With Ubuntu 22.04 and beyond, apt-key has been deprecated and will eventually be removed.
This creates deprecation messages, so to solve this and attempt to improve security, I followed the following topics:
- What commands (exactly) should replace the deprecated apt-key?
- Key is stored in legacy trusted.gpg keyring after Ubuntu 22.04 update [duplicate]
I exported almost all keys from /etc/apt/trusted.gpg to a directory /usr/share/keyrings following the information in this answer:
This answer is a customization of the one provided by matigo user here. You need to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings for every repo.
This led to exporting many keys from the deprecated keyring into the /usr/share/keyrings directory created by me.
For each exported key, I also created/updated its associated three .list files, with the list files being stored in /etc/apt/sources.list.d.
After that I deleted the keys I exported:
sudo apt-key del LAST_8_KEY_DIGITS
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
While apt-key throws this recommendation of using the /etc/apt/trusted.gpg.d directory, from what I read in this thread answer it should be avoided as well:
All of the answers so far work around the symptom ("Don't use apt-key add") but fail to address the actual problem that led to apt-key add being deprecated. The problem is not a question of appending a key to one big keyring file etc/apt/trusted.gpg vs manually putting single-key keyring files into the directory /etc/apt/trusted.gpg.d/. These two things are equivalent, and doing either one is a huge security risk.
Now that you have your converted key, do not add it to apt's trusted keystore by copying it into /etc/apt/trusted.gpg.d/. Instead, put it somewhere like /etc/apt/keyrings/. (You might need to create that keyrings directory first.) There's nothing special about that location, it's just a convention recommended by man 5 sources.list in Ubuntu 22.04 and a related Debian Wiki entry.
So after following those threads and implementing the suggestions, I now have:
- Repository .list files in /etc/apt/sources.list.d.
- The actual GPG keys in /usr/share/keyrings.
I am able to run apt update and it correctly hits all the third-party repositories I exported from the deprecated file of apt-key.
The question is, is it possible to edit the "Software & Updates" program of Ubuntu (software-properties-gtk) to show the GPG keys again?
Not having them in the /etc/apt/trusted.gpg.d/ directory or the /etc/apt/trusted.gpg file is better for security from what I understand, but now software-properties-gtk cannot list repositories.
In this process of deprecating apt-key and improving security, is it possible to point software-properties-gtk to /etc/apt/sources.list.d and /usr/share/keyrings for it to show me the repositories in the "Other Software" tab of the "Software & Updates" GUI?
Grateful for any insight!
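An audit of the layout described in the question, as an added example that is not part of the original post: it walks one-line-style .list files and reports, per entry, whether the signed-by option is absent, points into the globally trusted locations, or names a keyring file that does not exist. The function names, the ROOT argument and the *.example sample entries are constructed for illustration, and only a single keyring path per signed-by is handled.

```shell
#!/bin/sh
# Added example: audit one-line-style APT entries under ROOT/etc/apt/sources.list.d.
# Prints "STATUS<TAB>list file<TAB>URI" for every deb/deb-src line.
# Assumption: signed-by holds a single keyring path (no fingerprints or lists).
audit_sources() {
    root=$1
    for list in "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$list" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                deb\ *|deb-src\ *) ;;
                *) continue ;;                  # comments, blanks, disabled entries
            esac
            rest=${line#* } opts='' key=''
            case $rest in
                \[*\]*) opts=${rest#\[}; opts=${opts%%\]*}; rest=${rest#*\] } ;;
            esac
            for opt in $opts; do
                case $opt in signed-by=*) key=${opt#signed-by=} ;; esac
            done
            case $key in
                '') status=NO_SIGNED_BY ;;      # falls back to the global keyrings
                /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) status=GLOBAL_TRUST ;;
                *) if [ -f "$root$key" ]; then status=OK; else status=MISSING_KEY; fi ;;
            esac
            printf '%s\t%s\t%s\n' "$status" "${list##*/}" "${rest%% *}"
        done < "$list"
    done
}

# Constructed sample tree so the audit runs without touching the real /etc/apt.
make_sample_root() {
    tmp=$(mktemp -d)
    d=$tmp/etc/apt/sources.list.d
    mkdir -p "$d" "$tmp/usr/share/keyrings"
    : > "$tmp/usr/share/keyrings/vendor-a.gpg"
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-a.gpg] https://a.example/apt stable main' > "$d/vendor-a.list"
    printf '%s\n' '# legacy entry' 'deb https://b.example/apt stable main' > "$d/vendor-b.list"
    echo 'deb [signed-by=/etc/apt/trusted.gpg.d/vendor-c.gpg] https://c.example/apt stable main' > "$d/vendor-c.list"
    echo 'deb [signed-by=/usr/share/keyrings/vendor-d.gpg] https://d.example/apt stable main' > "$d/vendor-d.list"
    echo "$tmp"
}

sample=$(make_sample_root)
audit_sources "$sample"
rm -rf "$sample"
```

Calling `audit_sources ''` runs the same check against the live /etc/apt/sources.list.d; any line other than OK marks an entry that is not pinned to an existing per-repository keyring.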