🔑 Remplacement d’apt-key

août

2022

🔑 Remplacement d’apt-key

Le programme apt-key va être supprimé dans Debian 12, il est obsolète. Cet article concerne donc tous les dérivés de Debian, comme Ubuntu, Linux Mint ou Raspi-OS.

ඏ

La conséquence est que vous risque de rencontrer des erreurs du type lors d’un apt update :

W: http://ppa.launchpad.net/git-core/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://download.virtualbox.org/virtualbox/debian/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/jerem-ferry/tts/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://repo.skype.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

ඏ

Remplacement d’`apt-key`

L’utilisation d’apt-key est obsolète. Voici comment modifier vos scripts :

(extrait de man 8 apt-key)

Si votre utilisation actuelle d’apt-key add ressemble à ceci :

wget -qO- https://myrepo.example/myrepo.asc | sudo apt-cle add -

Vous pouvez directement le remplacer par :

wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc

Assurez-vous d’utiliser l’extension asc pour les clés blindées ASCII et l’extension gpg pour le format binaire OpenPGP (« binary OpenPGP format »).

Recommandations :

Au lieu de placer les clés dans le répertoire /etc/apt/trusted.gpg.d, vous pouvez les placer n’importe où sur votre système de fichiers en utilisant l’option Signed-By dans votre sources.list et en pointant vers le nom de fichier de la clé. Voir sources.list(5) pour plus de détails. Depuis APT 2.4, /etc/apt/keyrings est fourni comme emplacement recommandé pour les clés non gérées par les packages.

ඏ

Exemple d’utilisation de `signed-by` dans les fichiers `sources.list`

Prenons le fichier /etc/apt/sources.list.d/nodesource.list, destiné à ajouter un dépôt pour les versions récentes de nodejs.

Ce fichier contient quelque chose comme :


deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x focal main
deb-src [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x focal main

On constate que le fichier servant à vérifier l’intégrité du paquet est défini à l’aide de l’attribut signed-by.

Dans un autre cas, le fichier /etc/apt/sources.list.d/signal-xenial.list, on trouve comment utiliser conjointement les attributs arch et signed-by:


deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main

ඏ

Correction des alertes lors de l’exécution de `apt update`

apt-key list | grep -B 2 -i xbmc

pub   rsa1024 2009-01-20 [SC]
      1897 01DA 570C 56B9 488E  F60A 6D97 5C47 91E7 EE5E
uid           [ unknown] Launchpad PPA for XBMC for Linux

Il faut convertir cette clé en un fichier .gpg, pour cela il faut récupérer les 8 derniers caractères de l’identificateur obtenu.

sudo apt-key export 91E7EE5E | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/team-xbmc.gpg

Vous devrez répéter les commandes ci-dessus pour chaque message d’avertissement généré par sudo apt update.

Autres exemples

Dans le cas, ci-dessus :

# Permet de trouver l’id :
apt-key list | grep -B 2 -i virtualbox

# Conversion de la clé au format **GPG** :
sudo apt-key export 2980AECF | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/oracle-virtualbox.gpg

apt-key list | grep -B 2 -i git
sudo apt-key export E1DF1F24 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/ubuntu-git.gpg

apt-key list | grep -B 2 -i skype
sudo apt-key export DF7587C3 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/microsoft-skype.gpg

apt-key list | grep -B 2 -i ferry
sudo apt-key export E1DF1F24 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/ubuntu-git.gpg

Un cas plus compliqué

J’ai galéré un peu pour la ligne :

W: http://ppa.launchpad.net/jerem-ferry/tts/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

qui correspondait au fichier /etc/apt/sources.list.d/jerem-ferry-tts-focal.list. Le but était de pouvoir installer l’application « Text To Speech ».

Du coup, l’idée a été de supprimer ce fichier.

sudo rm /etc/apt/sources.list.d/jerem-ferry-tts-focal.list
sudo apt update # Maintenant, l’alerte a disparu.

Ensuite je réinstalle le dépôt :

sudo add-apt-repository ppa:jerem-ferry/tts && sudo apt update

et j’ai les alertes suivantes :

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.Sy5X3mDhEk/gpg.1.sh --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys 7EB33EBA6BC7A2C939E216235153C487548402C7
gpg: key 5153C487548402C7: "Launchpad PPA for mothsArt" not changed

qui me permet de déduire que la fin de l’id est : 548402C7.

Je peux maintenant convertir la clé à l’aide de :

sudo apt-key export 548402C7 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/ppa:jerem-ferry-tts-mothsart.gpg

Finalement, je n’ai plus d’alerte lorsque j’exécute :

sudo apt update

ඏ

Le cas `apt-key list`

La liste des clés s’obtenait à l’aide de apt-key list dans l’avenir vous devrez utiliser : gpg --show-keys /etc/apt/trusted.gpg, qui donne un résultat très similaire :

Liste de vos clés

# Notez que la localisation des clés est géré par apt-key
apt-key list

gpg --show-keys /etc/apt/trusted.gpg
gpg --show-keys /etc/apt/trusted.gpg.d/*

Pour un traitement dans par script, vous trouverez sans doute utile l’option : --with-colons.

gpg --with-colons --show-keys /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*

/etc/apt/trusted.gpg
--------------------
pub   rsa1024 2010-05-04 [SC]
      7B2C 3B08 89BF 5709 A105  D03A C251 8248 EEA1 4886
uid           [ unknown] Launchpad VLC

pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

pub   rsa1024 2010-12-14 [SC]
      A3D8 A366 869F E2DC 5FFD  79C3 6A96 53F9 36FD 5529
uid           [ unknown] Launchpad PPA for atareao

pub   rsa1024 2009-01-20 [SC]
      643D C6BD 5658 0CEB 1AB4  A9F6 3B22 AB97 AF1C DFA9
uid           [ unknown] Launchpad PPA for Ubuntu-X

pub   rsa4096 2017-11-26 [SC]
      4053 F889 A25B 94BB 58F8  89CC 6F6F 0287 E3B1 D17C
uid           [ unknown] Launchpad PPA for hayder majed

pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]

pub   rsa4096 2015-08-12 [SC]
      2388 FF3B E10A 76F6 38F8  0723 FCAE 110B 1118 213C
uid           [ unknown] Launchpad PPA for Graphics Drivers Team

pub   rsa4096 2017-05-08 [SCEA]
      1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
uid           [ unknown] Sublime HQ Pty Ltd <support@sublimetext.com>
sub   rsa4096 2017-05-08 [S]

pub   rsa1024 2009-09-02 [SC]
      FBA0 C227 099A 5360 635E  3D91 5216 5BD6 B9BA 26FA
uid           [ unknown] Launchpad OpenShot Development PPA

pub   rsa4096 2016-01-19 [SC]
      A59E 5EBF CCC6 1564 D6D4  365B 2763 B0EE 7709 FE97
uid           [ unknown] Launchpad PPA for Kdenlive

pub   rsa1024 2009-01-20 [SC]
      1897 01DA 570C 56B9 488E  F60A 6D97 5C47 91E7 EE5E
uid           [ unknown] Launchpad PPA for XBMC for Linux

pub   rsa2048 2016-06-22 [SC]
      D404 0146 BE39 7250 9FD5  7FC7 1F30 45A5 DF75 87C3
uid           [ unknown] Skype Linux Client Repository <se-um@microsoft.com>
sub   rsa2048 2016-06-22 [E]

pub   rsa1024 2010-04-14 [SC]
      43D3 A9F6 0C58 A716 9778  E6FB 8771 ADB0 8169 50D8
uid           [ unknown] Launchpad HandBrake Snapshots

pub   rsa1024 2013-12-03 [SC]
      A006 2203 196C A448 2DDB  859E 4C1C BE14 8525 41CB
uid           [ unknown] Launchpad PPA for Panda Jim

pub   rsa4096 2014-06-13 [SC]
      9FD3 B784 BC1C 6FC3 1A8A  0A1C 1655 A0AB 6857 6280
uid           [ unknown] NodeSource <gpg@nodesource.com>
sub   rsa4096 2014-06-13 [E]

pub   rsa1024 2009-01-22 [SC]
      E1DD 2702 88B4 E603 0699  E45F A171 5D88 E1DF 1F24
uid           [ unknown] Launchpad PPA for Ubuntu Git Maintainers

pub   rsa1024 2014-01-12 [SC]
      7EB3 3EBA 6BC7 A2C9 39E2  1623 5153 C487 5484 02C7
uid           [ unknown] Launchpad PPA for mothsArt

pub   rsa4096 2017-04-05 [SC]
      DBA3 6B51 81D0 C816 F630  E889 D980 A174 57F6 FB06
uid           [ unknown] Open Whisper Systems <support@whispersystems.org>
sub   rsa4096 2017-04-05 [E]

pub   rsa4096 2017-01-20 [SC]
      1FCD 77DD 0DBE F569 9AD2  6101 60EE 47FB AD3D D469
uid           [ unknown] Launchpad PPA for Nextcloud development

pub   rsa2048 2015-09-28 [SC] [expires: 2023-01-17]
      06D7 EADE 708A 40FA 136E  B454 0700 205D FD41 A71A
uid           [ unknown] devel OBS Project <devel@s2.owncloud.com>

pub   rsa4096 2018-08-14 [SC]
      E869 7E2E EF76 C02D 3A63  3277 8881 B2A8 2109 76F2
uid           [ unknown] Package Manager (Package Signing Key) <packages@pgadmin.org>
sub   rsa4096 2018-08-14 [E]

/etc/apt/trusted.gpg.d/isv_ownCloud_server_10.gpg
-------------------------------------------------
pub   rsa2048 2016-09-25 [SC] [expired: 2022-04-02]
      1B07 204C D71B 690D 409F  57D2 4ABE 1AC7 557B EFF9
uid           [ expired] isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>

/etc/apt/trusted.gpg.d/linuxmint-keyring.gpg
--------------------------------------------
pub   rsa4096 2016-05-24 [SC]
      302F 0738 F465 C153 5761  F965 A661 6109 451B BBF2
uid           [ unknown] Linux Mint Repository Signing Key <root@linuxmint.com>
sub   rsa4096 2016-05-24 [E]

/etc/apt/trusted.gpg.d/microsoft.gpg
------------------------------------
pub   rsa2048 2015-10-28 [SC]
      BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
uid           [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>

/etc/apt/trusted.gpg.d/ubuntu-defaults.chroot.key.gpg
-----------------------------------------------------
pub   rsa4096 2016-05-24 [SC]
      302F 0738 F465 C153 5761  F965 A661 6109 451B BBF2
uid           [ unknown] Linux Mint Repository Signing Key <root@linuxmint.com>
sub   rsa4096 2016-05-24 [E]

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg
-----------------------------------------------------
pub   rsa4096 2016-03-21 [SC]
      F2ED C64D C5AE E1F6 B9C6  21F0 C8CA B659 5FDF F622
uid           [ unknown] Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive@lists.ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Résultat de: gpg --show-keys /etc/apt/trusted.gpg

pub   rsa1024 2010-05-04 [SC]
      7B2C3B0889BF5709A105D03AC2518248EEA14886
uid                      Launchpad VLC

pub   rsa4096 2016-04-22 [SC]
      B9F8D658297AF3EFC18D5CDFA2F683C52980AECF
uid                      Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

pub   rsa1024 2010-12-14 [SC]
      A3D8A366869FE2DC5FFD79C36A9653F936FD5529
uid                      Launchpad PPA for atareao

pub   rsa1024 2009-01-20 [SC]
      643DC6BD56580CEB1AB4A9F63B22AB97AF1CDFA9
uid                      Launchpad PPA for Ubuntu-X

pub   rsa4096 2017-11-26 [SC]
      4053F889A25B94BB58F889CC6F6F0287E3B1D17C
uid                      Launchpad PPA for hayder majed

pub   rsa4096 2016-10-05 [SC]
      72ECF46A56B4AD39C907BBB71646B01B86E50310
uid                      Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub   rsa4096 2017-09-10 [S] [expired: 2019-01-01]
sub   rsa4096 2019-01-02 [S] [expired: 2021-02-03]
sub   rsa4096 2019-01-11 [S] [expired: 2021-02-03]

pub   rsa4096 2015-08-12 [SC]
      2388FF3BE10A76F638F80723FCAE110B1118213C
uid                      Launchpad PPA for Graphics Drivers Team

pub   rsa4096 2017-05-08 [SCEA]
      1EDDE2CDFC025D17F6DA9EC0ADAE6AD28A8F901A
uid                      Sublime HQ Pty Ltd <support@sublimetext.com>
sub   rsa4096 2017-05-08 [S]

pub   rsa1024 2009-09-02 [SC]
      FBA0C227099A5360635E3D9152165BD6B9BA26FA
uid                      Launchpad OpenShot Development PPA

pub   rsa4096 2016-01-19 [SC]
      A59E5EBFCCC61564D6D4365B2763B0EE7709FE97
uid                      Launchpad PPA for Kdenlive

pub   rsa1024 2009-01-20 [SC]
      189701DA570C56B9488EF60A6D975C4791E7EE5E
uid                      Launchpad PPA for XBMC for Linux

pub   rsa2048 2016-06-22 [SC]
      D4040146BE3972509FD57FC71F3045A5DF7587C3
uid                      Skype Linux Client Repository <se-um@microsoft.com>
sub   rsa2048 2016-06-22 [E]

pub   rsa1024 2010-04-14 [SC]
      43D3A9F60C58A7169778E6FB8771ADB0816950D8
uid                      Launchpad HandBrake Snapshots

pub   rsa1024 2013-12-03 [SC]
      A0062203196CA4482DDB859E4C1CBE14852541CB
uid                      Launchpad PPA for Panda Jim

pub   rsa4096 2014-06-13 [SC]
      9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
uid                      NodeSource <gpg@nodesource.com>
sub   rsa4096 2014-06-13 [E]

pub   rsa1024 2009-01-22 [SC]
      E1DD270288B4E6030699E45FA1715D88E1DF1F24
uid                      Launchpad PPA for Ubuntu Git Maintainers

pub   rsa1024 2014-01-12 [SC]
      7EB33EBA6BC7A2C939E216235153C487548402C7
uid                      Launchpad PPA for mothsArt

pub   rsa4096 2017-04-05 [SC]
      DBA36B5181D0C816F630E889D980A17457F6FB06
uid                      Open Whisper Systems <support@whispersystems.org>
sub   rsa4096 2017-04-05 [E]

pub   rsa4096 2017-01-20 [SC]
      1FCD77DD0DBEF5699AD2610160EE47FBAD3DD469
uid                      Launchpad PPA for Nextcloud development

pub   rsa2048 2015-09-28 [SC] [expires: 2023-01-17]
      06D7EADE708A40FA136EB4540700205DFD41A71A
uid                      devel OBS Project <devel@s2.owncloud.com>

pub   rsa4096 2018-08-14 [SC]
      E8697E2EEF76C02D3A6332778881B2A8210976F2
uid                      Package Manager (Package Signing Key) <packages@pgadmin.org>
sub   rsa4096 2018-08-14 [E]

Résultat de: gpg --show-keys /etc/apt/trusted.gpg.d/*

pub   rsa2048 2016-09-25 [SC] [expired: 2022-04-02]
      1B07204CD71B690D409F57D24ABE1AC7557BEFF9
uid                      isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>

pub   rsa4096 2016-05-24 [SC]
      302F0738F465C1535761F965A6616109451BBBF2
uid                      Linux Mint Repository Signing Key <root@linuxmint.com>
sub   rsa4096 2016-05-24 [E]

pub   rsa4096 2016-05-24 [SC]
      302F0738F465C1535761F965A6616109451BBBF2
uid                      Linux Mint Repository Signing Key <root@linuxmint.com>
sub   rsa4096 2016-05-24 [E]

pub   rsa2048 2015-10-28 [SC]
      BC528686B50D79E339D3721CEB3E94ADBE1229CF
uid                      Microsoft (Release signing) <gpgsecurity@microsoft.com>

pub   rsa4096 2017-04-05 [SC]
      DBA36B5181D0C816F630E889D980A17457F6FB06
uid                      Open Whisper Systems <support@whispersystems.org>
sub   rsa4096 2017-04-05 [E]

pub   rsa4096 2016-05-24 [SC]
      302F0738F465C1535761F965A6616109451BBBF2
uid                      Linux Mint Repository Signing Key <root@linuxmint.com>
sub   rsa4096 2016-05-24 [E]

pub   rsa4096 2012-05-11 [SC]
      843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid                      Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

pub   rsa4096 2016-03-21 [SC]
      F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
uid                      Ubuntu Debug Symbol Archive Automatic Signing Key (2016) <ubuntu-archive@lists.ubuntu.com>

pub   rsa4096 2018-09-17 [SC]
      F6ECB3762474EDA9D21B7022871920D1991BC93C
uid                      Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

ඏ

Liens

What commands (exactly) should replace the deprecated apt-key?
Documentation sur GNU Privacy Guard en français. Datant de 2019, cette documentation ne s’attarde pas sur l’interface avec apt mais montre les usages plus communs de cet outil de chiffrement.

ᦿ

Vos commentaires

Pas encore de commentaire - ajouter le votre.
Ajouter votre commentaire

cClaude.rocks ☕ Le blog

Remplacement d’apt-key

Exemple d’utilisation de signed-by dans les fichiers sources.list

Correction des alertes lors de l’exécution de apt update

Le cas apt-key list

Liens

Remplacement d’`apt-key`

Exemple d’utilisation de `signed-by` dans les fichiers `sources.list`

Correction des alertes lors de l’exécution de `apt update`

Le cas `apt-key list`