Note: While you see me talk a lot about Ubuntu in this topic, APT is actually a Debian utility. For that reason, this topic lives in the Debian category.
If you ever had to add a custom 3rd party repository to your APT configuration (like Docker, Kubernetes, Perforce), you’ve probably used
apt-key in the process. However, starting at Debian 11 and Ubuntu 20.10,
apt-key is now deprecated and it will no longer be available after Debian 11 and Ubuntu 22.04.
apt-keyis deprecated because it has a security weakness regarding key signing and trusting.
In this topic, I will show you the new way of adding 3rd party repositories to your APT configuration. Here’s an example of the old approach:
wget -qO - https://package.perforce.com/perforce.pubkey | sudo apt-key add - sudo echo "deb http://package.perforce.com/apt/ubuntu focal release" > /etc/apt/sources.list.d/perforce.list
You might also have done the second line manually using a text editor, like Jay did in his recent Kubernetes video.
The new way of adding keys is as follows:
wget -qO - https://package.perforce.com/perforce.pubkey | sudo gpg --dearmor -o /usr/share/keyrings/perforce-archive-keyring.gpg sudo echo "deb [signed-by=/usr/share/keyrings/perforce-archive-keyring.gpg] http://package.perforce.com/apt/ubuntu focal release" > /etc/apt/sources.list.d/perforce.list
So what’s new here? In the old approach, your key gets added to either
/etc/apt/trusted.gpg.d. As the name suggest, your key gets trusted, unconditionally, for every repository you have defined. This is bad, because if you add a 3rd party repository, it has the ability to replace packages from the official repositories.
The new approach puts your key inside its own file (in this case
perforce-archive-keyring.gpg) so that it will no longer be trusted by every repository by default.
The second change is the addition of
[signed-by=/usr/share/keyrings/perforce-archive-keyring.gpg] to your repository file. This indicates that this repository will only be trusted with the exact key you added a step earlier.
A couple of notes on the new approach:
- Make sure you have the
gnupgpackage installed so that you can use the
- If the public key you’re downloading is not armored, you will need to slightly modify the first line in the new approach, check out this article which goes more in depth.
That’s it, now you can just continue your usual steps by doing
sudo apt update and install your 3rd party programs! And remember, you can already start using this new approach, so you’re not forced to do it later when
apt-key is gone!