@tomfun
Created August 2, 2025 23:12
how to fix apt warnings

🔧 Migrating APT GPG Keys to the Modern Format

Fix deprecated apt-key warnings and unsupported key files


🚨 1. The Problem: Legacy Keyring Warnings

When running apt update, you might see warnings like:

W: http://ppa.launchpad.net/phoerious/keepassxc/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://ose-repo.syslog-ng.com/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

This means these repositories are using an outdated, monolithic keyring file:

/etc/apt/trusted.gpg

Ubuntu and Debian now require keys to be stored in:

/etc/apt/keyrings/<name>.gpg

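and referenced with signed-by=... in your .list files, so that each key is trusted only for the repository that names it, not for every configured source.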


✅ Quick Fix (TL;DR)

  1. Export the legacy key

    sudo apt-key export 61922AB60068FCD6 | gpg --dearmor | sudo tee /etc/apt/keyrings/phoerious-keepassxc-jammy.gpg > /dev/null

    (Use your actual key ID; this example is for KeePassXC.)

  2. Update the source list

    Edit:

    sudo nano /etc/apt/sources.list.d/phoerious-keepassxc-jammy.list

    Replace with:

    deb [signed-by=/etc/apt/keyrings/phoerious-keepassxc-jammy.gpg] https://ppa.launchpadcontent.net/phoerious/keepassxc/ubuntu jammy main

  3. Remove the legacy reference

    sudo apt-key del 61922AB60068FCD6

    This deletes the key from /etc/apt/trusted.gpg.


🧪 2. Diagnosing Unsupported Key Files

If you see:

W: The key(s) in the keyring ... are ignored as the file has an unsupported filetype.

like this:

W: http://ftp.icm.edu.pl/pub/Linux/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/phoerious.gpg are ignored as the file has an unsupported filetype.

That means the file (even in /etc/apt/trusted.gpg.d/) is in the wrong format.

Check the format with:

file /etc/apt/trusted.gpg.d/example.gpg

❌ Bad:

GPG keybox database version 1

✅ Good:

OpenPGP Public Key Version 4

APT requires OpenPGP v4 keyrings, not GPG keybox databases.


🔧 3. Convert or Replace the Key the Right Way

You have two options:


🔁 1. Convert a broken key file

gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/broken-key.gpg --export | gpg --dearmor | sudo tee /etc/apt/keyrings/fixed-key.gpg > /dev/null

Then update your .list file:

deb [signed-by=/etc/apt/keyrings/fixed-key.gpg] https://example.repo/url stable main

Remove the old one:

sudo rm /etc/apt/trusted.gpg.d/broken-key.gpg

🧲 2. Download a new key from source

curl -fsSL https://repo.example.com/key.asc -o /tmp/key.asc
gpg --dearmor < /tmp/key.asc | sudo tee /etc/apt/keyrings/example.gpg > /dev/null

Update the .list file the same way.


🛠️ 4. Full Example: KeePassXC and syslog-ng

🔁 Migrate KeePassXC key

curl -fsSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x61922AB60068FCD6' | gpg --dearmor | sudo tee /etc/apt/keyrings/phoerious-keepassxc-jammy.gpg > /dev/null

Update:

deb [signed-by=/etc/apt/keyrings/phoerious-keepassxc-jammy.gpg] https://ppa.launchpadcontent.net/phoerious/keepassxc/ubuntu jammy main

Remove any legacy file:

sudo rm -f /etc/apt/trusted.gpg.d/phoerious.gpg

🧼 5. Clean Up and Verify

Check the remaining .gpg files for any that file reports as GPG keybox database version 1, and remove those:

file /etc/apt/trusted.gpg.d/*.gpg

Then:

sudo rm -f /etc/apt/trusted.gpg.d/<bad-key>.gpg

Run:

sudo apt update

✅ You should now see no warnings.
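
To check the result of the migration beyond the absence of warnings, the script below (an added example, not part of the original gist) lists every deb/deb-src line in the given .list files and reports whether it names a signed-by key and whether that key file is in a usable format. The function names, status labels and the rule "binary for .gpg, armored for .asc" are this example's own assumptions; deb822 .sources files are not handled.

```sh
#!/bin/sh
# Added example: audit one-line-style APT .list files after a key migration.

# Classify a key file by its leading bytes:
# prints binary | armored | keybox | unknown | missing
keyring_format() {
  [ -r "$1" ] || { echo missing; return; }
  # A GnuPG keybox carries the magic "KBXf" (4b 42 58 66) at offset 8.
  if [ "$(od -An -tx1 -j8 -N4 "$1" 2>/dev/null | tr -d ' \n')" = 4b425866 ]; then
    echo keybox; return
  fi
  # A binary OpenPGP public key starts with packet header 0x98, 0x99 or 0xc6.
  case $(od -An -tx1 -N1 "$1" | tr -d ' \n') in
    98|99|c6) echo binary; return ;;
  esac
  if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
    echo armored; return
  fi
  echo unknown
}

# For every deb/deb-src line print: STATUS<TAB>list file<TAB>detail
#   OK       signed-by names a binary .gpg or an armored .asc file
#   BADKEY   signed-by names a missing, keybox or mismatched file
#   UNPINNED no signed-by, so the source relies on the global trusted keyrings
audit_sources() {
  for list in "$@"; do
    [ -r "$list" ] || continue
    while read -r line || [ -n "$line" ]; do
      case $line in deb\ *|deb-src\ *) ;; *) continue ;; esac
      key=$(printf '%s\n' "$line" |
        sed -n 's/.*\[[^]]*signed-by=\([^][:space:],]*\).*/\1/p')
      if [ -z "$key" ]; then
        status=UNPINNED detail='no signed-by option'
      else
        fmt=$(keyring_format "$key")
        case $fmt:$key in
          binary:*.gpg|armored:*.asc) status=OK ;;
          *) status=BADKEY ;;
        esac
        detail="$key ($fmt)"
      fi
      printf '%s\t%s\t%s\n' "$status" "$list" "$detail"
    done < "$list"
  done
}

# Example: sh audit.sh /etc/apt/sources.list /etc/apt/sources.list.d/*.list
if [ "$#" -gt 0 ]; then audit_sources "$@"; fi
```

Any line reported as UNPINNED or BADKEY still needs one of the fixes from sections 1 to 3.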


🧠 Tips

| Problem Type | Fix |
|---|---|
| Legacy trusted.gpg warning | Export key, store in /etc/apt/keyrings/, use signed-by= in .list, then remove from legacy store |
| Unsupported filetype in .gpg | Re-export key with `gpg --export \| gpg --dearmor`, save to `/etc/apt/keyrings/`, update source, remove bad file |
| New key from upstream | `curl ... \| gpg --dearmor > /etc/apt/keyrings/`, reference in `signed-by=`, remove any old `.gpg` |
| Unsure about key | Use gpg --list-keys and file command to check content and format |