Do not use apt-key add.
apt-key add [filename]
Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.
— apt-key(8) manpage
There's a good reason for this deprecation: apt-key add imports keys into /etc/apt/trusted.gpg, and APT accepts a Release file signed by any key in that keyring for every repository, not just the one you added the key for. So whoever controls a third-party key you imported (the vendor, or anyone who has compromised it) could also sign forged Release files for your distribution's own repositories, and APT would accept them if they can get those files in front of you (for example by MITM of a plain-HTTP mirror).
Update (2023): Current best practice is to give each repository its own keyring file and pin it in the source entry with [signed-by=...], so that key can only ever sign that repository. Keys you add by hand belong in /etc/apt/keyrings (newer APT versions create the directory; the mkdir -p below covers older releases); /usr/share/keyrings is for keyrings shipped by packages. So instead of curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - you should use something like this:
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| gpg --dearmor \
| sudo tee /etc/apt/keyrings/docker.gpg \
> /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
(You have to use gpg --dearmor because older APT versions only accept binary keyrings for signed-by; current versions also accept ASCII-armoured .asc files, but dearmoring works everywhere. Whichever form you use, the keyring must be readable by the unprivileged _apt user, otherwise APT ignores it and prints a warning. The tee form above creates the file as 0644 under root's default umask; if you write it some other way, check with ls -l.)
Once again, in a single line:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/docker.gpg > /dev/null
Connect to a third-party repository on Debian Wiki
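The procedure above (own keyring file, world-readable, pinned with signed-by) as a script, plus an audit that finds source entries still verified against the global trusted keyring. This is an added example, not code from the gist, Docker or Debian: the function names, the scratch-directory layout, the four-byte stand-in key and the sample sources line are my own, and every path is a parameter so it runs against a temporary directory without touching /etc/apt.

```bash
#!/usr/bin/env bash
# Added example, not code from the gist: install a third-party repository key
# as its own keyring, pin it with signed-by, and audit existing .list sources
# for entries that still rely on the global trusted keyring. All paths are
# parameters; nothing below touches /etc unless you pass it.
set -eu

# Install KEY_FILE as KEYRING_DIR/NAME.gpg. ASCII-armored input is dearmored
# with gpg (the only step that needs gpg); a binary keyring is copied as-is.
# The file is made world-readable because APT verifies signed-by keyrings as
# the unprivileged _apt user and ignores a keyring it cannot read.
install_repo_key() {
    local name="$1" key_file="$2" keyring_dir="$3"
    local dest="$keyring_dir/$name.gpg"
    mkdir -p "$keyring_dir"
    if head -n 1 "$key_file" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        command -v gpg >/dev/null || { echo "gpg is needed to dearmor $key_file" >&2; return 1; }
        gpg --dearmor < "$key_file" > "$dest"
    else
        cp "$key_file" "$dest"
    fi
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# Write SOURCES_DIR/NAME.list as a one-line entry restricted to ARCH and
# pinned to KEYRING, so only that key can sign this repository's Release file.
# ARCH defaults to the host architecture (amd64 if dpkg is unavailable).
write_sources_entry() {
    local name="$1" url="$2" suite="$3" components="$4" keyring="$5" sources_dir="$6"
    local arch="${7:-$(dpkg --print-architecture 2>/dev/null || echo amd64)}"
    mkdir -p "$sources_dir"
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' \
        "$arch" "$keyring" "$url" "$suite" "$components" > "$sources_dir/$name.list"
    printf '%s\n' "$sources_dir/$name.list"
}

# Report deb/deb-src lines in SOURCES_DIR/*.list that carry no signed-by
# option: those are checked against every key in /etc/apt/trusted.gpg and
# trusted.gpg.d, which is exactly the exposure apt-key add created. Returns 1
# if any are found. (deb822 .sources files use a Signed-By: field instead and
# are not scanned here.)
audit_sources() {
    local sources_dir="$1" f line bad=0
    for f in "$sources_dir"/*.list; do
        [ -e "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                deb\ *|deb-src\ *)
                    case "$line" in
                        *signed-by=*) ;;
                        *) printf 'UNPINNED %s: %s\n' "$f" "$line"; bad=1 ;;
                    esac ;;
            esac
        done < "$f"
    done
    return "$bad"
}

# Demo on constructed data in a scratch directory. The "key" is a four-byte
# stand-in for a binary keyring (0x99 is an OpenPGP public-key packet tag), not
# a real key; the unpinned sample line is the pre-signed-by style this gist
# warns about and is flagged by the audit.
demo() {
    local root keyring
    root="$(mktemp -d)"
    mkdir -p "$root/sources"
    printf '\231\001\015\004' > "$root/docker.key"
    printf 'deb http://ppa.launchpad.net/example/ppa/ubuntu jammy main\n' > "$root/sources/old-ppa.list"
    keyring="$(install_repo_key docker "$root/docker.key" "$root/keyrings")"
    write_sources_entry docker https://download.docker.com/linux/ubuntu jammy stable \
        "$keyring" "$root/sources" amd64 >/dev/null
    audit_sources "$root/sources" || echo "fix the UNPINNED entries above"
    rm -rf "$root"
}
demo
```

Against a real system, run audit_sources /etc/apt/sources.list.d (and check /etc/apt/sources.list by hand) to find the entries that still need a per-repository keyring; every line it prints is one a stray key in trusted.gpg could sign for.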
Most repos I see in the wild have adopted this (or similar) syntax 🎉 (that includes Docker, I just used it as an example)
I've removed the snippets in the first comment: I don't feel like updating them, as it would mostly just be a copy of official instructions.
Why do we need to tee output to gpg? Here this command works:
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
    | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
Or
curl -fsSL https://repositories.intel.com/graphics/intel-graphics.key \
    | sudo gpg --dearmor -o /usr/share/keyrings/intel-graphics.gpg