apt-key deprecation

While updating Debian, I have seen this warning over the last few days:

Fetched 11.4 kB in 3s (3,605 B/s)
W: http://www.deb-multimedia.org/dists/testing/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://deb.torproject.org/torproject.org/dists/testing/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
                          

I did read the apt-key manual, but it wasn’t very clear to me how to proceed. So I searched for a bit and found this article. And it was exactly what I needed.

$ sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2014-03-05 [SC]
      A401 FF99 368F A1F9 8152  DE75 5C80 8C2B 6555 8117
uid           [ unknown] Christian Marillat <marillat@debian.org>
uid           [ unknown] Christian Marillat <marillat@free.fr>
uid           [ unknown] Christian Marillat <marillat@deb-multimedia>
uid           [ unknown] Christian Marillat <marillat@deb-multimedia.org>
sub   rsa4096 2014-03-05 [E]

pub   rsa2048 2009-09-04 [SC] [expires: 2024-11-17]
      A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D DD89
uid           [ unknown] deb.torproject.org archive signing key
sub   rsa2048 2009-09-04 [S] [expires: 2022-06-11]
...
...

Export the keys:

$ sudo apt-key export 65558117 | sudo gpg --dearmour -o /usr/share/keyrings/repo-debian-multimedia-testing.gpg 
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
$
 
 
$ sudo apt-key export 886DDD89 | sudo gpg --dearmour -o /usr/share/keyrings/repo-torproject-testing.gpg 
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
$ 

BTW, something I keep forgetting is what part of the pub key I needed. It is the last 8 digits (that you can see in the output of apt-key list). And that was mentioned in the article but I didn’t pay attention…

Now update “/etc/apt/sources.list”, adding “signed-by=/path to file created above” for each repo, so that each repo is verified only against its own keyring file:

###Debian Multimedia
deb [arch=amd64 signed-by=/usr/share/keyrings/repo-debian-multimedia-testing.gpg] http://www.deb-multimedia.org testing main non-free

###TOR
deb [arch=amd64 signed-by=/usr/share/keyrings/repo-torproject-testing.gpg] http://deb.torproject.org/torproject.org testing main

Update and see if the warning is gone:

# aptitude update 
Hit http://security.debian.org/debian-security testing-security InRelease
Hit http://deb.debian.org/debian testing InRelease                                                         
Ign https://apt.fury.io/netdevops  InRelease
Ign https://apt.fury.io/netdevops  Release
Hit http://www.deb-multimedia.org testing InRelease
Hit https://dl.google.com/linux/chrome/deb stable InRelease                                                                                       
Hit https://packages.cloud.google.com/apt cloud-sdk InRelease        
Hit http://deb.torproject.org/torproject.org testing InRelease
Get: 1 https://apt.fury.io/netdevops  Packages
Ign https://apt.fury.io/netdevops  Translation-en_GB
Ign https://apt.fury.io/netdevops  Translation-en
Ign https://apt.fury.io/netdevops  Contents (deb)
Ign https://apt.fury.io/netdevops  Contents (deb)
Fetched 11.4 kB in 3s (3,650 B/s)
                                         
# 

All good

And clean-up before finishing:

$ sudo apt-key del 65558117
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
$ sudo apt-key del 886DDD89
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
$
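
To confirm that no entry was missed after the migration, the following script lists every active entry in a sources.list-style file and flags those without a signed-by option, which still rely on the global trusted keyrings. It is an added example, not taken from the article mentioned above; the function names and the example.invalid entry are made up for illustration, and it only handles the one-line "deb ..." format used in this post.

```shell
#!/bin/sh
# Added example: audit a sources.list-style file for entries without signed-by.

# Constructed sample: the two entries from this page plus one unpinned
# entry (example.invalid is a placeholder, not a real repository).
sample_sources() {
    cat <<'EOF'
###Debian Multimedia
deb [arch=amd64 signed-by=/usr/share/keyrings/repo-debian-multimedia-testing.gpg] http://www.deb-multimedia.org testing main non-free

###TOR
deb [arch=amd64 signed-by=/usr/share/keyrings/repo-torproject-testing.gpg] http://deb.torproject.org/torproject.org testing main

deb http://example.invalid/debian testing main
EOF
}

# audit_sources FILE
# Prints "OK <uri> <keyring>" for entries pinned with signed-by and
# "UNPINNED <uri>" for entries that rely on the global trusted keyrings.
audit_sources() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    $1 != "deb" && $1 != "deb-src" { next }     # not a one-line-style entry
    {
        keyring = ""; uri = $2
        if ($2 ~ /^\[/) {                       # options block: [opt=val ...]
            for (i = 2; i <= NF; i++) {
                tok = $i
                sub(/^\[/, "", tok); sub(/\]$/, "", tok)
                if (tok ~ /^signed-by=/) keyring = substr(tok, 11)
                if ($i ~ /\]$/) { uri = $(i + 1); break }
            }
        }
        if (keyring == "") print "UNPINNED " uri
        else print "OK " uri " " keyring
    }' "$1"
}

# Demo on the constructed sample; on a real system pass /etc/apt/sources.list.
tmp=$(mktemp)
sample_sources > "$tmp"
audit_sources "$tmp"
rm -f "$tmp"
```

Any line reported as UNPINNED is still verified against every key in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d, so it is a candidate for the same export and signed-by treatment.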