apt-key (deprecated): Usage & the Modern Replacement
apt-key added trusted GPG keys, but it is deprecated - use per-repo keyrings instead.
apt-key add was the old way to trust a repository signing key. It is deprecated since apt 2.2 and removed in newer Debian/Ubuntu, so CI scripts that still call it now warn or fail. The modern approach is a per-source signed-by keyring.
What it does
apt-key managed the global APT trusted-keys store (/etc/apt/trusted.gpg). The problem it had was that any key in that store could sign any repository, which is a security weakness - hence its deprecation in favor of pinning a specific key file to a specific source via the signed-by option.
Common usage
# DEPRECATED (warns, removed on newer releases):
# curl -fsSL https://example.com/key.gpg | apt-key add -
# Modern replacement:
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://example.com/key.gpg | gpg --dearmor -o /etc/apt/keyrings/example.gpg
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/apt stable main" \
> /etc/apt/sources.list.d/example.list
apt-get updateCommon errors in CI
"Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead" - harmless on older images but the command is gone entirely on newer ones ("apt-key: command not found"). If you skip the migration you eventually get "NO_PUBKEY" on apt-get update. The fix is the signed-by keyring shown above; store the dearmored key under /etc/apt/keyrings and reference it in the source line.
Options
| Item | What it does |
|---|---|
| add - (deprecated) | Old: add a key from stdin to the global store |
| gpg --dearmor | Convert an ASCII-armored key to a keyring file |
| signed-by=<path> | Pin a source to one specific key (modern) |
| /etc/apt/keyrings/ | Recommended location for per-repo keys |