If you see messages like this when running APT updated on Debian/Ubuntu systems:
W: https://download.virtualbox.org/virtualbox/debian/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
This is because using apt-key - particularly the mechanism where it dumps all its keys into one large file (/etc/apt/trusted.gpg) - is a bad idea and deprecated. Apt-Key trusts all those keys, for anything that apt is doing - not just for the particular repository that they key belongs to - anything!
Afaik, the only way to fix this is currently by hand.
The correct way to do that is as follows:
Find the particular key that you want to fix
You probably have more than one, so dump the list:
$ sudo apt-key list > ~/apt-key-list
Then grep the list:
$ grep --context=5 virtualbox ~/apt-key-list
/etc/apt/trusted.gpg
--------------------
pub dsa1024 2010-05-18 [SC]
7B0F AB3A 13B9 0743 5925 D9C9 5442 2A4B 98AB 5139
uid [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub elg2048 2010-05-18 [E]
...
pub rsa4096 2016-04-22 [SC]
B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
uid [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub rsa4096 2016-04-22 [E]
or you can run apt-key list each time:
$ sudo apt-key list | grep virtualbox
Export the key to a new file
The key id is the last 9 chars of the fingerprint, with the space removed, so: 98AB 5139
→ 98AB5139
.
We can then use that to export the key to a new file & remove the old one from apt-key:
$ sudo apt-key export 98AB5139 | sudo gpg --dearmour -o /usr/share/keyrings/virtualbox.gpg
$ sudo apt-key del 98AB5139
I chose to put these into /usr/share/keyrings/
, which seems to be the “default” location.
Update the apt source/list file to point to the new key
All my existing apt repos & PPAs were configured using .list files in /etc/apt/sources.list.d/
. These are tiny text files with one line per repo and look like this:
deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian jammy contrib
All options, like arch and key, are comma separated key/value pairs inside the []
after the initial deb
.
Turns out there’s a “new” format (supported since apt 1.1, in 2015) for these, deb-822 style .sources
files, which are multi-line and look like this:
# VirtualBox Official Repo
Types: deb
Architectures: amd64
URIs: https://download.virtualbox.org/virtualbox/debian
Suites: jammy
Components: contrib
Signed-By: /usr/share/keyrings/virtualbox.org.gpg
These obviously should have just been .toml
files, but what can you do. They’re easier to read and write than the previous single line format.
You use the Signed-By: /usr/share/keyrings/virtualbox.org.gpg
part to point to a key for that repo, which will be used by apt just for this purpose.
References
Pieced together from the following sources: