How to fix - Warning: apt-key is deprecated (in Linux Mint 21 and Ubuntu 22.04)

[Qapla]

I am testing the Mint 21 Cinnamon beta. The apt-key warning appears, after a Private Package Archive (PPA) has been added, when running sudo apt update in a terminal or when doing Refresh in Update Manager. The warning can be ignored because the update is successful even though Update Manager shows it as an error. But apt-key will be removed in the next release of Ubuntu, so until the many PPA maintainers update their install process this warning will persist. (Linux Mint will continue to use Ubuntu 22.04 until Mint 22 in comes out in 2024.)

I do not want to see warnings/errors evertime I do an update/refresh. I added six PPAs to my system: LibreOffice, Gimp, Qbittorrent, MakeMKV, Veracrypt, Syncthing. Five of them generate the warning. So after much research I found the easiest way to fix it. It may look like a lot, but there are only three simple steps (per PPA).

If the PPA you use already has a [signed-by ...] parameter in its install instructions, you do NOT need to fix it. Syncthing uses the correct format without apt-key, so it is ready for the future.

First, get a list of the keys for all your installed PPAs. Open a terninal and run

Code: Select all

sudo apt-key list

Each PPA will be listed showing "pub rsa<some-number> <some-date>" then a second line with a 40 digit hexadecimal key fingerprint. Write down the last 8 digits of each fingerprint, like LibreOffice 1378B444, or Gimp 852541CB, etc. You can also get these keys graphically by opening Software Sources from the Mint Menu, and choosing Authentication Keys.

Then, extract the keys to a location out of the apt-key area. Some research suggests using /etc/apt/keyrings/, but the Debian structure on which Ubuntu is built recommends /usr/share/keyrings/ (and that is already being used by Syncthing). For each PPA you listed above, run:

Code: Select all

sudo apt-key export <8-digit-fingerprint-numbers-here!> | sudo gpg --dearmour -o /usr/share/keyrings/<product-name-here!>-archive.keyring.gpg

(without the < > characters, of course). For example, I ran

Code: Select all

sudo apt-key export 7CA69FC4 | sudo gpg --dearmour -o /usr/share/keyrings/qbittorrent-archive.keyring.gpg

Next, go into /etc/apt/sources.list.d and edit each of the PPA .list files. I used the file browser, right click, Open as Root, and just double clicked to open each file in Xed. In each file between deb and the url, add [signed-by=/usr/share/keyrings/<product-name-here!>-archive.keyring.gpg].

For example, in: qbittorrent-team-qbittorrent-stable-jammy.list I changed
deb http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu jammy main
to

Code: Select all

deb [signed-by=/usr/share/keyrings/qbittorrent-archive.keyring.gpg] http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu jammy main

When all the PPAs are [signed-by], optionally delete the keys from the apt-key area. This is not really necessary because the [signed-by] bypasses them, but I like cleaning obsolete entries. Open Software Sources from the Mint Menu, choose Authentication Keys, and delete the keys you just bypassed.

Finally, run sudo apt update and/or Refresh in Update Manager. The warnings should be gone.

Other researchers have listed ways of directly downloading keys into /usr/share/keyrings and hand entering PPA urls into sources.list.d, but that is skirting around what PPA maintainers have set up. Maintainers will have to adapt to the next Ubuntu, so I would rather just fix the current structure.

Some of the research I used:
https://askubuntu.com/questions/1286545 ... ed-apt-key
https://www.linuxuprising.com/2021/01/a ... o-add.html
https://www.techrepublic.com/article/ho ... in-ubuntu/

In many references you will see "How to solve the apt-key error the quick way" by copying the trusted.gpg file into the trusted.gpg.d. DO NOT DO THIS! The askubuntu reference above explains how this makes the security of your system even worse than it is with apt-key now.

[ronsmeyer]

Very helpful - Thank you for posting these instructions.

[shinmarwan]

damn i did trusted.gbg.g thing .
how do i reverse it ?

[Qapla]

damn i did trusted.gbg.g thing .

I hope there are a couple typos in what you wrote and you meant trusted.gpg.d. If not, I have no idea what you did.

First, you do not have to "reverse" it. It will work, but you are more exposed to UNtrusted PPAs. But if you only did a copy and not a move, then you can just RM (remove) what you copied, then do the individual [signed-by] as above. I wish you Qapla' !

[actaris]

Thank you: you made my headache go away

[danielmanqui]

A mi me funciono perfectamente para gns3 y grub-customizer, muchas gracias!

[stingray]

Thank you! I was having this issue with Skype. One thing to note, in the last step my .list said:

deb [arch=amd64] https://repo.skype.com/deb stable main

so the "signed-by" goes inside the same brackets, like:

Code: Select all

deb [arch=amd64 signed-by=/usr/share/keyrings/skype-archive.keyring.gpg] https://repo.skype.com/deb stable main

I hope that's right! It didn't work adding as a separate bracket.

[Qapla]

I hope that's right! It didn't work adding as a separate bracket.

Well, if it works it must be right. I had not run into an entry with preexisting brackets. Glad you figured it!

[colibris79]

deb http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu jammy main
to

Code: Select all

deb [signed-by=/usr/share/keyrings/qbittorrent-archive.keyring.gpg] http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu jammy main

How can I modify the .list file when it has the architecture in it?
For example:

Code: Select all

deb [arch=amd64] https:website.com

I've tried with the [signed-by] both before and after the [arch=amd64] but it will just show an error and nothing will update

EDIT: Ok, just had to paste the signed-by together with the arch.

Code: Select all

[arch=amd64 signed-by=/usr/share/keyrings/theprogram-archive.keyring.gpg]

[karlchen]

<mod>
Split off a support question from the tutorial thread. Sevin's question can be found here: viewtopic.php?f=90&t=384536
</Mod>

[Nightwing]

Well, i gave this Tutorial another chance, cause in the past I had errors.
I'm using Mint 21 CInnamon.
If i only edit the *.list file after the deb entry with [signed-by=...], I'll get this error: Conflicting values set for option Signed-By regarding source,
but if I'll edit both, the deb and deb-src, then it works nicely.
That's weird, feeling not right about it, any suggestions?

Here's an example:

Code: Select all

deb [signed-by=/usr/share/keyrings/name-of-ppa-keyring.gpg] http://ppa.launchpad.net/name-of/ppa/ubuntu jammy main
deb-src [signed-by=/usr/share/keyrings/name-of-ppa-keyring.gpg] http://ppa.launchpad.net/name-of/ppa/ubuntu jammy main

To convert the keys, I just deleted my 5 ppa's, added it new and using this code:

Code: Select all

sudo gpg --no-default-keyring --keyring /usr/share/keyrings/name-of-ppa-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys XXXXXXXXXXXFINGERPRINT-CODEXXXXXXXXXXXX

After that I deleted the old key (sudo apt-key list | sudo apt-key del XXXXXXXX)

Thanks for any suggestions,

ToM

[T-C-R]

a really useful HOWTO, thanks for sharing.
All my warnings have gone, great.
One glitch that I have discovered: In the GUI for "Softwaresources" under "PPA" the entries in the list are showing totally different content compared to the elements that I haven't touched (but disabled to avoid the warnings.
The header is saying "[signed-by=/usr/share/keyring/scribus-archive.keyring.gpg]" where there was simply "scribus ..." before.

Not really more than a cosmetic problem, since everything seems to work out fine, but I wonder why is this?

[Nightwing]

Hello T-C-R,

that's right, but like you said: just cosmetic. You can't either klick on open in the GUI, but when you search in synaptic, you'll find other programs from the ppa, so i think it's okay for a while (=til it gets fixed nicely)
Getting rid of the annoying messages and warnings is worth the cosmetic GUI bug...

ToM

[T-C-R]

Hi Nightwing,
absolutely, that´s a real minor thing to accept compared to being exposed to the warnings all the time, and to support a discouraged method which is security related longer than you should.
I´m happy with the result, waiting for the final fix is not really a challenge.
Thanks!

[j4m13s]

Hi,

You can read the tutorial here https://www.omgubuntu.co.uk/2022/06/fix ... -on-ubuntu
Hope it can help your problem.

Jemmy Surya,

[Spiderspoon]

Next, go into /etc/apt/sources.list.d and edit each of the PPA .list files. I used the file browser, right click, Open as Root, and just double clicked to open each file in Xed. In each file between deb and the url, add [signed-by=/usr/share/keyrings/<product-name-here!>-archive.keyring.gpg].

For example, in: qbittorrent-team-qbittorrent-stable-jammy.list I changed
deb http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu jammy main
to

Code: Select all

deb [signed-by=/usr/share/keyrings/qbittorrent-archive.keyring.gpg] http://ppa.launchpad.net/qbittorrent-team/qbittorrent-stable/ubuntu jammy main

In my /etc/apt/sources.list.d I have 2 files. I am interested in the file

Code: Select all

/etc/apt/sources.list.d/danielrichter2007-grub-customizer-jammy.list

. The code inside this file is

Code: Select all

deb http://ppa.launchpad.net/danielrichter2007/grub-customizer/ubuntu jammy main
# deb-src http://ppa.launchpad.net/danielrichter2007/grub-customizer/ubuntu jammy main

For qbittorent, it seems that is all you had to type for the <product name here>. Can I just type grub-customizer for the product name?

The other file is not causing any issues for me. Can I just do your recommended routine just for grub-customizer?

Why am I doing this? Please refer to viewtopic.php?f=47&t=386406&p=2264990#p2264990

My error or warning is

Code: Select all

! An error occurred
The following details are provided:
W: http://ppa.launchpad.net/danielrichter2007/grub-customizer/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

[Spiderspoon]

I just did an update using Update Manager. There were 2 items there, so I did that. No problems. So then I did a refresh in Update Manager. This once again brought the error message shown above. I don't think it's really much of a problem, just annoying.

[Spiderspoon]

I did it and it worked this time. Thanks.

[deepakdeshp]

Please mark solved as per my signature.

[SMG]

Please mark solved as per my signature.

This is a tutorial. We do not mark Tutorials solved.