gpg --dearmor: Import a Repository Signing Key
gpg --dearmor converts a downloaded ASCII-armored public key into the binary format that APT keyrings require.
Most vendor keys are distributed ASCII-armored (they start with BEGIN PGP PUBLIC KEY BLOCK). APT keyrings want binary, so you dearmor before writing to /etc/apt/keyrings.
What it does
gpg --dearmor reads an ASCII-armored key on stdin (or a file) and writes the equivalent binary key. Writing that binary file into /etc/apt/keyrings and referencing it with signed-by lets APT verify the repository signature.
Common usage
install -m 0755 -d /etc/apt/keyrings
# armored key -> binary keyring
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpgOptions
| Flag | What it does |
|---|---|
| --dearmor | Convert ASCII-armored input to binary |
| --enarmor | The reverse: binary to ASCII-armored |
| -o <file> | Write output to a file |
| --yes | Overwrite the output file without prompting |
In CI
Always chmod a+r the keyring so apt (which may run as a different user) can read it; a key readable only by root causes silent verification failures. If the source key is already binary, skip dearmor and write it directly.
Common errors in CI
"gpg: no valid OpenPGP data found" means the downloaded file is HTML (a 404 page or redirect) rather than a key; check the URL and use curl -fsSL so failures are visible. NO_PUBKEY at apt-get update means the keyring path in signed-by is wrong or the file is not readable. "GPG error ... invalid signature" often means an armored key was written without dearmoring.