Key is stored in legacy trusted.gpg keyring after Ubuntu 22.04 update
This answer is a customization of the one provided by matigo user here.
You need to export the GPG key from the deprecated keyring and store it in /usr/share/keyrings
for every repo.
-
Let's begin with DigitalOcean key. Open Terminal and export the
9FE3 B226 BD77 5196 D8C2 E599 DE88 104A A4C6 383F
key:sudo apt-key export A4C6383F | sudo gpg --dearmour -o /usr/share/keyrings/digitalocean-agent.gpg
Note: The
A4C6383F
value comes from the last 8 characters of thepub
code from theapt-key list
output. -
Now we can update our apt source file
/etc/apt/sources.list.d/digitalocean-agent.list
), adding asigned-by
tag. Open it by:sudo -H gedit /etc/apt/sources.list.d/digitalocean-agent.list
and add the tag
[arch=amd64 signed-by=/usr/share/keyrings/digitalocean-agent.gpg]
just after thedeb
keyword and before the URL.I don't know the exact content of
digitalocean-agent.list
, but it should be eventually something similar to:deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] packages.microsoft.com/repos/edge stable main
-
Run
sudo apt update
to confirm the message is gone -
If the message is gone, remove the original signature:
sudo apt-key del A4C6383F
-
Repeat the steps for
cloudflare-main.list
, generating thecloudflare-main.gpg
key starting from8CACCBF8
key. -
Repeat the steps for
mysql.list
, generating themysql.gpg
key starting from5072E1F5
key.
Consider that the messages you have are only warnings: if something goes bad, restore the files as they are and keep the warnings, they are not harmful.
newcat1000
Updated on January 04, 2023Comments
-
newcat1000 over 1 year
I get 3 warnings after Ubuntu 22.04 update on a Digital Ocean LAMP stack droplet.
W: http://repo.mysql.com/apt/ubuntu/dists/bionic/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details. W: https://repos.insights.digitalocean.com/apt/do-agent/dists/main/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details. W: http://pkg.cloudflare.com/dists/trusty/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
How to move the keys to the right location and delete the old keys?
EDIT
sudo apt-key list
pub rsa2048 2016-02-17 [SC] 9FE3 B226 BD77 5196 D8C2 E599 DE88 104A A4C6 383F uid [ unknown] DigitalOcean Insights Engineering <[email protected]> sub rsa2048 2016-02-17 [E] pub rsa2048 2015-01-28 [SC] FBA8 C0EE 6361 7C5E ED69 5C43 254B 391D 8CAC CBF8 uid [ unknown] CloudFlare Software Packaging <[email protected]> pub dsa1024 2003-02-03 [SCA] [expired: 2022-02-16] A4A9 4068 76FC BD3C 4567 70C8 8C71 8D3B 5072 E1F5 uid [ expired] MySQL Release Engineering <[email protected]> pub rsa4096 2021-12-14 [SC] [expires: 2023-12-14] 859B E8D7 C586 F538 430B 19C2 467B 942D 3A79 BD29 uid [ unknown] MySQL Release Engineering <[email protected]> sub rsa4096 2021-12-14 [E] [expires: 2023-12-14] /etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg ------------------------------------------------- pub rsa4096 2016-11-02 [SC] 7BF5 7606 6ADA 6572 8FC7 E70A 8C47 BE8E 75BC A694 uid [ unknown] Launchpad PPA for certbot /etc/apt/trusted.gpg.d/ondrej-ubuntu-apache2.gpg ------------------------------------------------ pub rsa1024 2009-01-26 [SC] 14AA 40EC 0831 7567 56D7 F66C 4F4E A0AA E526 7A6C uid [ unknown] Launchpad PPA for Ondřej Surý /etc/apt/trusted.gpg.d/ondrej_ubuntu_php.gpg -------------------------------------------- pub rsa1024 2009-01-26 [SC] 14AA 40EC 0831 7567 56D7 F66C 4F4E A0AA E526 7A6C uid [ unknown] Launchpad PPA for Ondřej Surý /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg ------------------------------------------------------ pub rsa4096 2012-05-11 [SC] 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092 uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]> /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg ------------------------------------------------------ pub rsa4096 2018-09-17 [SC] F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>
ls -l /etc/apt/sources.list.d
-rw-r--r-- 1 root root 276 Apr 8 15:51 certbot-ubuntu-certbot-xenial.list -rw-r--r-- 1 root root 276 Apr 8 15:51 certbot-ubuntu-certbot-xenial.list.distUpgrade -rw-r--r-- 1 root root 274 Mar 13 2020 certbot-ubuntu-certbot-xenial.list.save -rw-r--r-- 1 root root 43 Apr 8 15:51 cloudflare-main.list -rw-r--r-- 1 root root 43 Apr 8 15:51 cloudflare-main.list.distUpgrade -rw-r--r-- 1 root root 43 Mar 13 2020 cloudflare-main.list.save -rw-r--r-- 1 root root 67 Apr 8 15:51 digitalocean-agent.list -rw-r--r-- 1 root root 67 Apr 8 15:51 digitalocean-agent.list.distUpgrade -rw-r--r-- 1 root root 67 Mar 13 2020 digitalocean-agent.list.save -rw-r--r-- 1 root root 501 Apr 8 15:51 mysql.list -rw-r--r-- 1 root root 501 Apr 8 15:51 mysql.list.distUpgrade -rw-r--r-- 1 root root 137 Apr 8 15:51 ondrej-ubuntu-apache2-hirsute.list -rw-r--r-- 1 root root 135 Apr 8 15:51 ondrej-ubuntu-apache2-hirsute.list.distUpgrade -rw-r--r-- 1 root root 123 Apr 8 15:51 ondrej-ubuntu-php-xenial.list -rw-r--r-- 1 root root 124 Apr 8 15:51 ondrej-ubuntu-php-xenial.list.distUpgrade -rw-r--r-- 1 root root 125 Apr 8 19:11 signal-xenial.list
-
Admin about 2 yearsYou should follow the indications in askubuntu.com/questions/1398344/… answer but customizing them for your three repos. If you edit your post with the output of
sudo apt-key list
andls -l /etc/apt/sources.list.d
, it is possible to provide an answer specific for your scenario.
-
-
Admin about 2 yearsNote: In my /etc/apt/sources.list.d/mysql.list there are 3 deb repositories and 1 deb-src repository. I added the [arch=amd64 signed-by=/usr/share/keyrings/mysql.gpg] in the deb-src repository.
-
Admin almost 2 yearsDo note that the "signed-by" repositories won't show up in the "Other Software" tab of the "Software & Updates" application any more afterwards.
-
Admin almost 2 yearsIndeed @Forage, it did disappear. Why is that and is there a way to prevent this ? I'd like to keep every PPA I added in the same place (or am I misunderstanding the goal of the "Other Software" tab ?)
-
Admin almost 2 years@AntoineLaffargue I can't exactly tell you why, but I assume the "Software & Updates" application simply can't deal with repositories that have the additional argument and needs to be modified in order to do so. Pretty awkward that deprecation warnings are already given without the whole software chain being able to deal with the recommended fix yet. For now you either accept those warnings, accept the lack of seeing the modified repositories or you place the keys in
/etc/apt/trusted.gpg.d/
without adding thesigned-by
argument. -
Admin almost 2 yearsPlease see my simplified answer here.