Ubuntu 22.04 LTS apt-get update reports Key is stored in legacy trusted.gpg keyring warning solution

background introduction

Encountered such a warning Ubuntu 22.04 LTSunder update source.apt-get updateKey is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Although the warning does not affect the execution, it is still uncomfortable for a patient with severe code obsessive-compulsive disorder and code cleanliness, so let's solve it.

In order to clarify this issue, I use installation Dockerand installation Kubernetesas examples.

problem reproduction

In general, before installingUbuntu the software, it is necessary to change the source of the system to a local source to achieve the purpose of speeding up the download speed, such as changing to sources such as Ali, Tsinghua, and NetEase.apt-get

After modifying the software source, you need to update the software source through apt-get updatethe command , but Ubuntu 22.04 LTSthere is a problem under .

root@k8s-worker-01:/etc/apt# apt-get update 
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (2909 B/s)   
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This warning probably means that we saved the key of the package in the file /etc/apt/trusted.gpgof this old version system.

The system prompt here just tells you that the new version of the system cannot put the secret key /etc/apt/trusted.gpgin , but it does not tell us where the secret key of the new version of the system should be placed.

solution

In fact, the answer is very simple, in /etc/apt/trusted.gpg.dthe directory .

root@k8s-worker-01:/etc/apt# ls trusted.gpg.d/
ubuntu-keyring-2012-cdimage.gpg  ubuntu-keyring-2018-archive.gpg

As you can see, there are already two system key files.

Now I Dockerwill Kubernetessolve this problem with the whole process of installing and .

1. Add a secret key

Add Docker key

curl https://download.docker.com/linux/ubuntu/gpg | apt-key add -

Add Kubernetes key:

curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -

After adding the secret key, you will find /etc/aptthat there is an additional trusted.gpgfile in the directory:

root@k8s-worker-01:/etc/apt# ls
apt.conf.d   keyrings       sources.list      sources.list.d  trusted.gpg.d
auth.conf.d  preferences.d  sources.list.bak  trusted.gpg

2. Add software source

Add docker software sources:

cat > /etc/apt/sources.list.d/docker.list << EOF
deb https://download.docker.com/linux/ubuntu jammy stable
EOF

Add the Kubernetes software source:

cat > /etc/apt/sources.list.d/kubernetes.list << EOF
deb https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial main
EOF

3. Update source

Because we added two keys, there will be two warnings when updating the source:

root@k8s-worker-01:/etc/apt# apt-get update 
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (2909 B/s)   
Reading package lists... Done
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://mirrors.aliyun.com/kubernetes/apt/dists/kubernetes-xenial/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

4. Query the secret key

apt-key listQuery all keys on the server by :

root@k8s-worker-01:/etc/apt# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2022-05-21 [SC]
      A362 B822 F6DE DC65 2817  EA46 B53D C80D 13ED EF05
uid           [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub   rsa2048 2022-05-21 [E]

pub   rsa4096 2017-02-22 [SCEA]
      9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid           [ unknown] Docker Release (CE deb) <[email protected]>
sub   rsa4096 2017-02-22 [S]

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>

According to the output information, there are 3 files and 4 secret keys on the server. The top two are the secret keys we just installed. The information is stored in /etc/apt/trusted.gpgthis

5. Export the secret key

According to the information output by the appeal, the second line of each secret key has a string of hexadecimal codes, and this code is the secret key id:

A362 B822 F6DE DC65 2817  EA46 B53D C80D 13ED EF05
9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88

Find the key that caused apt-get updatethe warning and export it:

apt-key export 13EDEF05 | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
apt-key export 0EBFCD88 | gpg --dearmour -o /etc/apt/trusted.gpg.d/kubernetes.gpg

Note: The secret key when exporting only idneeds , and idthere is no space between.

After exporting, you will find that there are two more binary files in /etc/apt/trusted.gpg.dthe directory . These two binary files are the ones we just exported:

root@k8s-worker-01:/etc/apt/trusted.gpg.d# ls
ubuntu-keyring-2012-cdimage.gpg  ubuntu-keyring-2018-archive.gpg
root@k8s-worker-01:/etc/apt/trusted.gpg.d# apt-key export 13EDEF05 | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
root@k8s-worker-01:/etc/apt/trusted.gpg.d# apt-key export 0EBFCD88 | gpg --dearmour -o /etc/apt/trusted.gpg.d/kubernetes.gpg
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
root@k8s-worker-01:/etc/apt/trusted.gpg.d# ls
docker.gpg  kubernetes.gpg  ubuntu-keyring-2012-cdimage.gpg  ubuntu-keyring-2018-archive.gpg

6. Delete the key

After exporting the secret key, you can delete the files/etc/apt in the directory :trusted.gpg

root@k8s-worker-01:/etc/apt# ls
apt.conf.d   keyrings       sources.list      sources.list.d  trusted.gpg.d
auth.conf.d  preferences.d  sources.list.bak  trusted.gpg  trusted.gpg~
root@k8s-worker-01:/etc/apt# rm trusted.gpg trusted.gpg~
root@k8s-worker-01:/etc/apt# ls
apt.conf.d  auth.conf.d  keyrings  preferences.d  sources.list  sources.list.bak  sources.list.d  trusted.gpg.d

Finally, apt-key listquery :

root@k8s-worker-01:/etc/apt# apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/docker.gpg
---------------------------------
pub   rsa2048 2022-05-21 [SC]
      A362 B822 F6DE DC65 2817  EA46 B53D C80D 13ED EF05
uid           [ unknown] Rapture Automatic Signing Key (cloud-rapture-signing-key-2022-03-07-08_01_01.pub)
sub   rsa2048 2022-05-21 [E]

/etc/apt/trusted.gpg.d/kubernetes.gpg
-------------------------------------
pub   rsa4096 2017-02-22 [SCEA]
      9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid           [ unknown] Docker Release (CE deb) <[email protected]>
sub   rsa4096 2017-02-22 [S]

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <[email protected]>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <[email protected]>

7. Update the source again

According to the information output by the appeal, there are 4 files and 4 keys on the server, and the top two are the ones we just added to /etc/apt/trusted.gpg.dthe directory

Try updating the source again with apt-get updatethe command :

root@k8s-worker-01:/etc/apt# apt-get update
Hit:1 https://mirrors.aliyun.com/ubuntu-ports jammy InRelease
Hit:2 https://download.docker.com/linux/ubuntu jammy InRelease
Hit:3 https://mirrors.aliyun.com/ubuntu-ports jammy-updates InRelease
Hit:4 https://mirrors.aliyun.com/ubuntu-ports jammy-backports InRelease
Hit:5 https://mirrors.aliyun.com/ubuntu-ports jammy-security InRelease
Get:6 https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial InRelease [8993 B]
Fetched 8993 B in 3s (3491 B/s)                        
Reading package lists... Done

After the output of the results, it was found that there were no warnings, fully in line with expectations, and a perfect solution!