Apt-key deprecation (with workaround)

apt-key is deprecated on Debian, and I now get

W: http://apt.insync.io/debian/dists/buster/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

when running apt update.

Now we are supposed to download the signature file, add it to a local directory, and point to the corresponding signature file in the sources.list entry. (See, for instance, this post.)

Is there a way to get the signature file?

Just move the /etc/apt/trusted.gpg file to the /etc/apt/trusted.gpg.d/ folder, and the warning will go away.

Literally did it 5 minutes ago myself.

4 Likes

Thank you for the assist, as always, @bayindirh 🙂

Checking with our Linux team how we can address this more permanently! cc @finotti

Indeed, I think we need a more permanent solution.

Although @bayindirh's suggestion should work (thanks for pointing it out!), it is not the recommended way to deal with keys moving forward, if I understand it correctly.

Keys in /etc/apt/trusted.gpg.d should also be moved to another location (it seems that /usr/local/share/keyrings is a common suggestion), with one file for each repository, and the corresponding key file added to each corresponding list file in /etc/apt/sources.list.d.

For now, here is something I believe could be done to set it up properly:

  1. Use apt-key list to find all entries in /etc/apt/trusted.gpg.
  2. Make a copy of this file (in the new directory for the keyrings) for each one of the entries. Name accordingly, like insync.gpg for the InSync keyring.
  3. For each one of these files, remove all other entries but the one for it using apt-key del. This leaves only the one key for the particular repository.
  4. For each of these new key files, add the corresponding keyring to the sources list file for the corresponding repository.

Right now, for me at least, only InSync has no file already provided. (If all your sources provide their corresponding key file, you can just delete trusted.gpg and add the new files to the new keyring directory.)

1 Like

Thank you for the very detailed workaround, @finotti!

Our engineer has lined up a fix for this issue, and it will be deployed in a future build. Thank you both for reporting this!

I don’t know if this is the right way, but I used the following to solve my problem:

gpg --keyserver keyserver.ubuntu.com --recv-keys ACCAF35C

2º Export gpg key

gpg --output insync.gpg --export ACCAF35C

3º Copy the key to the right directory

sudo cp insync.gpg /usr/share/keyrings/

4º Adjust repository on sources.list

deb [signed-by=/usr/share/keyrings/insync.gpg arch=amd64] http://apt.insync.io/debian bookworm  non-free contrib

5º Update repository

sudo apt update
1 Like
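
An added example (not part of any post in this thread, and not Insync's code): a small shell audit of one-line sources.list entries that reports whether each repository's key is scoped with signed-by, which is the goal of the per-repository keyring steps described above. Keys left in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d are trusted for every configured repository; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Audit one-line-style APT entries (not deb822 .sources files).
# Prints "<status> <uri> <keyring>" per entry, where status is:
#   scoped   - signed-by names a dedicated keyring outside the legacy paths
#   global   - signed-by names a file under /etc/apt/trusted.gpg*, which apt
#              still trusts for every other repository as well
#   unscoped - no signed-by: any globally trusted key can sign this repo
audit_sources() {
    awk '
    { sub(/#.*/, "") }                          # drop comments
    $1 != "deb" && $1 != "deb-src" { next }     # skip blanks and other lines
    {
        opts = ""; uri = $2; key = ""
        o = index($0, "["); c = index($0, "]")
        if (o && c > o) {                       # option block: [k=v k=v]
            opts = substr($0, o + 1, c - o - 1)
            split(substr($0, c + 1), f, " ")
            uri = f[1]
        }
        n = split(opts, kv, " ")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^signed-by=/) key = substr(kv[i], 11)
        if (key == "")                                status = "unscoped"
        else if (key ~ /^\/etc\/apt\/trusted\.gpg/)   status = "global"
        else                                          status = "scoped"
        print status, uri, (key == "" ? "-" : key)
    }' "$@"
}

# Constructed sample entries (not taken from a real system).
sample_sources() {
    cat <<'EOF'
# legacy entry relying on trusted.gpg
deb http://apt.insync.io/debian buster non-free contrib
deb [signed-by=/etc/apt/trusted.gpg.d/insync.gpg] http://apt.insync.io/debian buster non-free contrib
deb [signed-by=/usr/share/keyrings/insync.gpg arch=amd64] http://apt.insync.io/debian bookworm non-free contrib
EOF
}

# Audit the files given as arguments, or the sample when none are given.
if [ "$#" -gt 0 ]; then
    audit_sources "$@"
else
    sample_sources | audit_sources
fi
```

Run it as `sh audit.sh /etc/apt/sources.list /etc/apt/sources.list.d/*.list` (the script name is hypothetical) to list which entries still depend on globally trusted keys.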

Hey @Danilo_Arantes! I appreciate you for sharing the workaround for this issue! Let me send this to our engineer for reference while we continue working on the more permanent fix. 🙂

1 Like

Hey everyone! Could you please update to 3.7.5, in case you haven’t? Our engineer has confirmed that this is fixed in the latest version. 🙂

Please download the latest version here: https://www.insynchq.com/downloads. You may also fetch the update via the repositories.

Thank you!

Thank you very much, I spent time trying several things and here’s the solution.

2 Likes

It’s awesome! @bayindirh

1 Like

Thanks, this has really been helpful