/nginx-archive-keyring.gpg
------------------------------------------------
pub rsa4096 2024-05-29 [SC]
8540 A6F1 8833 A80E 9C16 53A4 2FD2 1310 B49F 6B46
uid [ unknown] nginx signing key <signing-key-2@nginx.com>
pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
uid [ unknown] nginx signing key <signing-key@nginx.com>
pub rsa4096 2024-05-29 [SC]
9E9B E90E ACBC DE69 FE9B 204C BCDC D8A3 8D88 A2B3
uid [ unknown] nginx signing key <signing-key-3@nginx.com>
/etc/apt/trusted.gpg.d/yarn.gpg
-------------------------------
pub rsa4096 2016-10-05 [SC]
72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
uid [ unknown] Yarn Packaging <yarn@dan.cx>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
#+end_src
Once you have verified that the keys are valid and stored in their own key
rings, you can archive the =trusted.gpg= file and run a system update to test
the new files.
#+begin_src sh
sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.bkp
sudo apt update
#+end_src
Once you've verified that updates work as expected and that the keys are working
as intended, you can delete the =.bkp= file created above. If you're storing
keys that are not easily re-attainable, I suggest keeping the =.bkp= file stored
in a safe location until you are positive that you no longer need it.
|
