Ubuntu – How to add repo gpg keys as apt-key is deprecated

Tags: apt, gnupg, ppa, repository, updates

After one of my recent updates, I noticed that my 3rd party repos were failing to update due to the NO_PUBKEY error from apt. I looked for hours to find a fix, but all fixes suggest using apt-key. However, that no longer works because it has been deprecated. So I manually copied one repo's keys from /usr/share/keyrings to /etc/apt/trusted.gpg.d as a test and that seems to work. Now everything works for that app.

My question is: is there a new function to download keys from a keyserver instead of the apt-key function? Most sites have not realized this change and offer the apt-key command for their repo keys, and that just returns errors now. And how do I update my current third-party repo keys, as only they have the problem? Should I manually cp the keys as I mentioned above, or is there a more efficient solution?

EDIT: I am on 20.10. Apt-key works for 20.04 but not after that.

$ sudo apt update
Err:9 http://repo.vivaldi.com/stable/deb stable Release.gpg
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://repo.vivaldi.com/stable/deb stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Failed to fetch http://repo.vivaldi.com/stable/deb/dists/stable/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9658E8044A3AA3D6
W: Some index files failed to download. They have been ignored, or old ones used instead.

Best Answer

apt-key never downloaded keys by itself. apt-key adv passed on options to gpg, and gpg did the actual downloading (apt-key is a complicated shell script that itself creates temporary scripts to run gpg). You can still use gpg to import keys, e.g. instead of apt-key adv --recv-keys, you'd do something like:

sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/foo.gpg --recv-keys 9658E8044A3AA3D6

Or instead of wget ... | apt-key add -:

wget -qO - https://example.com/somekey.gpg |
  sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/example.gpg --import -

Notes:

  1. GnuPG will create trust stores in root's home directory. Use --homedir with some other path if you want to avoid that.
  2. GnuPG creates keyrings in the new keybox format by default, and these don't work with apt, but using the gnupg-ring: prefix makes it use the old format for some reason.

If your software already had keyrings installed in /usr/share/keyrings, then presumably their sources.list entries should have had something like [signed-by=/usr/share/keyrings/foo.gpg] (cf. the Debian Wiki).
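As an added example (not part of the answer above, and not code from any repository vendor), the following POSIX shell script automates the wget ... | gpg route from the answer, but writes a per-repository keyring that a [signed-by=...] entry references instead of dropping the key into /etc/apt/trusted.gpg.d. It checks the leading bytes of the downloaded file to tell ASCII-armored keys, binary OpenPGP keys and GnuPG keybox files apart (the keybox header begins with a 32-byte block carrying the "KBXf" magic; binary OpenPGP keyrings start with a public-key packet, tag 6), dearmors only when needed, and refuses keybox files, which apt does not read (note 2 above). The keyring directory, file names and https://example.com/deb URL are placeholder assumptions; the sample key files in the usage notes are constructed stubs, not real keys.

```shell
#!/bin/sh
# Added example: install a third-party apt repository key without apt-key.
# Assumes only coreutils (head, od, tr, cp, chmod) and gpg; paths and URLs
# below are hypothetical placeholders.

# Classify a key file by its first 12 bytes:
#   armored  - ASCII armor ("-----BEGIN PGP PUBLIC KEY BLOCK-----")
#   keybox   - GnuPG keybox (.kbx): 32-byte header, bytes 8..11 are "KBXf"
#   openpgp  - binary OpenPGP: first byte is a public-key packet tag (tag 6),
#              0x98..0x9b in old packet format or 0xc6 in new format
#   unknown  - anything else
detect_key_format() {
    hdr=$(head -c 12 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        2d2d2d2d2d424547494e*)    echo armored ;;
        00000020????????4b425866) echo keybox ;;
        9[89ab]*|c6*)             echo openpgp ;;
        *)                        echo unknown ;;
    esac
}

# Turn SRC (a downloaded key in any of the formats above) into a binary
# OpenPGP keyring at DEST, which is what apt expects behind signed-by= or in
# trusted.gpg.d. Keybox files are rejected rather than silently installed,
# because apt would not be able to use them.
install_repo_key() {
    src=$1
    dest=$2
    case "$(detect_key_format "$src")" in
        armored) gpg --dearmor < "$src" > "$dest" || return 1 ;;
        openpgp) cp "$src" "$dest" || return 1 ;;
        keybox)  echo "refusing $src: keybox format is not readable by apt" >&2
                 return 1 ;;
        *)       echo "refusing $src: not an OpenPGP public key" >&2
                 return 1 ;;
    esac
    chmod 0644 "$dest"
}

# Build the sources.list line that pins the repository to that keyring.
# Usage: sources_entry KEYRING URL SUITE COMPONENT...
sources_entry() {
    keyring=$1
    url=$2
    suite=$3
    shift 3
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$*"
}

# Typical use (placeholder URL and names; run the last two steps as root):
#   wget -qO /tmp/example.key https://example.com/somekey.gpg
#   install_repo_key /tmp/example.key /usr/share/keyrings/example.gpg
#   sources_entry /usr/share/keyrings/example.gpg https://example.com/deb stable main \
#       > /etc/apt/sources.list.d/example.list
#   apt update
```

The difference from copying a key into /etc/apt/trusted.gpg.d is scope: a key there is trusted to sign every configured repository, whereas a key named in [signed-by=...] is only accepted for that one repository, so a compromised or careless third-party vendor key cannot be used to serve substitute packages for the Ubuntu archives. The format check also catches the failure mode from note 2: a keyring created by plain gpg --import without the gnupg-ring: prefix is a keybox file, and this script refuses it instead of leaving apt with a key it cannot parse.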
