Skip to content
Latchkey

gpg --dearmor and the apt signed-by Keyring

gpg --dearmor turns an ASCII-armored repository key into the binary keyring file that apt signed-by references.

apt-key is deprecated, and the modern way to add a third-party repo key is a dedicated keyring plus signed-by. gpg --dearmor is the conversion step in that recipe.

What it does

gpg --dearmor reads an ASCII-armored key and writes its binary (.gpg) form. apt expects a per-repository keyring under /etc/apt/keyrings or /usr/share/keyrings, referenced by signed-by= in the sources list, which scopes the key to just that repository.

Common usage

Terminal
# fetch, dearmor, and install a repo key the modern way
curl -fsSL https://example.com/repo.gpg \
  | gpg --dearmor -o /etc/apt/keyrings/example.gpg
# reference it in the sources list with signed-by
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] \
https://example.com/apt stable main" \
  > /etc/apt/sources.list.d/example.list

Options

FlagWhat it does
--dearmorConvert armored input to binary keyring form
--enarmorThe reverse: binary to ASCII armor
-o <file> / --outputWrite the keyring to a path apt reads
signed-by=<file> (apt)Scope a repo to a specific keyring

In CI

When building images, always use the signed-by keyring pattern instead of apt-key add, which is removed in recent Debian/Ubuntu. Write keyrings to /etc/apt/keyrings (create it first) and reference them with signed-by so a third-party key cannot sign packages from other repos.

Common errors in CI

"apt-key is deprecated" or "Command apt-key not found" on newer images means you must switch to gpg --dearmor plus signed-by. "The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ..." means the keyring is missing, at the wrong path, or not referenced by signed-by. "gpg: no valid OpenPGP data found" means you dearmored something that was not a key.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →