Skip to content
Latchkey

gpg --dearmor: Import a Repository Signing Key

gpg --dearmor converts a downloaded ASCII-armored public key into the binary format that APT keyrings require.

Most vendor keys are distributed ASCII-armored (they start with BEGIN PGP PUBLIC KEY BLOCK). APT keyrings want binary, so you dearmor before writing to /etc/apt/keyrings.

What it does

gpg --dearmor reads an ASCII-armored key on stdin (or a file) and writes the equivalent binary key. Writing that binary file into /etc/apt/keyrings and referencing it with signed-by lets APT verify the repository signature.

Common usage

Terminal
install -m 0755 -d /etc/apt/keyrings
# armored key -> binary keyring
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

Options

FlagWhat it does
--dearmorConvert ASCII-armored input to binary
--enarmorThe reverse: binary to ASCII-armored
-o <file>Write output to a file
--yesOverwrite the output file without prompting

In CI

Always chmod a+r the keyring so apt (which may run as a different user) can read it; a key readable only by root causes silent verification failures. If the source key is already binary, skip dearmor and write it directly.

Common errors in CI

"gpg: no valid OpenPGP data found" means the downloaded file is HTML (a 404 page or redirect) rather than a key; check the URL and use curl -fsSL so failures are visible. NO_PUBKEY at apt-get update means the keyring path in signed-by is wrong or the file is not readable. "GPG error ... invalid signature" often means an armored key was written without dearmoring.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →