apt-key is not being deprecated for security reasons
apt-key is a tool for managing the keys
apt uses to verify packages. It is a command-line wrapper around
You cannot install
apt-key, It is already there, as part of
[email protected]:~# apt install apt-key E: Unable to locate package apt-key
Why is it not a separate package? IDK.
Why it was deprecated
A while back gpg was removed from the list of dependencies in
apt. This change meant
apt-key could not work out of the box on a fresh Debian install. Users would have to manually
apt install gpg if they wanted to use
The commit message gives the following reason.
most users will never use apt-key.
gpgto function. However,
aptonly depends on the smaller
gpgvtool to verify packages.
Pretty self-explanatory. The developers wanted to reduce the install size of
I’m not really sure if dependencies & install size is the reason. I think there’s another justified reason apt is being deprecated. Haven’t found it yet.
The alternative is placing the keys inside
/etc/apt/trusted.gpg.d/. To add a new key, you would only need
For example, to install
# Instal curl apt update && apt install curl # Download the gpg key curl https://packages.microsoft.com/keys/microsoft.asc \ -o /etc/apt/trusted.gpg.d/microsoft.asc # Add repo to sources.list echo deb [arch=amd64] http://packages.microsoft.com/repos/code stable main \ > /etc/apt/sources.list.d/vscode.list # Install vscode apt update && apt install code
I think this method is easier to understand & automate than
What about security?
apt-key related articles & answers mention security as the reason for the deprecation. The most common advice is to place keys in
/usr/share/keyrings instead of
/etc/apt/trusted.gpg.d/. You then use the
signed-by feature to limit the repos the key can sign.
This has little security impact. Even the developers implementing the
signed-by feature acknowledge it.
Not immensely useful from a security perspective all by itself
The advice is basically this:
Don’t add repos you don’t trust. It’s hard to do so securely.
More on Linux security
Untrusted Debs - Debian Wiki
Linux Server “best practices” - Live Overflow
Attacks against GPG signed APT repositories - packagecloud.io