apt-key Deprecation: Migrate to signed-by Keyrings
apt-key is deprecated; store each repository key in its own file under /etc/apt/keyrings and reference it with signed-by in the source line.
Old guides pipe a key into apt-key add, which now prints a deprecation warning and is removed on newer systems. The signed-by pattern is the supported replacement.
What it does
apt-key managed a single global keyring that any repo could be signed by, which is a security weakness. The modern approach stores each vendor key in its own file and binds it to that vendor's source line with [signed-by=...], so a key only signs its own repo.
Deprecated pattern (avoid)
# deprecated: warns "apt-key is deprecated" and fails on newer OS
curl -fsSL https://example.com/key.gpg | apt-key add -Modern replacement
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://example.com/key.gpg \
| gpg --dearmor -o /etc/apt/keyrings/example.gpg
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] https://example.com/apt stable main" \
> /etc/apt/sources.list.d/example.list
apt-get updateOptions
| Piece | What it does |
|---|---|
| gpg --dearmor | Convert an ASCII-armored key to binary for the keyring |
| /etc/apt/keyrings/<name>.gpg | The per-repo key file location |
| [signed-by=<path>] | Bind the source line to that one key file |
| apt-key add (deprecated) | Legacy global keyring, do not use |
In CI
Use the signed-by pattern in Dockerfiles and pipeline scripts; apt-key add emits warnings today and is absent on newer images, which breaks builds silently. Store keys under /etc/apt/keyrings and dearmor ASCII keys so apt can read them.
Common errors in CI
"Warning: apt-key is deprecated" is the deprecation notice; migrate to signed-by. "The following signatures couldn't be verified because the public key is not available: NO_PUBKEY <id>" after removing apt-key means the source line lacks signed-by pointing at the imported key. "GPG error ... at least one invalid signature was encountered" often means the key was not dearmored.