add-apt-key
Add a GPG key for APT repository
SYNOPSIS
add-apt-key [--keyring KEYRING] [--dearmor] FILE
PARAMETERS
--keyring KEYRING
Store the key in the specified keyring file instead of the default /etc/apt/trusted.gpg
--dearmor
Convert ASCII-armored key to binary format before import
FILE
Path to GPG key file; use - for stdin
DESCRIPTION
add-apt-key (in stock APT this is apt-key add) imports a GPG public key into APT's global trusted keyring, /etc/apt/trusted.gpg; keys shipped by packages are dropped as separate files into /etc/apt/trusted.gpg.d/ instead. apt uses the keys in that keyring to verify the signature on a repository's Release file (InRelease or Release.gpg). Individual .deb files are not signed; their hashes are checked against the verified Release file. Because the keyring is global, every key in it is accepted for every configured repository.
Commonly used in installation scripts for PPAs or external repos, e.g.:
curl -fsSL https://example.com/archive-keyring.gpg | sudo apt-key add -
The command reads binary or ASCII-armored key data from a file or from stdin ('-'), detects the format itself, and stores the public key so that apt can verify Release files signed with it.
Requires root privileges. On success it prints 'OK'. It was the standard way to add repository keys for years but is now deprecated: because the keyring is global, a key added for one third-party repository is also accepted for every other repository, including the distribution's own archive. An attacker who controls that key (a leaked vendor key, or a vendor that turns malicious) and who can interpose on the network or a mirror can then serve a forged Release file for any repository on the system.
APT 1.1 and later support the signed-by option in sources.list, which restricts a repository to one keyring file; the recommended layout keeps such per-repository keyrings under /etc/apt/keyrings/ so that each key is trusted only for the repository it belongs to.
CAVEATS
Deprecated: avoid in new code; apt-key is scheduled for removal. The global keyring makes every imported key trusted system-wide. See apt-secure(8) for the signed-by mechanism. The command still works on Ubuntu 22.04 and Debian 12 but prints a deprecation warning on every call.
MODERN REPLACEMENT EXAMPLE
sudo install -d -m 0755 /etc/apt/keyrings
gpg --dearmor < key.asc | sudo tee /etc/apt/keyrings/example.gpg > /dev/null
echo 'deb [signed-by=/etc/apt/keyrings/example.gpg arch=amd64] https://example.com/repo /' | sudo tee /etc/apt/sources.list.d/example.list
The keyring file must be world-readable (0644), since apt's fetcher runs as the unprivileged _apt user.
SECURITY NOTE
Verify the fingerprint of any key before installing it: print it with gpg --show-keys FILE (or gpg --with-colons --import-options show-only --import FILE, which works on older GnuPG) and compare the full 40-hex-digit fingerprint with the value the repository operator publishes out of band, never with one fetched from the same URL as the key. Short 8- or 16-digit key IDs are collidable and are not a substitute. A key in the global trusted.gpg is trusted for every repository, not just the one it came from, so a leaked or malicious third-party key can sign a forged Release file for the distribution's own archive.
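The following POSIX shell script is an added example, not part of apt or of this page's original text. It combines the two preceding sections: it downloads a vendor key, refuses it unless its primary-key fingerprint equals a value pinned in the script, converts it to binary only when it is ASCII-armored, installs it under /etc/apt/keyrings/ and writes a sources.list entry scoped to that keyring with signed-by. The key URL, fingerprint, repository URL, suite and file paths are placeholders that a reader replaces with the vendor's published values.

```shell
#!/bin/sh
# Added example: pinned-fingerprint key installation with a signed-by
# scoped sources entry. Not part of apt; all constants are placeholders.
set -eu

# Hypothetical values. The fingerprint must come from the vendor's
# documentation or another channel independent of the key download.
KEY_URL="https://example.com/archive-keyring.asc"
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
KEYRING="/etc/apt/keyrings/example.gpg"
LIST="/etc/apt/sources.list.d/example.list"
REPO_URL="https://example.com/repo"

# True if the file is ASCII-armored (starts with the PGP armor header).
is_armored() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Print the fingerprint of every primary key in the file, one per line,
# without importing anything. The fpr line that follows a pub record is
# the primary key; fpr lines after sub records (subkeys) are skipped.
primary_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "pub" { want = 1; next }
                   $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# fingerprint_ok EXPECTED FOUND
# Succeeds only if EXPECTED is a full 40-hex-digit v4 fingerprint (short
# key IDs are collidable) and FOUND holds exactly that one primary
# fingerprint, so a key file bundling extra keys is rejected as well.
fingerprint_ok() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$2
    case "$expected" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 1
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$found" | head -n 1)" = "$expected" ]
}

# sources_line KEYRING ARCH URI SUITE [COMPONENT...]
# Build a one-line sources.list entry that trusts only KEYRING.
sources_line() {
    keyring=$1 arch=$2 uri=$3
    shift 3
    printf 'deb [signed-by=%s arch=%s] %s %s\n' "$keyring" "$arch" "$uri" "$*"
}

# Download, verify and install the key; must run as root.
install_key() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp" "$tmp.bin"' EXIT
    curl -fsSL "$KEY_URL" -o "$tmp"
    if ! fingerprint_ok "$EXPECTED_FPR" "$(primary_fingerprints "$tmp")"; then
        echo "refusing $KEY_URL: primary fingerprint is not $EXPECTED_FPR" >&2
        return 1
    fi
    if is_armored "$tmp"; then
        gpg --batch --yes --dearmor -o "$tmp.bin" "$tmp"
    else
        cp "$tmp" "$tmp.bin"
    fi
    # 0755 directory and 0644 keyring: apt's fetcher runs as _apt.
    install -d -m 0755 "$(dirname "$KEYRING")"
    install -m 0644 "$tmp.bin" "$KEYRING"
    sources_line "$KEYRING" amd64 "$REPO_URL" stable main > "$LIST"
}

# Only act when invoked as: sudo sh install-repo-key.sh install
if [ "${1:-}" = "install" ]; then
    install_key
fi
```

The fingerprint check runs before anything is written, so a substituted or bundled key never reaches /etc/apt/keyrings/. The suite "stable main" in install_key is the conventional layout; a flat repository like the one in the example above is written by passing "/" as the suite with no components.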
HISTORY
apt-key dates from the introduction of secure APT (signature verification of Release files) in the APT 0.6 series. The signed-by option, which scopes a key to one repository, was added in APT 1.1 (2015). The deprecation warning was added in the APT 2.1 series (2020) and is printed by Debian 11 and 12 and by Ubuntu 22.04 and 24.04, all of which still ship the command; removal is planned but has not happened in a stable release.
SEE ALSO
apt-key(8), gpg(1), apt(8), apt-secure(8)