Apt-key deprecation

Hi,
I recently upgraded to Mint Cinnamon 21 from 20.3. I got the following message recently while performing a ‘sudo add-apt-repository ppa:xtradeb/apps’

“Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).”

I found a possible solution for the keyring problem at;

But I don’t quite understand what the problem / warning is, except that it has something to do with security.

When I ‘sudo apt-key list’, I had several items listed. Apparently, something has changed from Mint 20 to 21. Does “deprecated” mean ‘out of date’, unsecured, or ‘not used’?

If it is a security issue, I wonder why Mint would even allow it to be done since there seems to be a way to fix it.

2 Likes

Deprecated means something better is taking its place and the deprecated object is phased out over time, used less & less and at some point it will disappear completely.

General rule of thumb:
Once something is deprecated, stop using it as soon as possible. You will lose it at some point anyway, so it’s better to get used to the new method sooner rather than later.

1 Like

Some more help needed. I read the article, but I am doing something wrong or don’t understand. Does every item listed after the command ‘sudo apt-key list’ need to be taken care of / corrected?
My first item listed is;
pub rsa1024 2013-06-24 [SC]
56E0 9F98 278D 83F6 3047 5E16 FFE1 FFFF AFEC 55BB
uid [ unknown] Launchpad PPA for Stefan Sundin

pub rsa4096 2020-11-09 [SC]
5301 FA4F D932 44FB C6F6 1499 82BB 6851 C64F 6880
uid [ unknown] Launchpad PPA for xtradeb Ubuntu team

/etc/apt/trusted.gpg.d/linuxmint-keyring.gpg

When I follow the instructions and perform;
sudo apt-key export AFEC55BB | sudo gpg –dearmour -o /etc/apt/trusted.gpg.d/Launchpad.gpg

I get;
gpg: WARNING: no command supplied. Trying to guess what you mean …
usage: gpg [options] [filename]
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: [stdout]: write error: Broken pipe
gpg: filter_flush failed on close: Broken pipe

I tested the command from the tutorial, which you used, and it worked perfectly fine for me.

There is something wrong with the command. Try executing only this.

sudo apt-key export AFEC55BB

Additionally, not sure if it’s related to it being an extremely weak and old key.

This is extremely insecure. Almost like no encryption.

Thanks @Akito, doing the export command by itself works fine. I might have a bad character in my copy / paste. I will try again without doing the copy paste.

What can / should I do about this software / entry?

If that guy did not update his key and you still use his software, I’m afraid you can do nothing about it.

Did it work?



Yes, @Akito. Thank you, I got it to work.
But on the software with the bad security. I could try to ID it and uninstall it.

I also saw where PPAs were listed under Software Sources in Mint’s Update Manager and could be enabled / disabled with a check mark. Could I also disable them there?

The software itself is not related to it. The problem is that, when updating it through the maintainer’s PPA channel, you will use that insecure key you saw above for authentication purposes.

So, in theory, someone could let you install malicious software, if he chooses to exploit the weak key, for example.

Though, all that said, the chance of this happening is very low for a normal end-user.

The primary reason I mentioned the low security in the first place is that I had trouble in the past regarding weak keys. I had trouble managing them, because they did not seem to work the same way with gpg as normally sized keys.

The secondary reason is that I was surprised he would use such a low security key. The lowest one should use now is 2048.
I personally never go lower than 4096.

Therefore, it’s not a big issue for you, right now.
Though, if it bothers you, just ask the maintainer for a better key.
He should have a newer one anyway.

1 Like
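
Added example (not part of any post in this thread): a small shell function that reads `apt-key list` style output and marks RSA/DSA keys below the 2048-bit floor mentioned above. The function names are this example's own; the sample key data is copied from the listing posted earlier in the thread.

```shell
#!/bin/sh
# Added example: flag weak signing keys in `apt-key list`-style output.
# MIN_RSA_BITS follows the 2048-bit floor mentioned in the thread.
MIN_RSA_BITS=2048

# audit_keys: read the listing on stdin and print one line per key:
#   STATUS ALGO SHORT_ID UID     (STATUS is WEAK or OK)
audit_keys() {
    awk -v min="$MIN_RSA_BITS" '
        function emit() {
            if (algo == "") return
            status = "OK"
            if (algo ~ /^(rsa|dsa)[0-9]+$/) {
                bits = algo; sub(/^[a-z]+/, "", bits)
                if (bits + 0 < min) status = "WEAK"
            }
            printf "%s %s %s %s\n", status, algo, substr(fpr, length(fpr) - 7), uid
            algo = ""; fpr = ""; uid = ""
        }
        $1 == "pub" { emit(); algo = $2; want_fpr = 1; next }
        want_fpr && NF { fpr = $0; gsub(/[ \t]/, "", fpr); want_fpr = 0; next }
        $1 == "uid" && uid == "" { uid = substr($0, index($0, "]") + 1); sub(/^[ \t]+/, "", uid) }
        END { emit() }
    '
}

# count_weak: number of keys in the listing on stdin that fall below the floor.
count_weak() {
    audit_keys | awk '$1 == "WEAK" { n++ } END { print n + 0 }'
}

# Sample input: the two keys from the listing posted in this thread.
sample_listing() {
    cat <<'EOF'
pub   rsa1024 2013-06-24 [SC]
      56E0 9F98 278D 83F6 3047  5E16 FFE1 FFFF AFEC 55BB
uid           [ unknown] Launchpad PPA for Stefan Sundin

pub   rsa4096 2020-11-09 [SC]
      5301 FA4F D932 44FB C6F6  1499 82BB 6851 C64F 6880
uid           [ unknown] Launchpad PPA for xtradeb Ubuntu team
EOF
}

# Real use: sudo apt-key list 2>/dev/null | audit_keys
sample_listing | audit_keys
```

The SHORT_ID column is the last eight hex digits of the fingerprint, which is the form used with `apt-key export` in the thread.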

Good to know. Could I even lower the odds by disabling the PPA in Linux update? Meaning, if I understand it correctly, after the software is installed, it cannot be updated. Therefore, no one else could use the weak key.

My desktop machine was showing the exact same thing - due to how I’d installed Resilio Sync…

I stopped RSL, removed it.

Deleted the entries in files in /etc/apt/ (and deleted specific files for their repo).

Downloaded the DEB and installed via dpkg - and deprecated warning went away… it’s a mostly harmless warning, but the untidiness bothered my autism-spectrum OCD :smiley:

1 Like

Disabling would fix the security issue. If you don’t try to update, it won’t use the key. If it won’t use the key, it’s useless and cannot be exploited.

That is because it didn’t add the third party repo.

You may have slight discomfort because the installed application from the deb file is likely to not get automatic updates.

@easyt50 I covered this topic a couple of weeks ago.

Remember that it is a warning, not an error. You can ignore it and continue using it like before if you don’t want to trouble yourself with manually adding the repository keys with gpg.

Basically, the apt-key mechanism will be going away in future versions and things will change around it.

Unfortunately, there is no straightforward replacement of apt-key at the moment.

2 Likes