Key is stored in legacy trusted.gpg keyring after Ubuntu 22.04 update


This answer is a customization of the one provided by user matigo here. You need to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings for every repo.

  1. Let's begin with the DigitalOcean key. Open Terminal and export the 9FE3 B226 BD77 5196 D8C2 E599 DE88 104A A4C6 383F key:

    sudo apt-key export A4C6383F | sudo gpg --dearmour -o /usr/share/keyrings/digitalocean-agent.gpg

    Note: The A4C6383F value comes from the last 8 characters of the pub code from the apt-key list output.

  2. Now we can update our apt source file (/etc/apt/sources.list.d/digitalocean-agent.list), adding a signed-by tag. Open it with:

    sudo -H gedit /etc/apt/sources.list.d/digitalocean-agent.list

    and add the tag [arch=amd64 signed-by=/usr/share/keyrings/digitalocean-agent.gpg] just after the deb keyword and before the URL.

    I don't know the exact content of digitalocean-agent.list, but it should eventually be something similar to:

    deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge stable main
    
  3. Run sudo apt update to confirm the message is gone.

  4. If the message is gone, remove the original signature:

    sudo apt-key del A4C6383F

  5. Repeat the steps for cloudflare-main.list, generating the cloudflare-main.gpg key starting from the 8CACCBF8 key.

  6. Repeat the steps for mysql.list, generating the mysql.gpg key starting from the 5072E1F5 key.

Consider that the messages you have are only warnings: if something goes wrong, restore the files as they were and keep the warnings; they are not harmful.

Author by

newcat1000

Updated on January 04, 2023
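
Step 2 of the answer above, applied mechanically to a .list file that holds several entries (such as a mysql.list with both deb and deb-src lines); this is an added example, not part of the original answer. The function names `add_signed_by` and `unpinned_count` and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# add_signed_by LIST KEYRING: add signed-by=KEYRING to each deb/deb-src line.
# Comments and blank lines pass through; already-pinned lines are untouched,
# so running it twice is harmless. Assumes KEYRING contains no "&" or "\".
add_signed_by() {
    list=$1
    keyring=$2
    tmp=$(mktemp) || return 1
    awk -v kr="$keyring" '
        ($1 == "deb" || $1 == "deb-src") && $0 !~ /signed-by=/ {
            if ($2 ~ /^\[/) {
                sub(/\]/, " signed-by=" kr "]")   # extend existing [options]
            } else {
                sub(/^[ \t]*deb(-src)?[ \t]+/, "&[signed-by=" kr "] ")
            }
        }
        { print }
    ' "$list" > "$tmp" && cat "$tmp" > "$list"    # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# unpinned_count LIST: number of active entries still relying on global trust.
unpinned_count() {
    awk '($1 == "deb" || $1 == "deb-src") && $0 !~ /signed-by=/ { n++ }
         END { print n + 0 }' "$1"
}

# Demo on a constructed file (not the real /etc/apt/sources.list.d/mysql.list).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample entries
deb http://repo.mysql.com/apt/ubuntu/ bionic example-component
deb [arch=amd64] http://repo.mysql.com/apt/ubuntu/ bionic example-tools
deb-src http://repo.mysql.com/apt/ubuntu/ bionic example-component
EOF
add_signed_by "$demo" /usr/share/keyrings/mysql.gpg
cat "$demo"
echo "unpinned entries left: $(unpinned_count "$demo")"
rm -f "$demo"
```

Run it on a copy of the real file first; once `unpinned_count` reports 0 and `sudo apt update` is clean, the key can be removed from the legacy keyring as in step 4.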

Comments

  • newcat1000
    newcat1000 over 1 year

    I get 3 warnings after Ubuntu 22.04 update on a Digital Ocean LAMP stack droplet.

    W: http://repo.mysql.com/apt/ubuntu/dists/bionic/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: https://repos.insights.digitalocean.com/apt/do-agent/dists/main/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    W: http://pkg.cloudflare.com/dists/trusty/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
    

    How to move the keys to the right location and delete the old keys?

    EDIT

    sudo apt-key list

    pub   rsa2048 2016-02-17 [SC]
          9FE3 B226 BD77 5196 D8C2  E599 DE88 104A A4C6 383F
    uid           [ unknown] DigitalOcean Insights Engineering <[email protected]>
    sub   rsa2048 2016-02-17 [E]
    
    pub   rsa2048 2015-01-28 [SC]
          FBA8 C0EE 6361 7C5E ED69  5C43 254B 391D 8CAC CBF8
    uid           [ unknown] CloudFlare Software Packaging <[email protected]>
    
    pub   dsa1024 2003-02-03 [SCA] [expired: 2022-02-16]
          A4A9 4068 76FC BD3C 4567  70C8 8C71 8D3B 5072 E1F5
    uid           [ expired] MySQL Release Engineering <[email protected]>
    
    pub   rsa4096 2021-12-14 [SC] [expires: 2023-12-14]
          859B E8D7 C586 F538 430B  19C2 467B 942D 3A79 BD29
    uid           [ unknown] MySQL Release Engineering <[email protected]>
    sub   rsa4096 2021-12-14 [E] [expires: 2023-12-14]
    
    /etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg
    -------------------------------------------------
    pub   rsa4096 2016-11-02 [SC]
          7BF5 7606 6ADA 6572 8FC7  E70A 8C47 BE8E 75BC A694
    uid           [ unknown] Launchpad PPA for certbot
    
    /etc/apt/trusted.gpg.d/ondrej-ubuntu-apache2.gpg
    ------------------------------------------------
    pub   rsa1024 2009-01-26 [SC]
          14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
    uid           [ unknown] Launchpad PPA for Ondřej Surý
    
    /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg
    --------------------------------------------
    pub   rsa1024 2009-01-26 [SC]
          14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C
    uid           [ unknown] Launchpad PPA for Ondřej Surý
    
    /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
    ------------------------------------------------------
    pub   rsa4096 2012-05-11 [SC]
          8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
    uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>
    
    /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
    ------------------------------------------------------
    pub   rsa4096 2018-09-17 [SC]
          F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
    uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>
    

    ls -l /etc/apt/sources.list.d

    -rw-r--r-- 1 root root 276 Apr  8 15:51 certbot-ubuntu-certbot-xenial.list
    -rw-r--r-- 1 root root 276 Apr  8 15:51 certbot-ubuntu-certbot-xenial.list.distUpgrade
    -rw-r--r-- 1 root root 274 Mar 13  2020 certbot-ubuntu-certbot-xenial.list.save
    -rw-r--r-- 1 root root  43 Apr  8 15:51 cloudflare-main.list
    -rw-r--r-- 1 root root  43 Apr  8 15:51 cloudflare-main.list.distUpgrade
    -rw-r--r-- 1 root root  43 Mar 13  2020 cloudflare-main.list.save
    -rw-r--r-- 1 root root  67 Apr  8 15:51 digitalocean-agent.list
    -rw-r--r-- 1 root root  67 Apr  8 15:51 digitalocean-agent.list.distUpgrade
    -rw-r--r-- 1 root root  67 Mar 13  2020 digitalocean-agent.list.save
    -rw-r--r-- 1 root root 501 Apr  8 15:51 mysql.list
    -rw-r--r-- 1 root root 501 Apr  8 15:51 mysql.list.distUpgrade
    -rw-r--r-- 1 root root 137 Apr  8 15:51 ondrej-ubuntu-apache2-hirsute.list
    -rw-r--r-- 1 root root 135 Apr  8 15:51 ondrej-ubuntu-apache2-hirsute.list.distUpgrade
    -rw-r--r-- 1 root root 123 Apr  8 15:51 ondrej-ubuntu-php-xenial.list
    -rw-r--r-- 1 root root 124 Apr  8 15:51 ondrej-ubuntu-php-xenial.list.distUpgrade
    -rw-r--r-- 1 root root 125 Apr  8 19:11 signal-xenial.list
    
    • Admin
      Admin about 2 years
      You should follow the indications in askubuntu.com/questions/1398344/… answer but customizing them for your three repos. If you edit your post with the output of sudo apt-key list and ls -l /etc/apt/sources.list.d, it is possible to provide an answer specific for your scenario.
  • Admin
    Admin about 2 years
    Note: In my /etc/apt/sources.list.d/mysql.list there are 3 deb repositories and 1 deb-src repository. I added the [arch=amd64 signed-by=/usr/share/keyrings/mysql.gpg] in the deb-src repository.
  • Admin
    Admin almost 2 years
    Do note that the "signed-by" repositories won't show up in the "Other Software" tab of the "Software & Updates" application any more afterwards.
  • Admin
    Admin almost 2 years
    Indeed @Forage, it did disappear. Why is that and is there a way to prevent this? I'd like to keep every PPA I added in the same place (or am I misunderstanding the goal of the "Other Software" tab?)
  • Admin
    Admin almost 2 years
    @AntoineLaffargue I can't exactly tell you why, but I assume the "Software & Updates" application simply can't deal with repositories that have the additional argument and needs to be modified in order to do so. Pretty awkward that deprecation warnings are already given without the whole software chain being able to deal with the recommended fix yet. For now you either accept those warnings, accept the lack of seeing the modified repositories or you place the keys in /etc/apt/trusted.gpg.d/ without adding the signed-by argument.
  • Admin
    Admin almost 2 years
    Please see my simplified answer here.