Key deprecation

Hi,
I recently upgraded to Mint Cinnamon 21 from 20.3. I got the following message recently while performing an ‘sudo add-apt-repository ppa:xtradeb/apps’

“Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).”

I found a possible solution for the keyring problem at;

But I don’t quite understand what the problem / warning is, except that it has something to do with security.

When I ‘sudo apt-key list’, I had several item listed. Apparently, something has changed from Mint 20 to 21. Does “deprecated” mean ‘out of date’, unsecured, or ‘not used’?

If it is a security issue, I wonder why Mint would even allow it to be done since there seems to be a way to fix it.

2 Likes

Deprecated means, something better is taking its place and the deprecated object is phased out over time, used less & less and at some point it will disappear completely.

General rule of thumb:
Once something is deprecated, stop using it as soon as possible. You will lose it at some point anyway, so it’s better to get used to the new method better sooner, than later.

1 Like

Some more help needed. I read the article, but I am doing something wrong or don’t understand. Is every item listed after the command ‘sudo apt-key list’ needs to be taken care of / corrected?
My first item listed is;
pub rsa1024 2013-06-24 [SC]
56E0 9F98 278D 83F6 3047 5E16 FFE1 FFFF AFEC 55BB
uid [ unknown] Launchpad PPA for Stefan Sundin

pub rsa4096 2020-11-09 [SC]
5301 FA4F D932 44FB C6F6 1499 82BB 6851 C64F 6880
uid [ unknown] Launchpad PPA for xtradeb Ubuntu team

/etc/apt/trusted.gpg.d/linuxmint-keyring.gpg

When I follow the instructions and perform;
sudo apt-key export AFEC55BB | sudo gpg –dearmour -o /etc/apt/trusted.gpg.d/Launchpad.gpg

I get;
gpg: WARNING: no command supplied. Trying to guess what you mean …
usage: gpg [options] [filename]
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
gpg: [stdout]: write error: Broken pipe
gpg: filter_flush failed on close: Broken pipe

I tested the command from the tutorial, which you used, and it worked perfectly fine for me.

There is something wrong with the command. Try executing only this.

sudo apt-key export AFEC55BB

Additionally, not sure if it’s related to it being an extremely weak and old key.

This is extremely insecure. Almost llike no encryption.

Thanks @Akito, doing the export command by itself works fine. I might have a bad character in my copy / paste. I will try again without doing the copy paste.

What can / should I do about this software / entry?

If that guy did not update his key and you still use his software, I’m afraid you can do nothing about it.

Did it work?


.
.

Yes, @Akito. Thank you, I got it to work.
But on the software with the bad security. I could try to ID it and uninstall it.

I also saw where PPA’s were listed under Software Sources in Mint’s Update Manager and could be enable / disable with a check mark. Could I also disable them there?

The software itself is not related to it. The problem is, that, when updating it through the maintainer’s PPA channel, you will use that insecure key you saw above, for authentication purposes.

So, in theory, someone could let you install malicious software, if he chooses to exploit the weak key, for example.

Though, all that said, the chance of this happening is very low for a normal end-user.

The primary reason I mentioned the low security in the first place is, that I had trouble in the past regarding weak keys. I had trouble managing them, because they did not seem to work the same way with gpg as normally sized keys.

The secondary reason is, that I was surprised he would use such a low security key. The lowest, one should use now is 2048.
I personally never go lower than 4096.

Therefore, it’s not a big issue for you, right now.
Though, if it bothers you, just ask the maintainer for a better key.
He should have a newer one anyway.

1 Like

Good to know. Could I even lower the odds by disabling the PPA in Linux update? Meaning, if I understand it correctly, after the software is install, it can not be updated. Therefore, no one else could use the weak key.

My desktop machine was showing the exact same thing - due to how I’d installed Resilio Sync…

I stopped RSL, removed it.

Deleted the entries in files in /etc/apt/ (and deleted specific files for their repo).

Downloaded the DEB and installed via dpkg - and deprecated warning went away… it’s a mostly harmless warning, but the untidyness bothered my autism-spectrum OCD :smiley:

1 Like

Disabling would fix the security issue. If you don’t try to update, it won’t use the key. If it won’t use the key, it’s useless and cannot be exploited.

That is because it didn’t add the third party repo.

You may have slight discomfort because the installed application from the deb file is likely to not get automatic updates.

@easyt50 I covered this topic a couple of weeks ago.

Remember that it is a warning, not an error. You can ignore it and continue using it like before if you don’t want to trouble yourself with manually adding the repository keys with gpg.

Basically, the apt-key mechanism will be going away in future versions and things will change around it.

Unfortunately, there is no straightforward replacement of apt-key at the moment.

1 Like