
Move keys from legacy trusted.gpg to usr/share/keyrings for Ubuntu sources as well


After warnings about apt-key becoming deprecated and conscientious study on signing files, the OpenPGP standard, the gpg tool etc. (I'm new to Linux and learning) I've managed to move all my public keys from the etc/apt/trusted.d folder to separate files in usr/share/keyrings and add [signed-by...] to the ppa sources in sources.list.d.

However, now I'm trying to do the same for the Ubuntu repositories in the sources.list file. I've exported the listed keys from the trusted.gpg file and added the [signed-by..] param. Then I deleted the trusted.gpg file. The moved key files are in ASCII-dearmoured/binary gpg format.

```
deb [signed-by=/usr/share/keyrings/Ubuntu-moved-keyring.gpg] http://archive.ubuntu.com/ubuntu jammy main restricted
```

But when I run apt update I get an error:

```
E: Conflicting values set for option Signed-By regarding source http://archive.ubuntu.com/ubuntu/ jammy: ...
```

Using Ubuntu system tools I restored the defaults and so got the trusted.gpg file back, but I'm back to square one: apt update complains about the legacy way the keys are stored:

```
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
```

I'm stuck. My understanding is that this does not actually pose any threat of cross-signing sources with another publisher's compromised key, since my trusted.gpg file contains only Ubuntu keys, but I'd still like to sort the issue.
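The "Conflicting values set for option Signed-By" error quoted above is what apt reports when the same URI and suite is listed more than once with different signed-by values, for instance once in sources.list without the option and once in a sources.list.d file with it. The check below is an added example, not code from the question or any answer: it scans classic one-line sources files and prints every URI/suite pair that carries conflicting signed-by values, so the duplicate entry can be located before running apt update. It assumes one-line `deb [options] URI suite components` entries (deb822 `.sources` files are not parsed), and the sample entries and keyring paths it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): report sources that apt would
# reject with "Conflicting values set for option Signed-By", i.e. the same
# URI + suite listed more than once with different signed-by values.
# Assumes classic one-line "deb [options] URI suite components" entries;
# deb822-style .sources files are not parsed.

# Usage: find_signed_by_conflicts FILE...  (e.g. /etc/apt/sources.list
# /etc/apt/sources.list.d/*.list). Prints one "URI suite" line per conflict.
find_signed_by_conflicts() {
    awk '
        /^[[:space:]]*deb(-src)?[[:space:]]/ {
            line = $0
            sub(/#.*/, "", line)                  # drop trailing comments
            sb = ""                               # signed-by value, "" if unset
            if (match(line, /\[[^]]*\]/)) {       # optional [opt=val ...] block
                opts = substr(line, RSTART + 1, RLENGTH - 2)
                n = split(opts, o, /[[:space:]]+/)
                for (i = 1; i <= n; i++)
                    if (tolower(o[i]) ~ /^signed-by=/) sb = substr(o[i], 11)
                line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
            }
            sub(/^[[:space:]]+/, "", line)
            nf = split(line, f, /[[:space:]]+/)   # f[1]=deb, f[2]=URI, f[3]=suite
            if (nf < 3) next
            uri = f[2]; sub(/\/+$/, "", uri)      # apt treats ubuntu and ubuntu/ alike
            key = uri " " f[3]
            if (!(key in seen)) { seen[key] = sb; order[++k] = key }
            else if (seen[key] != sb) conflict[key] = 1
        }
        END { for (i = 1; i <= k; i++) if (order[i] in conflict) print order[i] }
    ' "$@"
}

# Constructed demonstration input mirroring the situation in the question:
# the stock sources.list entry has no signed-by, while a second file pins the
# same URI + suite to a keyring (keyring paths are placeholders).
demo_sources_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/apt/sources.list (constructed)
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted
# /etc/apt/sources.list.d/ubuntu-moved.list (constructed)
deb [signed-by=/usr/share/keyrings/Ubuntu-moved-keyring.gpg] http://archive.ubuntu.com/ubuntu/ jammy main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/example-ppa.gpg] https://ppa.example.invalid/ubuntu jammy main
EOF
    printf '%s\n' "$f"
}

sample=$(demo_sources_file)
find_signed_by_conflicts "$sample"   # prints: http://archive.ubuntu.com/ubuntu jammy
rm -f "$sample"
```

Only `jammy` is reported: `jammy-updates` and the PPA appear once each, and apt is happy with a suite that is listed twice as long as both entries agree on the keyring. Passing all of `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*.list` in one call is what reproduces apt's view, since apt merges every file before checking the option.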

Artur Meinild:
I don't believe this is necessary for the Ubuntu keys. The point is that the Ubuntu keys are in fact trusted, and they should already be under `/etc/apt/trusted.gpg.d`. It's only keys from 3rd party sources that should be moved to `/usr/share/keyrings` and added to repos with a `signed-by` clause. At least this is how I've done it.
Joey:
Thanks for the confirmation, that's what I thought (last paragraph). Can I actually leave them in the default location, i.e. the trusted.gpg file and not the trusted.gpg.d folder?
Artur Meinild:
I think the latest apt would very much like you to put the keys in `/etc/apt/trusted.gpg.d`. I have two files in there on Ubuntu 22.04.
Answer:

The "hacky" way of solving this is to run:

```
mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/
```

This should satisfy apt. The more correct way would be to get the official Ubuntu keyfiles again, but I'm actually not aware of the correct procedure for this.

Also see this thread.

Joey:
Thanks! Looks like it's worth trying, as in trusted.gpg I have only Ubuntu repo keys. However, with 3rd party repos I think it wouldn't change much for the overall security, since I remember reading on a few pages that the trusted.gpg.d folder and the trusted.gpg file are trusted globally for every repo added to the system.