Skip to content
Latchkey

apt-key Command Reference: Usage, Deprecation & CI Examples

apt-key managed APT trusted keys; it is now deprecated in favor of keyrings.

apt-key added and listed the GPG keys APT uses to verify repositories. It is deprecated on modern Debian/Ubuntu in favor of per-repository keyrings referenced with signed-by.

Common flags and usage

  • apt-key add <file>: add a key (deprecated)
  • apt-key adv --keyserver ... --recv-keys: fetch a key (deprecated)
  • apt-key list / del: list or remove trusted keys
  • Modern replacement: write a keyring under /etc/apt/keyrings
  • Reference it with signed-by= in the .sources or .list entry

Example

shell
curl -fsSL https://example.com/repo.gpg \
  | gpg --dearmor -o /etc/apt/keyrings/example.gpg
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/apt stable main" \
  > /etc/apt/sources.list.d/example.list

In CI

On recent images apt-key prints a deprecation warning and may be absent entirely. Prefer the signed-by keyring pattern above so a third-party repository keeps working when apt-key is removed.

Key takeaways

  • apt-key is deprecated; modern APT uses per-repo keyrings.
  • Dearmor the key into /etc/apt/keyrings and reference it with signed-by.
  • New CI images may not ship apt-key at all.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →