Key is stored in legacy trusted.gpg keyring after Ubuntu 22.04 update

Question

I get 3 warnings after Ubuntu 22.04 update on a Digital Ocean LAMP stack droplet.

W: http://repo.mysql.com/apt/ubuntu/dists/bionic/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://repos.insights.digitalocean.com/apt/do-agent/dists/main/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://pkg.cloudflare.com/dists/trusty/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

How to move the keys to the right location and delete the old keys?

EDIT

sudo apt-key list

pub   rsa2048 2016-02-17 [SC]
      9FE3 B226 BD77 5196 D8C2  E599 DE88 104A A4C6 383F
uid           [ unknown] DigitalOcean Insights Engineering <sonar-agent@digitalocean.com>
sub   rsa2048 2016-02-17 [E]
pub   rsa2048 2015-01-28 [SC]
      FBA8 C0EE 6361 7C5E ED69  5C43 254B 391D 8CAC CBF8
uid           [ unknown] CloudFlare Software Packaging <help@cloudflare.com>
pub   dsa1024 2003-02-03 [SCA] [expired: 2022-02-16]
      A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
uid           [ expired] MySQL Release Engineering <mysql-build@oss.oracle.com>
pub   rsa4096 2021-12-14 [SC] [expires: 2023-12-14]
      859B E8D7 C586 F538 430B  19C2 467B 942D 3A79 BD29
uid           [ unknown] MySQL Release Engineering <mysql-build@oss.oracle.com>
sub   rsa4096 2021-12-14 [E] [expires: 2023-12-14]
/etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg
pub   rsa4096 2016-11-02 [SC]
      7BF5 7606 6ADA 6572 8FC7  E70A 8C47 BE8E 75BC A694
uid           [ unknown] Launchpad PPA for certbot
/etc/apt/trusted.gpg.d/ondrej-ubuntu-apache2.gpg
pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý
/etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg
pub   rsa1024 2009-01-26 [SC]
      14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
uid           [ unknown] Launchpad PPA for Ondřej Surý
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

ls -l /etc/apt/sources.list.d

-rw-r--r-- 1 root root 276 Apr  8 15:51 certbot-ubuntu-certbot-xenial.list
-rw-r--r-- 1 root root 276 Apr  8 15:51 certbot-ubuntu-certbot-xenial.list.distUpgrade
-rw-r--r-- 1 root root 274 Mar 13  2020 certbot-ubuntu-certbot-xenial.list.save
-rw-r--r-- 1 root root  43 Apr  8 15:51 cloudflare-main.list
-rw-r--r-- 1 root root  43 Apr  8 15:51 cloudflare-main.list.distUpgrade
-rw-r--r-- 1 root root  43 Mar 13  2020 cloudflare-main.list.save
-rw-r--r-- 1 root root  67 Apr  8 15:51 digitalocean-agent.list
-rw-r--r-- 1 root root  67 Apr  8 15:51 digitalocean-agent.list.distUpgrade
-rw-r--r-- 1 root root  67 Mar 13  2020 digitalocean-agent.list.save
-rw-r--r-- 1 root root 501 Apr  8 15:51 mysql.list
-rw-r--r-- 1 root root 501 Apr  8 15:51 mysql.list.distUpgrade
-rw-r--r-- 1 root root 137 Apr  8 15:51 ondrej-ubuntu-apache2-hirsute.list
-rw-r--r-- 1 root root 135 Apr  8 15:51 ondrej-ubuntu-apache2-hirsute.list.distUpgrade
-rw-r--r-- 1 root root 123 Apr  8 15:51 ondrej-ubuntu-php-xenial.list
-rw-r--r-- 1 root root 124 Apr  8 15:51 ondrej-ubuntu-php-xenial.list.distUpgrade
-rw-r--r-- 1 root root 125 Apr  8 19:11 signal-xenial.list

Answer 1

This answer is a customization of the one provided by matigo user here. You need to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings for every repo.

0. Let's begin with DigitalOcean key. Open Terminal and export the 9FE3 B226 BD77 5196 D8C2 E599 DE88 104A A4C6 383F key:

   apt-key export A4C6383F | sudo gpg --dearmour -o /usr/share/keyrings/digitalocean-agent.gpg

   Note: The A4C6383F value comes from the last 8 characters of the pub code from the apt-key list output.

1. Now we can update our apt source file /etc/apt/sources.list.d/digitalocean-agent.list), adding a signed-by tag. Open it by:

   sudo -H gedit /etc/apt/sources.list.d/digitalocean-agent.list

   and add the tag [arch=amd64 signed-by=/usr/share/keyrings/digitalocean-agent.gpg] just after the deb keyword and before the URL.

   I don't know the exact content of digitalocean-agent.list, but it should be eventually something similar to:

   deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] packages.microsoft.com/repos/edge stable main
   

2. Run sudo apt update to confirm the message is gone

3. If the message is gone, remove the original signature:

   sudo apt-key del A4C6383F

4. Repeat the steps for cloudflare-main.list, generating the cloudflare-main.gpg key starting from 8CACCBF8 key.

5. Repeat the steps for mysql.list, generating the mysql.gpg key starting from 5072E1F5 key.

Consider that the messages you have are only warnings: if something goes bad, restore the files as they are and keep the warnings, they are not harmful.