Skip to content
Latchkey

apt-key (deprecated): Usage & the Modern Replacement

apt-key added trusted GPG keys, but it is deprecated - use per-repo keyrings instead.

apt-key add was the old way to trust a repository signing key. It is deprecated since apt 2.2 and removed in newer Debian/Ubuntu, so CI scripts that still call it now warn or fail. The modern approach is a per-source signed-by keyring.

What it does

apt-key managed the global APT trusted-keys store (/etc/apt/trusted.gpg). The problem it had was that any key in that store could sign any repository, which is a security weakness - hence its deprecation in favor of pinning a specific key file to a specific source via the signed-by option.

Common usage

Terminal
# DEPRECATED (warns, removed on newer releases):
# curl -fsSL https://example.com/key.gpg | apt-key add -

# Modern replacement:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://example.com/key.gpg | gpg --dearmor -o /etc/apt/keyrings/example.gpg
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/apt stable main" \
  > /etc/apt/sources.list.d/example.list
apt-get update

Common errors in CI

"Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead" - harmless on older images but the command is gone entirely on newer ones ("apt-key: command not found"). If you skip the migration you eventually get "NO_PUBKEY" on apt-get update. The fix is the signed-by keyring shown above; store the dearmored key under /etc/apt/keyrings and reference it in the source line.

Options

ItemWhat it does
add - (deprecated)Old: add a key from stdin to the global store
gpg --dearmorConvert an ASCII-armored key to a keyring file
signed-by=<path>Pin a source to one specific key (modern)
/etc/apt/keyrings/Recommended location for per-repo keys

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →