Do not use apt-key add

> apt-key add [filename]
>
> Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.
>
> — apt-key(8) manpage
There's a good reason for this deprecation: apt-key add puts keys into /etc/apt/trusted.gpg, which APT trusts for all repositories. That means the owner of any third-party key you add this way could sign packages that pass as coming from your distribution's own repository too (if they manage to MITM that connection).
Update (2023): Current best practice is to put the key in /usr/share/keyrings instead (the example below uses /etc/apt/keyrings, the location for keys an admin adds by hand) and pin it in the source file with [signed-by=...]. So instead of `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -` you should use something like this:
```sh
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/docker.gpg \
  > /dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
```

(You have to use `gpg --dearmor` because sometimes APT doesn't recognize ASCII-armoured keys, which kinda sucks but works for us so whatever.)

Once again, in a single line:

```sh
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/docker.gpg > /dev/null
```
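The snippet above trusts whatever key the download returns. The following is an added example (not part of the original gist, and not Docker's own instructions) that wraps the same steps in a script which refuses the globally trusted keyring locations, checks the downloaded key's fingerprint against a value you obtained out-of-band before installing it, and writes the signed-by source entry. The repo URL and paths are taken from the text above; the fingerprint is a placeholder you must replace, and the `RUN_REPO_INSTALL` gate is an assumption of this example so that sourcing the file has no side effects.

```sh
#!/bin/sh
# Added example (not from the original gist): scope a third-party APT key to one
# repository with signed-by and verify its fingerprint before trusting it.
set -eu

# Build the sources.list line that binds this keyring to this one repository.
# $1 arch, $2 keyring path, $3 repo URL, $4 suite, $5 components
apt_source_line() {
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Return 0 only for keyring paths outside APT's global trust store.
# /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/ are trusted for every
# repository, which is exactly the problem apt-key add had.
is_scoped_keyring_path() {
    case "$1" in
        /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) return 1 ;;
        /etc/apt/keyrings/*|/usr/share/keyrings/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the primary key fingerprint of a key file (binary or armoured).
key_fingerprint() {
    gpg --batch --with-colons --with-fingerprint --show-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Download and dearmor the key into a temp file, compare its fingerprint with
# the expected value, and only then install it (root-owned, world-readable)
# and write the signed-by source entry.
install_third_party_repo() {
    key_url=$1; keyring=$2; expected_fpr=$3; repo_url=$4; suite=$5; comps=$6; list=$7
    if ! is_scoped_keyring_path "$keyring"; then
        echo "refusing globally trusted keyring path: $keyring" >&2
        return 1
    fi
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$key_url" | gpg --batch --dearmor > "$tmp"
    actual_fpr=$(key_fingerprint "$tmp")
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "fingerprint mismatch: got $actual_fpr, expected $expected_fpr" >&2
        return 1
    fi
    sudo install -d -m 0755 "$(dirname "$keyring")"
    sudo install -m 0644 -o root -g root "$tmp" "$keyring"
    apt_source_line "$(dpkg --print-architecture)" "$keyring" "$repo_url" "$suite" "$comps" \
        | sudo tee "$list" > /dev/null
}

# The install only runs when explicitly requested (assumed gate for this example).
if [ "${RUN_REPO_INSTALL:-0}" = "1" ]; then
    install_third_party_repo \
        https://download.docker.com/linux/ubuntu/gpg \
        /etc/apt/keyrings/docker.gpg \
        "REPLACE_WITH_FINGERPRINT_FROM_VENDOR_DOCS" \
        https://download.docker.com/linux/ubuntu \
        "$(lsb_release -cs)" stable \
        /etc/apt/sources.list.d/docker.list
fi
```

Run it as `RUN_REPO_INSTALL=1 sh add-repo.sh` after replacing the fingerprint placeholder with the value published by the repository owner. The fingerprint check is what turns "trust whatever the TLS connection delivered" into "trust the key I expected", and the path check stops the script from recreating the apt-key problem under a different name.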
See also: Connect to a third-party repository on the Debian Wiki (https://wiki.debian.org/DebianRepository/UseThirdParty).
Most repos I see in the wild have adopted this (or similar) syntax 🎉 (that includes Docker, I just used it as an example)
I've removed the snippets in the first comment: I don't feel like updating them, as it would mostly just be a copy of official instructions.
(Here was a list of snippets to add some popular software repos in the way described in a previous version of this guide, which used trusted.gpg.d. I don't feel like updating them for the current best practice of using /etc/apt/keyrings, as most official instructions have switched to that already.)