APT-KEY - Base Documentation

From IT-Arts.net



Syntax

apt-key [options] <command> [command options]

Commands

add

apt-key add [file]

- Adds a new key to the list of trusted keys for apt.
- The file argument can be a key file (in ASCII-armored format) or a public key URL.

Example:

sudo apt-key add /path/to/keyfile

del

apt-key del <keyid>

- Removes a key from the trusted list using its key ID.
- The key ID is typically the last 8 characters of the key fingerprint.

Example:

sudo apt-key del ABCD1234

list

apt-key list

- Lists all the currently installed keys and their corresponding fingerprints.

Example:

sudo apt-key list

export

apt-key export <keyid>

- Exports a key to the standard output.
- The key ID can be a full key ID or a part of it.

Example:

apt-key export ABCD1234

adv

apt-key adv --keyserver <keyserver> --recv-keys <keyid>

- Receives keys from a keyserver.
- This command fetches keys from a remote keyserver, which is useful when adding third-party repository keys.

Example:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABCD1234

Security Concepts

Trusted Keys and the APT System

- APT relies on cryptographic signatures to ensure that the software packages you install come from trusted sources.
- The trusted keys list is maintained by `apt-key` and consists of the public keys of the repositories or package maintainers.
- The keys in `/etc/apt/trusted.gpg` and `/etc/apt/trusted.gpg.d/` ensure that apt can verify the integrity and authenticity of the package metadata.

Deprecated Methods

- The `apt-key` command has been deprecated in recent versions of APT, as keyring management is transitioning to more modern solutions such as `signed-by` in `.list` files.
- Using `apt-key` poses a potential security risk, since it can lead to keys being imported into global keyrings without proper compartmentalization, which might allow unauthorized repositories to be trusted by the system.

Modern Key Management

- In modern usage, repositories should be configured to use `signed-by` for their keyring, so that the key is trusted for that repository only rather than system-wide.
- Keep that keyring outside `/etc/apt/trusted.gpg.d/` (for example in `/etc/apt/keyrings/`): any key placed in `/etc/apt/trusted.gpg.d/` is trusted for every repository regardless of `signed-by`, which defeats the purpose of the directive.
- Example repository entry:

deb [signed-by=/etc/apt/keyrings/myrepo.gpg] http://myrepo.com/ubuntu focal main

Key Expiration and Revocation

- Key expiration ensures that keys are not valid indefinitely. It is essential to monitor key expiration dates and update keys accordingly.
- Revocation allows a key to be marked as invalid, rendering any software packages signed with that key untrustworthy.
- Users should ensure that their system updates the repository keys regularly, especially for third-party repositories.

Troubleshooting

Error: "The following signatures were invalid"

- This error occurs when the key used to sign the repository metadata is missing or outdated.
- To fix this issue, you can retrieve the correct key:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <keyid>

Error: "NO_PUBKEY"

- When you receive the "NO_PUBKEY" error, it means a key is missing for one of the repositories configured on your system.
- You can resolve this issue by fetching the missing key using the following command:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <keyid>

Warnings about Deprecation of apt-key

- If you encounter warnings about the deprecation of `apt-key`, consider switching to the `signed-by` directive in your `/etc/apt/sources.list` or in the individual repository list files, with the repository's keyring stored outside `/etc/apt/trusted.gpg.d/` so that it is not trusted system-wide.

Example:

deb [signed-by=/etc/apt/keyrings/myrepo.gpg] http://myrepo.com/ubuntu focal main
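As an added example that is not part of this wiki page, the following POSIX shell script audits one-line-format source entries against the `signed-by` guidance given here and under Modern Key Management: it flags entries that lack `signed-by` and entries whose keyring lives in `/etc/apt/trusted.gpg` or `/etc/apt/trusted.gpg.d/`, where it would be trusted for every repository anyway. The sample entries, hostnames and paths are constructed, not taken from a real system.

```shell
#!/bin/sh
# Constructed sample of /etc/apt/sources.list.d/*.list content (not a real file).
SAMPLE_SOURCES='deb http://archive.example.org/ubuntu focal main
deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.gpg] http://myrepo.example.com/ubuntu focal main
deb [signed-by=/etc/apt/trusted.gpg.d/other.gpg] http://other.example.com/debian bookworm main
# comment lines and blank lines are ignored
deb-src [signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] http://vendor.example.com/debian bookworm main'

# audit_sources: reads one-line-format deb/deb-src entries on stdin and prints
# one verdict per entry: OK, NO_SIGNED_BY, or GLOBAL_KEYRING, followed by the entry.
audit_sources() {
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;            # skip blank and comment lines
      deb\ *|deb-src\ *) ;;           # only deb / deb-src entries are audited
      *) continue ;;
    esac
    # Extract the contents of the optional [ ... ] option block, if any.
    opts=$(printf '%s\n' "$line" | sed -n 's/^deb[-a-z]* *\[\([^]]*\)\].*/\1/p')
    keyring=''
    for opt in $opts; do
      case "$opt" in signed-by=*) keyring=${opt#signed-by=} ;; esac
    done
    if [ -z "$keyring" ]; then
      verdict=NO_SIGNED_BY
    else
      case "$keyring" in
        # Anything in the global keyrings is trusted for all repositories,
        # so signed-by provides no compartmentalization there.
        /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) verdict=GLOBAL_KEYRING ;;
        *) verdict=OK ;;
      esac
    fi
    printf '%s %s\n' "$verdict" "$line"
  done
}

# count_findings: number of sample entries that need attention.
count_findings() {
  printf '%s\n' "$SAMPLE_SOURCES" | audit_sources | grep -vc '^OK '
}

# Real-system usage: cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources
printf '%s\n' "$SAMPLE_SOURCES" | audit_sources
```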

Key is Not Available from Keyserver

- If a key cannot be retrieved from the keyserver, it might be due to a temporary network issue or an unresponsive keyserver.
- Try using a different keyserver:

sudo apt-key adv --keyserver pool.sks-keyservers.net --recv-keys <keyid>

The Key is Already Installed

- If you see an error indicating that the key is already installed, it means the key has been successfully imported before.
- You can check whether the key exists using:

sudo apt-key list

If it is present, you can skip adding the key.
