How to add a GPG key to the apt sources keyring?

Question

Ubuntu Doc page says this:

It is advisable that you add the Opera GPG key.

wget -qO - http://deb.opera.com/archive.key | sudo apt-key add -

Where do I add that?

I want to take the advice but I don't know what part of software center to add gpg keys to.

score 137 · Accepted Answer · edited Nov 15 '23 at 17:15

Note from Moderators: This solution is no longer functional since apt-key has been deprecated. However, there is no capability to change if a message is accepted or not, other than deletion of the answer, and for historical reasons AND the massive number of upvotes since the original post in 2013 prevent us from deleting this post.

Please do not raise flags regarding "insecure" and "deprecated" natures of this answer.

This a a one line command to enter in terminal. See What is a terminal and how do I open and use it?

To use it, you would paste the entire command in the terminal (remember to use https):

wget -qO - https://deb.opera.com/archive.key | sudo apt-key add -

But of course, it is daunting just copying and pasting commands without knowing what they are doing, and having no instructions on how to undo their actions, so here is a basic breakdown of the commands:

wget downloads something from a server. See wget manual for Ubuntu 16.04.
| is a pipline, which takes the output of one command and runs it into the input of another
apt-key add adds a package key

So it basically downloads the key and then adds it in one command.

I tested the command and it should work.

Now to verify that it worked, run this command (from this answer):

apt-key list

This will list the keys added and the key from Opera should be listed on the bottom like this:

pub   1024D/30C18A2B 2012-10-29 [expires: 2014-10-29]
uid                  Opera Software Archive Automatic Signing Key 2013 <packager@opera.com>
sub   4096g/C528FCA9 2012-10-29 [expires: 2014-10-29]

The linked answer also shows that you can remove the key if needed, using:

sudo apt-key del 30C18A2B

with 30C18A2B being the key-id from the list.

After performing that command, and setting up the sources exactly like in your screen-shot, do:

sudo apt-get update
sudo apt-get install opera

(note there are some random warnings, but nothing that affects the install or software center operations)

And for the removal (just in case): What is the correct way to completely remove an application?

So in summary:

Add repository
Add key with apt-key
Install in terminal with apt-get
Search in dash

Paulo Coghi · Answer 2 · 2025-05-22T12:46:14.403

2025 Update

It is now recommended to use the GPG method, since apt-key is deprecated.

Step 1 - GPG file

Replace ppa-name.gpg with a repository name and 00000000 with the second part of the key informed in the repository website.

sudo mkdir -p /usr/share/keyrings/
sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --no-default-keyring --keyring /usr/share/keyrings/ppa-name.gpg --recv-keys 00000000

For example, if you find this line:

 4096R/7BF576066

Use only the second part (no matter its size), which in this example is 7BF576066

Step 2 - source list file

Then, add the key path at the list file, for example /etc/apt/sources.list.d/ppa-name.list, with the following:

deb [signed-by=/usr/share/keyrings/ppa-name.gpg] ...

For example at the file /etc/apt/sources.list.d/php.list, the key path is in this way:

deb [signed-by=/usr/share/keyrings/php-ondrej.gpg] https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble main 
deb-src [signed-by=/usr/share/keyrings/php-ondrej.gpg] https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble main

score 38 · Answer 3 · answered Dec 28 '16 at 17:11

Newer versions of apt also support the following:

apt-key adv --fetch-keys http://deb.opera.com/archive.key

This method also provides more detailed feedback as well, e.g.:

gpg: key 7BD9BF62: public key "signing key <username@domain.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

This also has the added bonus of removing the need for additional dependencies like wget or curl.

score 6 · Answer 4 · answered Dec 08 '20 at 17:33

You should not add third-party keys via apt-key add. These keys can then be used to sign any package on your machine, including those from the archive. Now you should only allow the key to sign only a specific package. Complete answer on UNIX.SE from user Trudy.

score 6 · Answer 5 · answered May 12 '22 at 11:36

apt-key now seems to be deprecated, I have created a script that will detect and get the missing keys, you can get it here.

#!/bin/sh -e
tmp="$(mktemp)"
sudo apt-get update 2>&1 | sed -En 's/.*NO_PUBKEY ([[:xdigit:]]+).*/\1/p' | sort -u > "${tmp}"
cat "${tmp}" | xargs sudo gpg --keyserver "hkps://keyserver.ubuntu.com:443" --recv-keys  # to /usr/share/keyrings/*
cat "${tmp}" | xargs -L 1 sh -c 'sudo gpg --yes --output "/etc/apt/trusted.gpg.d/$1.gpg" --export "$1"' sh  # to /etc/apt/trusted.gpg.d/*
rm "${tmp}"

x-yuri · Answer 6 · 2022-07-23T00:07:51.103

Let's say you want to add docker's repo key (an ASCII-armored key):

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
    | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

If you're not sure if the key is ASCII-armored:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | file -
/dev/stdin: PGP public key block Public-Key (old)

For a non-armored key the output will be along the lines of:

/dev/stdin: OpenPGP Public Key Version 4, Created ..., RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate

And to add it you need:

$ sudo curl -fsSL https://... -o /etc/apt/keyrings/NAME.gpg

More on it can be found here. But it suggests to install keys to /usr/share/keyrings, which is the location for package maintainers. More on it below.

For apt < 2.4.0 you need to create /etc/apt/keyrings before adding the key (Debian link):

apt (2.4.0) unstable; urgency=medium ...

Install an empty /etc/apt/keyrings directory. This directory is intended to provide an alternative to /usr/share/keyrings for placing keys used with signed-by.

That means before Ubuntu 22.04 Jammy, Debian 12 Bookworm.

Deprecating apt-key is a security measure. You can learn more on it here. As such, adding files to /etc/apt/trusted.gpg.d is also insecure. Because /etc/apt/trusted.gpg.d is a way to add keys to the keyring (/etc/apt/trusted.gpg) w/o apt-key add, by copying files.

Also note that:

The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator.

apt-key is deprecated since 2.1.8 (Debian link):

apt (2.1.8) unstable; urgency=medium ...

Fully deprecate apt-key, schedule removal for Q2/2022

In terms of releases that would be Ubuntu 21.10 Impish, Debian 11 Bullseye. The commit (Debian link).

Ability to specify signed-by in apt sources was added in 1.1.exp9 (Debian link):

apt (1.1~exp9) experimental; urgency=medium ...

implement Signed-By option for sources.list

The commit (Debian link).

Rex Linder · Answer 7 · 2023-09-25T19:45:14.603

3

Make sure to "dearmor" (aka convert to binary) before storing your pgp key in trusted.gpg.d:

cat mykey.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/mykey.gpg

edited Sep 25 '23 at 19:45

answered Sep 25 '23 at 19:04

Rex Linder

131

score 1 · Answer 8 · answered Apr 16 '19 at 05:27

1

Another way where you just have an .asc key, you download the .asc key and add it to the keyring.

For instance -

curl -L https://packages.riot.im/debian/repo-key.asc | sudo apt-key add -

answered Apr 16 '19 at 05:27

shirish

111
2

How to add a GPG key to the apt sources keyring?

8 Answers8

2025 Update

Linked