Apt Keys

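When someone asks you to run apt-key add, don’t run it. It’s deprecated, and a key added this way is trusted for every repository on the system, not just the one it came with.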

Let’s say they ask you to run this command:

$ curl -s https://example.com/apt-key | sudo apt-key add -

Instead, dearmor the key and save it to /usr/share/keyrings:

$ curl -s https://example.com/apt-key |
    gpg --dearmor |
    sudo tee /usr/share/keyrings/example-keyring.gpg >/dev/null

Then, reference this key from the repository’s entry in /etc/apt/sources.list or /etc/apt/sources.list.d/. If the entry looks like this:

deb https://example.com/debian stable main

Then add the signed-by option:

deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://example.com/debian stable main

If there’s already a section in square brackets:

deb [arch=amd64] https://example.com/debian stable main

Then add it to the existing brackets, separated with a space:

deb [signed-by=/usr/share/keyrings/example-keyring.gpg arch=amd64] https://example.com/debian stable main
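
The two edits above can be scripted. This is an added example, not part of the original page: the function names pin_entry and pin_file are hypothetical, it handles only one-line deb/deb-src entries (not deb822 .sources files), and it matches the repository URI exactly as written.

```shell
#!/bin/sh
# Added example, not from the original page.
# pin_entry KEYRING URI LINE
#   Prints LINE; if it is a deb/deb-src entry for URI without signed-by,
#   prints it with signed-by=KEYRING added instead.
pin_entry() {
    local keyring="$1" uri="$2" line="$3" type word opts=""
    set -f              # no globbing while the entry is split into words
    set -- $line
    set +f
    case "${1-}" in
        deb|deb-src) type=$1; shift ;;
        *) printf '%s\n' "$line"; return 0 ;;   # comment, blank, other
    esac
    # Collect an existing option block: "[a=b]" or "[ a=b c=d ]".
    case "${1-}" in
        \[*)
            while [ $# -gt 0 ]; do
                word=$1; shift
                opts="$opts $word"
                case "$word" in *\]) break ;; esac
            done
            opts=${opts# \[}; opts=${opts%\]}
            opts=${opts# }; opts=${opts% }
            ;;
    esac
    # Pin only the repository the key belongs to, and leave an existing
    # signed-by alone: it may name a different keyring on purpose.
    if [ "${1-}" != "$uri" ]; then
        printf '%s\n' "$line"; return 0
    fi
    case " $opts" in
        *" signed-by="*) printf '%s\n' "$line"; return 0 ;;
    esac
    printf '%s [signed-by=%s%s] %s\n' "$type" "$keyring" "${opts:+ $opts}" "$*"
}

# pin_file KEYRING URI FILE: print FILE with matching entries pinned.
pin_file() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        pin_entry "$1" "$2" "$line"
    done <"$3"
}
```

pin_file writes to standard output only, so the result can be diffed against the original file before anything under /etc/apt is replaced.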