After warnings about apt-key becoming deprecated and conscientious study on signing files, the OpenPGP standard, the gpg tool etc. (I'm new to Linux and learning) I've managed to move all my public keys from the etc/apt/trusted.d folder to separate files in usr/share/keyrings and add [signed-by...] to PPA sources in sources.list.d.

However now I'm trying to do the same for Ubuntu repositories in sources.list file. I've exported listed keys from trusted.gpg file and added [signed-by..] param. Then I deleted trusted.gpg file. The moved key files are in ascii-dearmoured/binary gpg format.

deb [signed-by=/usr/share/keyrings/Ubuntu-moved-keyring.gpg] http://archive.ubuntu.com/ubuntu jammy main restricted

But when I run apt update I get an error

E: Conflicting values set for option Signed-By regarding source http://archive.ubuntu.com/ubuntu/ jammy: ...

Using Ubuntu system tools I restored defaults and so got the trusted.gpg file back but I'm back to square one - apt update complains about the legacy way keys are stored:

1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

I'm stuck. My understanding is that actually this does not pose any threat of cross-signing sources with another publisher's compromised key since my trusted.gpg file contains only Ubuntu keys but still I'd like to sort the issue.

Joey

2 Answers

The "hacky" way of solving this is to run:

mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/

This should satisfy apt. The more correct way would be to get the official Ubuntu keyfiles again - but I'm actually not aware of the correct procedure for this.

Also see this thread.

Artur Meinild

After a thorough search of various websites and forums, I found that the binary file <KEY_ID>.gpg should be located in /usr/share/keyrings/. Keyrings must be in binary format to function correctly. You can convert it by running:

sudo gpg --export --armor <KEY_ID> | sudo gpg --dearmor -o /usr/share/keyrings/<KEY_ID>.gpg

After adding the binary file to /usr/share/keyrings, update your source list to include:

signed-by:/usr/share/keyrings/<KEY_ID>.gpg

For example:

###### Ubuntu Main Repos
Enabled: yes
Types: deb deb-src
URIs: http://archive.ubuntu.com/ubuntu/
Suites: jammy
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

This line tells the package manager where to find the keyring. After making these changes, update your package list with:

sudo apt update

This refreshes the package list to recognize the new keyring configuration.
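An added audit script, not code from the question or either answer, that checks a set of source entries for the two problems discussed above: the same URI and suite carrying different Signed-By values (which apt reports as "Conflicting values set for option Signed-By") and entries with no Signed-By at all (which fall back to the legacy trusted.gpg keyring). It parses both one-line sources.list entries and deb822 stanzas; the sample entries at the bottom are constructed.

```python
"""Audit apt sources for the Signed-By conflict and the legacy-keyring fallback
seen in the question. Added example, not code from the question or either
answer; the sample entries at the bottom are constructed."""
import re
from collections import defaultdict

ONE_LINE = re.compile(r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")

def parse_one_line(text):
    """Yield (uri, suite, signed_by) for each one-line sources.list entry."""
    for line in text.splitlines():
        m = ONE_LINE.match(line.strip())   # comments and blank lines do not match
        if not m:
            continue
        signed_by = None
        for opt in (m.group("opts") or "").split():
            key, _, value = opt.partition("=")
            if key.lower() == "signed-by":
                signed_by = value
        yield m.group("uri").rstrip("/"), m.group("suite"), signed_by

def parse_deb822(text):
    """Yield (uri, suite, signed_by) for each deb822 (.sources) stanza."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                fields[key.strip().lower()] = value.strip()
        for uri in fields.get("uris", "").split():
            for suite in fields.get("suites", "").split():
                yield uri.rstrip("/"), suite, fields.get("signed-by")

def audit(entries):
    """conflicts: (uri, suite) -> distinct Signed-By values apt would reject;
    unsigned: sources that would fall back to /etc/apt/trusted.gpg."""
    seen = defaultdict(set)
    for uri, suite, signed_by in entries:
        seen[(uri, suite)].add(signed_by)   # apt detects conflicts per URI + suite
    conflicts = {k: v for k, v in seen.items() if len(v) > 1}
    unsigned = sorted(k for k, v in seen.items() if None in v)
    return conflicts, unsigned

# Constructed sample: jammy appears twice with different keyrings (the
# question's error); jammy-updates has no signed-by (the legacy warning).
SAMPLE_LIST = """deb [signed-by=/usr/share/keyrings/Ubuntu-moved-keyring.gpg] http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted"""
SAMPLE_DEB822 = """Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: jammy
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg"""

def run_sample():
    return audit(list(parse_one_line(SAMPLE_LIST)) + list(parse_deb822(SAMPLE_DEB822)))
```

Feeding it the real contents of /etc/apt/sources.list and /etc/apt/sources.list.d/* shows which entries still need a matching Signed-By before removing trusted.gpg.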