gpg --dearmor and the apt signed-by Keyring
gpg --dearmor turns an ASCII-armored repository key into the binary keyring file that apt signed-by references.
apt-key is deprecated, and the modern way to add a third-party repo key is a dedicated keyring plus signed-by. gpg --dearmor is the conversion step in that recipe.
What it does
gpg --dearmor reads an ASCII-armored key and writes its binary (.gpg) form. apt expects a per-repository keyring under /etc/apt/keyrings or /usr/share/keyrings, referenced by signed-by= in the sources list, which scopes the key to just that repository.
Common usage
# fetch, dearmor, and install a repo key the modern way
curl -fsSL https://example.com/repo.gpg \
| gpg --dearmor -o /etc/apt/keyrings/example.gpg
# reference it in the sources list with signed-by
echo "deb [signed-by=/etc/apt/keyrings/example.gpg] \
https://example.com/apt stable main" \
> /etc/apt/sources.list.d/example.listOptions
| Flag | What it does |
|---|---|
| --dearmor | Convert armored input to binary keyring form |
| --enarmor | The reverse: binary to ASCII armor |
| -o <file> / --output | Write the keyring to a path apt reads |
| signed-by=<file> (apt) | Scope a repo to a specific keyring |
In CI
When building images, always use the signed-by keyring pattern instead of apt-key add, which is removed in recent Debian/Ubuntu. Write keyrings to /etc/apt/keyrings (create it first) and reference them with signed-by so a third-party key cannot sign packages from other repos.
Common errors in CI
"apt-key is deprecated" or "Command apt-key not found" on newer images means you must switch to gpg --dearmor plus signed-by. "The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ..." means the keyring is missing, at the wrong path, or not referenced by signed-by. "gpg: no valid OpenPGP data found" means you dearmored something that was not a key.