Commands to replace the deprecated `apt-key` script

apt-key is deprecated, however there is no replacement available, neither does the man page document how to replace the commands apt-key provides. Here is my attempt.

apt-key list

This commands lists all keys stored in /etc/apt/trusted.gpg and any .gpg or .asc files in /etc/apt/trusted.gpg.d.

for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.{asc,gpg}; do
  gpg --list-keys --keyid-format short --no-default-keyring --keyring $f

apt-key adv

This command is used to download a key and store it in the “right” keyring. apt-key adv merges all keyrings into one, downloads the new key(s) and then merges back the changes. No need to replicate this setup.

Updating an expired key

If you’re updating an expired key, write it to the same keyring, replacing the expired key. To find any keyrings containing an expired key, run the following:

for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.{asc,gpg}; do
  $(gpg --list-keys --no-default-keyring --keyring $f | fgrep -iq expired) && echo "Expired key in $f"

Once you’ve identified the keyring and key ID, download the new key:

sudo gpg --recv-keys --no-default-keyring --keyring /etc/apt/trusted.gpg.d/<FILENAME>.gpg --keyserver <KEY_ID>

Downloading a new key

When downloading a new key, create a new keyring in /etc/apt/trusted.gpg.d. Note that on recent versions of gpg, this keyring will be in “GPG keybox database version 1” format, which is incompatible with apt-key.

Choose a suitable filename for the new keyring and download the key:

sudo gpg --recv-keys --no-default-keyring --keyring /etc/apt/trusted.gpg.d/<FILENAME>.kbx --keyserver <KEY_ID>
About the author:

Site Reliability Engineer at Google in London, UK. Former Computational Scientist at ECMWF in Reading, UK. PhD from Imperial College. Public speaker. Feminist. Pythonista. Cyclist. Open source / open data enthusiast. Hobbyist photographer. PyData London co-founder.