what to do about apt-key deprecation?

Post by antiwesley »

What is going to happen with the apt-key situation?
This is more of a broad question, as it's part of the builds and the apt system on most Ubuntu-based systems I've seen.

Code:

W: https://downloads.plex.tv/repo/deb/dists/public/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
for example.

I've seen workarounds, and many suggestions that just simply don't work.
(moving the legacy keyring from /etc/apt/trusted.gpg into /etc/apt/trusted.gpg.d)
The system then doesn't see the keyring anymore, and it will not even download the updates to begin with for those files.

This is kind of important, as mesarc, from its PPA, is still using the apt-key-add function when it adds the PPA into the system.
For me, mesarc, Plex and Yandex.disk are the only ones that aren't storing in /etc/apt/trusted.gpg.d.
Even when I import the key through either software sources, or manually on the prompt, it still sends it to /etc/apt/trusted.gpg!

Help!
"What worries me is that it's a little like a dream that I shall shortly, but unpleasantly awake. "

Re: what to do about apt-key deprecation?

Post by SMG »

antiwesley wrote: Wed Nov 02, 2022 10:53 pm This is kind of important, as mesarc, from its PPA, is still using the apt-key-add function when it adds the PPA into the system.
For me, mesarc, Plex and Yandex.disk are the only ones that aren't storing in /etc/apt/trusted.gpg.d.
Even when I import the key through either software sources, or manually on the prompt, it still sends it to /etc/apt/trusted.gpg!
Please see this tutorial How to fix - Warning: apt-key is deprecated (in Linux Mint 21 and Ubuntu 22.04).

Re: what to do about apt-key deprecation?

Post by antiwesley »

So. Following that suggestion:

Code:

sudo apt-key export 9B2235DD | sudo gpg --dearmour -o /usr/share/keyrings/mesarc-archive.keyring.gpg
Then adding:

Code:

deb [signed-by=/usr/share/keyrings/mesarc-archive.keyring.gpg] https://ppa.launchpad.net/ernstp/mesarc/ubuntu/dists/jammy/InRelease
to /etc/apt/sources.list.d brings me to:

Code:

apt update
E: Malformed entry 1 in list file /etc/apt/sources.list.d/ernstp-mesarc-jammy.list (Suite)
E: The list of sources could not be read.
ALSO:

Code:

sudo apt-key export 7C90E5AF | sudo gpg --dearmour -o /usr/share/keyrings/yandexdisk-archive.keyring.gpg
deb [signed-by=/usr/share/keyrings/yandexdisk-archive.keyring.gpg] http://repo.yandex.ru/yandex-disk/deb/dists/stable/InRelease
Merits:
E: Malformed entry 1 in list file /etc/apt/sources.list.d/yandex.disk.list (Suite)

The above lines are the ONLY lines of code in their respective .list files. The exact same lines, only with the plex information filled in just worked fine.
The link does work in the browser, so the method suggested DOESN'T work for me for these two PPA/repo.

I've been working on this for two weeks, using the entire Internet to solve this, but every link I've followed DOESN'T fix this. So outside of Plex, the tutorial was pretty much useless, which leads me to believe that this shouldn't wait for the next iteration of mint.

Re: what to do about apt-key deprecation?

Post by antiwesley »

And as an interesting note: I searched apt-key from the main page, and there weren't any results.
Sorry for my crankiness on this, but as I've said, I've been trying to fix this for two weeks now.
I've manually added the keys, so they give me the warning, but still download the updates.

Re: what to do about apt-key deprecation?

Post by spamegg »

The syntax you used is wrong.

You did:

Code:

deb [signed-by=/usr/share/keyrings/mesarc-archive.keyring.gpg] https://ppa.launchpad.net/ernstp/mesarc/ubuntu/dists/jammy/InRelease
It should be:

Code:

deb [signed-by=/usr/share/keyrings/mesarc-archive.keyring.gpg] https://ppa.launchpadcontent.net/ernstp/mesarc/ubuntu jammy main
It tells you how to do it on the PPA website:
Screenshot from 2022-11-03 10-06-04.png

Re: what to do about apt-key deprecation?

Post by SMG »

antiwesley wrote: Thu Nov 03, 2022 12:08 am ... which leads me to believe that this shouldn't wait for the next iteration of mint.
This is not an issue with Linux Mint. This is an issue with the PPAs you are using.

Re: what to do about apt-key deprecation?

Post by Qapla »

antiwesley wrote: Wed Nov 02, 2022 10:53 pm What is going to happen with the apt-key situation?
As I said in the tutorial, it is entirely up to the PPA managers to make changes to their structures. If the apt-key support is removed in Ubuntu 23 as planned, the unchanged PPAs simply will not work. It is not a Mint issue. Linux Mint will not be affected until 2024 when Mint 22 is built on the Ubuntu 24.04 base.
Qapla' - Success! (Klingon salutation on departure to battle)

Re: what to do about apt-key deprecation?

Post by Termy »

I'm glad this thread came up, as I'm also very concerned about this, and a little frustrated! Quite often, these deprecated tools remain in the repositories for many years to come, so I do expect to use apt-key(8) as a separate package, which we, if we so choose, can install. I wish they had just fixed apt-key(8) or replaced it with a similar tool, rather than outright ditching it and screwing everyone over! It especially hurts the Ubuntu and Ubuntu-like crowd such as the Linux Mint users. Poor decision on Debian's part, IMO. Also, if the security issue was so bad that they were willing to make this mess, then why was it ignored for years on end?
I'm also Terminalforlife on GitHub.

Re: what to do about apt-key deprecation?

Post by antiwesley »

Termy wrote: Sat Nov 05, 2022 2:08 pm I'm glad this thread came up, as I'm also very concerned about this, and a little frustrated! Quite often, these deprecated tools remain in the repositories for many years to come, so I do expect to use apt-key(8) as a separate package, which we, if we so choose, can install. I wish they had just fixed apt-key(8) or replaced it with a similar tool, rather than outright ditching it and screwing everyone over! It especially hurts the Ubuntu and Ubuntu-like crowd such as the Linux Mint users. Poor decision on Debian's part, IMO. Also, if the security issue was so bad that they were willing to make this mess, then why was it ignored for years on end?
I guess in my OP I should have asked the question slightly differently, but you make a point. Why can't Mint take ownership and create a working fix that can be integrated into the kernel to fix it in the first place? I thought the whole point of the OS movement and the openness of the kernel was to have things like this taken care of by someone who can?

Re: what to do about apt-key deprecation?

Post by SMG »

antiwesley wrote: Thu Dec 01, 2022 8:42 pm Why can't Mint take ownership and create a working fix that can be integrated into the kernel to fix it in the first place?
You are adding software not related to the operating system. That is the cause of the warning message you had. How is Mint supposed to "take ownership" of some unknown software?

Most PPAs say right at the top they are "untrusted" which means they are making clear you are taking a risk by using them. That is a risk you decide to take. Linux Mint is not involved in that decision; only you are.

Re: what to do about apt-key deprecation?

Post by billyswong »

SMG wrote: Thu Dec 01, 2022 8:57 pm You are adding software not related to the operating system. That is the cause of the warning message you had. How is Mint supposed to "take ownership" of some unknown software?

Most PPAs say right at the top they are "untrusted" which means they are making clear you are taking a risk by using them. That is a risk you decide to take. Linux Mint is not involved in that decision; only you are.
I am not manually editing apt keys added by PPA automatically. I am waiting for the "Software Sources" GUI tool to update their PPA handling. Since Linux Mint created a GUI tool that can handle PPA, I believe they will update the handling code eventually, and likely before the deprecation becomes a hard ban. Meanwhile, those CLI commands are maintained by Debian and I expect they should fix them before hard ban too.

Re: what to do about apt-key deprecation?

Post by Termy »

antiwesley wrote: Thu Dec 01, 2022 8:42 pm Why can't Mint take ownership and create a working fix that can be integrated into the kernel to fix it in the first place? I thought the whole point of the OS movement and the openness of the kernel was to have things like this taken care of by someone who can?
It's not up to Linux Mint to make those changes, it's up to the Debian team, or specifically, whoever is assigned to APT. Anyone can provide a pull request to the GitHub repository, or wherever APT's development happens, but it's ultimately down to those in control whether and how that's accepted and merged. Linux Mint did not develop APT or any of the standard core package management tools, and all that stuff is essentially dealt with upstream (IE: Debian/Ubuntu). Yes, I think you're right in your final statement, but it's not so black and white, sadly. There are procedures, rightfully so.

AFAIK, this issue has nothing to do with the kernel, but is more simply down to key management, which is at the user level.

Technically, Linux Mint could develop their own tool similar to the deprecated apt-key(8), and indeed anyone could, but it's development time put to something that would (and frankly should) only wind up as a temporary fix until Debian addresses this issue properly, with such a tool. Due to the release cycles of Debian and Ubuntu (thus Linux Mint), this could take some time. If you're talking about GUIs like Software Sources, then yes, I suppose Linux Mint could incorporate their own solution, again, until a permanent one is put together by Debian. I'm assuming it currently makes or used to make use of apt-key(8), under the hood.

It goes far beyond just Linux Mint, though.

Re: what to do about apt-key deprecation?

Post by spamegg »

To add to what Termy said, this isn't even an "issue" in my opinion. Deprecation is common, especially in the free/open source Linux world. People are given warnings usually years in advance before something is abandoned completely. This is fairly common practice. For example, Python 2 was deprecated in 2008, and officially abandoned in 2020. They gave people 12 years to transition to Python 3. Ubuntu 20.04 (which came out in 2020) was the first LTS to ditch Python 2 completely. They waited all the way to the end of the period to complete Ubuntu's transition.

It's actually possible to ignore the warning and keep using it in the deprecated way. It's just giving people time to move on to the new way of using it. Surely it would have been much worse if it was enforced one day suddenly, and all your repositories stopped working and repository owners (and you) were forced to switch in a big mess.

Re: what to do about apt-key deprecation?

Post by Termy »

spamegg wrote: Sat Dec 03, 2022 5:08 am Deprecation is common, especially in the free/open source Linux world.
I second that. I've been using Linux for just over a decade and have throughout seen a lot of deprecation of features and tools.
spamegg wrote: Sat Dec 03, 2022 5:08 am It's actually possible to ignore the warning and keep using it in the deprecated way.
I didn't realise you could continue using apt-key(8) in the usual way without any problems, because it sounded like it was causing a lot of problems for people now, hence all the surfacing posts about it on these forums. Perhaps I'm misinterpreting the situation. Hopefully, by the time apt-key(8) is actually ditched, there's something to ditch it in favor of.

I do still think it's a problem, but if the above is truly the case, it's perhaps not as much of an issue as I'd been led to believe.

The reason I still think it's a problem, is precisely because of all the confusion it has caused. Key management in Linux can already be quite confusing, as can package management, so it appears to have really put a spanner in the works. The warnings seem to be constantly directly telling people to research this issue, leading to FUD and confusion. I feel like this could have been handled so much better by addressing the security issue of apt-key(8) or writing an appropriate replacement, before declaring the existing tool deprecated.

Frankly, at least IMO, this should have been addressed a long time ago, as I hear this deprecation was declared quite a while back.

Re: what to do about apt-key deprecation?

Post by Olaf2020 »

you can keep the warning, the programs install anyway, or you can remove the warning

Code:

cd /etc/apt && sudo cp trusted.gpg trusted.gpg.d

Re: what to do about apt-key deprecation?

Post by zcot »

Olaf2020 wrote: Sat Dec 03, 2022 9:31 am you can keep the warning, the programs install anyway, or you can remove the warning

Code:

cd /etc/apt && sudo cp trusted.gpg trusted.gpg.d
No. Please do not suggest that.

Qapla reiterated this point in the tutorial( viewtopic.php?f=42&t=377591 ) and emphatically warned against doing that. The reason is shown in the askubuntu thread ( https://askubuntu.com/questions/1286545 ... ed-apt-key ) and if you ignore it then it makes security worse, now you have 2 places for a malicious package to use as an injection point. As the toolchain is further developed and the setup is completed, will it go and fix the extra copies that have been made? Will you manually go digging deep into this fileset next year and fix it? It seems like a disaster point on that alone.

This is quoted from the askubuntu thread (I put red markings on part of the text so we do not actually have to read-to-understand for the real problem and solution):
https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key wrote:The problem is not a question of appending a key to one big keyring file /etc/apt/trusted.gpg vs manually putting single-key keyring files into the directory /etc/apt/trusted.gpg.d/. These two things are equivalent, and doing either one is a huge security risk.

The problem is that any key you add to either of the above is completely and unconditionally trusted by apt. This means that when installing any package from any repo (including the official distro repos), apt will happily accept the package being signed by any of those trusted keys (whether the key belongs to the repository the package is coming from or not). This weakens the assurance provided by the package signing mechanism against malicious packages being injected into the official Ubuntu mirrors network.

What we want to do instead is configure apt to accept signatures from a third-party repository only on packages being installed from that repository — no cross-signing.

You are better off to do nothing, the program will install and you will keep the warning, -than to use this rogue action which does not actually address the problem but only masks the warning, and places potential filesystem security issues in place.
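
An added example, not part of any post in this thread: a POSIX shell check for one-line `.list` entries that flags both the missing-suite mistake behind the `(Suite)` error earlier in the thread and entries that still depend on globally trusted keys instead of `signed-by`. The function names, verdict strings and the `mesarc.list` label are assumptions made for the example; the first two sample entries are the lines quoted in the thread and the third is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies one-line-style APT entries:
#   ok:scoped          well-formed, key pinned to this repo via signed-by
#   warn:global-trust  well-formed, but relies on trusted.gpg / trusted.gpg.d
#   bad:suite          no suite field (apt reports "Malformed entry ... (Suite)")
#   bad:component      suite does not end in "/" and no component follows
#   skip               blank line, comment, or not a deb/deb-src entry

audit_line() {
    set -f                      # disable globbing while splitting on whitespace
    set -- $1                   # fields of the entry become $1, $2, ...
    set +f
    case ${1:-} in
        deb|deb-src) shift ;;
        *) echo skip; return 0 ;;
    esac

    opts=
    case ${1:-} in
        \[*)                    # the option block may span several words
            while [ $# -gt 0 ]; do
                opts="$opts $1"
                case $1 in
                    *\]) shift; break ;;
                esac
                shift
            done ;;
    esac

    # Remaining fields: URI, suite, then zero or more components.
    if [ $# -lt 2 ]; then echo bad:suite; return 0; fi
    case $2 in
        */) ;;                  # exact-path suite, no component expected
        *) if [ $# -lt 3 ]; then echo bad:component; return 0; fi ;;
    esac

    case $opts in
        *signed-by=*) echo ok:scoped ;;
        *) echo warn:global-trust ;;
    esac
}

audit_entries() {               # reads entries on stdin; $1 labels the output
    n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        verdict=$(audit_line "$entry")
        [ "$verdict" = skip ] || printf '%s:%d: %s\n' "${1:-stdin}" "$n" "$verdict"
    done
}

# Sample input: lines 2 and 3 are quoted from the thread, line 4 is constructed.
audit_entries mesarc.list <<'EOF'
# mesarc PPA
deb [signed-by=/usr/share/keyrings/mesarc-archive.keyring.gpg] https://ppa.launchpad.net/ernstp/mesarc/ubuntu/dists/jammy/InRelease
deb [signed-by=/usr/share/keyrings/mesarc-archive.keyring.gpg] https://ppa.launchpadcontent.net/ernstp/mesarc/ubuntu jammy main
deb https://ppa.launchpadcontent.net/ernstp/mesarc/ubuntu jammy main
EOF
```

To audit a real file, feed it on stdin, for example `audit_entries name.list < /etc/apt/sources.list.d/name.list`; deb822 `.sources` files use a different format and are not handled here.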

Re: what to do about apt-key deprecation?

Post by MiZoG »

Importing keys for PPAs is automated. You just get a prompt to "agree or cancel". The command "sudo add-apt-repository" connects to Ubuntu's keyserver, automatically downloads the key and adds it the old-way to /etc/apt/trusted.gpg. Then "apt" complains that "apt-key" is deprecated and end-users are asked to do some magical tricks in the command-line to get rid of the warnings.
C'mon, it is Ubuntu's responsibility to update their scripts (add-apt-repository), infrastructures (launchpad) and set a deadline to third-party repo admins that use this infrastructure to conform with the new method of authentication.
The whole process should be streamlined, normalized and easily accomplished with the help of GUI tools.

Re: what to do about apt-key deprecation?

Post by Qapla »

What he said!
(Thank you zcot.)

What I said: DON'T DO THIS
I am on the forum only once a week or I might have said the same, although more simply:

Copying the trusted ring is like leaving a wrapped present on the seat of your car then locking the car with all the windows open. Do you REALLY trust everyone who walks by?

Re: what to do about apt-key deprecation?

Post by zcot »

MiZoG wrote: Sat Dec 03, 2022 2:06 pm Importing keys for PPAs is automated. You just get a prompt to "agree or cancel". The command "sudo add-apt-repository" connects to Ubuntu's keyserver, automatically downloads the key and adds it the old-way to /etc/apt/trusted.gpg. Then "apt" complains that "apt-key" is deprecated and end-users are asked to do some magical tricks in the command-line to get rid of the warnings.
C'mon, it is Ubuntu's responsibility to update their scripts (add-apt-repository), infrastructures (launchpad) and set a deadline to third-party repo admins that use this infrastructure to conform with the new method of authentication.
The whole process should be streamlined, normalized and easily accomplished with the help of GUI tools.
I agree. But of course that can not happen overnight.

Actually that is in the works right now. And in the end it will be simple, seamless, and we do not even have to think about it, "it just works".

A great solution right now, is to just read the warning, and then move on, do not do anything. :wink: