@notpushkin
Last active November 2, 2023 10:35

Do not use apt-key add.

apt-key add [filename]

Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.
    — apt-key(8) manpage

There's a good reason for this deprecation: apt-key add puts keys into /etc/apt/trusted.gpg, which APT trusts for all repositories. This means any third-party repository you add would also be able to pretend to be your system repository (if they manage to MITM it).

Update (2023): Current best practice is to put the key in /usr/share/keyrings instead and pin it in the source file with [signed-by=...]. So instead of curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - you should use something like this:

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/docker.gpg \
  > /dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

(You have to use gpg --dearmor because sometimes APT doesn't recognize ASCII-armoured keys, which kinda sucks but works for us so whatever)

Once again, in a single line:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/docker.gpg > /dev/null
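As an added example (not part of the gist), here is a small audit script for the setup described above: it walks a sources.list.d-style directory, flags entries without [signed-by=...] (those still rely on the global trusted keyring), and flags pinned keyrings that are missing or still ASCII-armoured rather than dearmored. The sample layout it builds is constructed for the demo; the paths and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: audit one-line APT sources for the
# per-repository [signed-by=...] pinning the gist recommends and check that
# each referenced keyring is a dearmored (binary) file, not ASCII armour.

# Print "binary", "armored" or "missing" for the keyring file at $1.
keyring_format() {
  [ -f "$1" ] || { echo missing; return; }
  if head -c 14 "$1" | grep -q -- '-----BEGIN PGP'; then echo armored; else echo binary; fi
}

# Scan every *.list file under $1 (a sources.list.d-style directory).
# Prints one finding per problem and returns the number of findings.
audit_apt_sources() {
  dir=$1; findings=0
  for f in "$dir"/*.list; do
    [ -f "$f" ] || continue
    while IFS= read -r line; do
      case "$line" in
        deb\ *|deb-src\ *) ;;        # only repository lines matter
        *) continue ;;              # comments and blank lines
      esac
      key=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
      if [ -z "$key" ]; then         # trusts every key in trusted.gpg(.d)
        echo "UNPINNED ${f##*/}: $line"; findings=$((findings + 1)); continue
      fi
      fmt=$(keyring_format "$key")
      [ "$fmt" = binary ] || { echo "KEYRING-$fmt ${f##*/}: $key"; findings=$((findings + 1)); }
    done < "$f"
  done
  return "$findings"
}

# Build a constructed sources.list.d layout in a temp dir and print its path.
make_sample_dir() {
  d=$(mktemp -d); mkdir -p "$d/keyrings"
  printf '\231\001\015 constructed binary keyring\n' > "$d/keyrings/docker.gpg"
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '(constructed)' > "$d/keyrings/armored.asc"
  printf 'deb [arch=amd64 signed-by=%s/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable\n' "$d" > "$d/docker.list"
  printf '# legacy entry: no signed-by, so APT falls back to the global keyring\ndeb https://example.invalid/apt stable main\n' > "$d/legacy.list"
  printf 'deb [signed-by=%s/keyrings/armored.asc] https://example.invalid/other stable main\n' "$d" > "$d/other.list"
  printf 'deb [signed-by=%s/keyrings/nope.gpg] https://example.invalid/stale stable main\n' "$d" > "$d/stale.list"
  echo "$d"
}

# Stand-alone run over the constructed layout; exit status = number of findings.
sample=$(make_sample_dir)
audit_apt_sources "$sample" || echo "$? finding(s)"
rm -rf "$sample"
```

Pointing it at a real /etc/apt/sources.list.d shows which entries still depend on trusted.gpg; a non-zero exit status makes it usable as a CI check.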

Further reading

Connect to a third-party repository on Debian Wiki

Update (2023)

Most repos I see in the wild have adopted this (or similar) syntax 🎉 (that includes Docker, I just used it as an example)

I've removed the snippets in the first comment: I don't feel like updating them, as it would mostly just be a copy of official instructions.

@notpushkin (Author)

A good starting point is unsurprisingly the Debian wiki: Instructions to connect to a third-party repository

L1so commented Oct 1, 2022

I once omitted >/dev/null from the line gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/atom.gpg > /dev/null and it output gibberish text. Why is this?

@notpushkin (Author)

@L1so gpg --dearmor converts an ASCII-armoured GPG key into its binary form, which is what apt expects to see in trusted.gpg.d and which is the gibberish you see.

We then pipe it into tee. Usually, tee writes it to a file and also to stdout again, perhaps because it was meant for processing pipelines like:

do_something \
  | tee ~/intermediate-state.txt \
  | do_smth_else \
  > ~/final-state.txt

We don't need the stdout here though – we're just using sudo tee to write to a file as root, so we throw it out instead: > /dev/null

mruncleleon commented Jun 21, 2023

Why do we need to tee output to gpg? Here this command works:

curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
| sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg

Or

curl -fsSL https://repositories.intel.com/graphics/intel-graphics.key \
| sudo gpg --dearmor -o /usr/share/keyrings/intel-graphics.gpg

notpushkin (Author) commented Jun 21, 2023

@mruncleleon Yeah, it should work and probably wouldn't be a big problem. I just think limiting what actions you do as root to the absolute minimum is a good practice.

That said yeah, most instructions I see in the wild use sudo gpg -o. Should be fine.
