If you see messages like this when running APT updated on Debian/Ubuntu systems:
W: https://download.virtualbox.org/virtualbox/debian/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
This is because using apt-key - particularly the mechanism where it dumps all its keys into one large file (/etc/apt/trusted.gpg) - is a bad idea and deprecated. Apt-Key trusts all those keys, for anything that apt is doing - not just for the particular repository that they key belongs to - anything!
Afaik, the only way to fix this is currently by hand.
The correct way to do that is as follows:
Find the particular key that you want to fix
You probably have more than one, so dump the list:
$ sudo apt-key list > ~/apt-key-list
Then grep the list:
$ grep --context=5 virtualbox ~/apt-key-list /etc/apt/trusted.gpg -------------------- pub dsa1024 2010-05-18 [SC] 7B0F AB3A 13B9 0743 5925 D9C9 5442 2A4B 98AB 5139 uid [ unknown] Oracle Corporation (VirtualBox archive signing key) <email@example.com> sub elg2048 2010-05-18 [E] ... pub rsa4096 2016-04-22 [SC] B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF uid [ unknown] Oracle Corporation (VirtualBox archive signing key) <firstname.lastname@example.org> sub rsa4096 2016-04-22 [E]
or you can run apt-key list each time:
$ sudo apt-key list | grep virtualbox
Export the key to a new file
The key id is the last 9 chars of the fingerprint, with the space removed, so:
98AB 5139 →
We can then use that to export the key to a new file & remove the old one from apt-key:
$ sudo apt-key export 98AB5139 | sudo gpg --dearmour -o /usr/share/keyrings/virtualbox.gpg $ sudo apt-key del 98AB5139
I chose to put these into
/usr/share/keyrings/, which seems to be the “default” location.
Update the apt source/list file to point to the new key
All my existing apt repos & PPAs were configured using .list files in
/etc/apt/sources.list.d/. These are tiny text files with one line per repo and look like this:
deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian jammy contrib
All options, like arch and key, are comma separated key/value pairs inside the
 after the initial
Turns out there’s a “new” format (supported since apt 1.1, in 2015) for these, deb-822 style
.source files, which are multi-line and look like this:
# VirtualBox Official Repo Types: deb Architectures: amd64 URIs: https://download.virtualbox.org/virtualbox/debian Suites: jammy Components: contrib Signed-By: /usr/share/keyrings/virtualbox.org.gpg
These obviously should have just been
.toml files, but what can you do. They’re easier to read and write than the previous single line format.
You use the
Signed-By: /usr/share/keyrings/virtualbox.org.gpg part to point to a key for that repo, which will be used by apt just for this purpose.
Pieced together from the following sources: