apt-key
Manage trusted APT keys
TLDR
List trusted keys
Add a key to the trusted keystore
Delete a key from the trusted keystore
Add a remote key to the trusted keystore
Add a key from keyserver with only key ID
SYNOPSIS
apt-key [options] command [keyid | filename]
Common commands:
apt-key add filename
apt-key del keyid
apt-key list
apt-key export keyid
apt-key update
apt-key net-update
Options:
--keyring filename (specifies an alternative keyring file)
PARAMETERS
add
Adds a GPG public key from filename to the trusted keyring. The key is typically added to `/etc/apt/trusted.gpg` or a file under `/etc/apt/trusted.gpg.d/`.
del
Deletes a GPG key identified by its keyid from the trusted keyring. This removes its trust for package verification.
list
Lists all keys currently stored in the trusted keyring, displaying their ID, type, size, creation date, and user ID.
export
Exports a specific GPG key identified by its keyid to standard output. Useful for sharing or backing up keys.
update
Updates the local APT keyring with new keys from a predefined keyserver (functionality largely removed in recent APT versions).
net-update
Similar to `update`, but uses APT's network configuration for key fetching (also largely removed).
--keyring
Specifies an alternative GPG keyring file to operate on instead of the default global keyrings.
DESCRIPTION
The `apt-key` command was historically used to manage the list of trusted GPG (GNU Privacy Guard) keys for the Advanced Package Tool (APT) on Debian-based Linux distributions. These keys are crucial for verifying the authenticity and integrity of software packages downloaded from repositories.
When a key was added using `apt-key`, it was placed into a global keyring (e.g., `/etc/apt/trusted.gpg` or `/etc/apt/trusted.gpg.d/`). This allowed APT to verify signatures of packages from any repository whose signing key was present in this global keyring. However, this global trust model presented a significant security vulnerability, as a compromised key could allow an attacker to sign malicious packages for any repository.
Due to these security concerns, `apt-key` has been largely deprecated in favor of a more secure, per-repository key management approach using the `signed-by` option in `sources.list` entries.
CAVEATS
DEPRECATED: The `apt-key` command is officially deprecated. Its use for adding new keys is strongly discouraged due to security vulnerabilities.
Global Trust Issue: Keys added via `apt-key` become globally trusted for all APT repositories. If a globally trusted key is compromised, it could be used to sign malicious packages for any repository, not just the one it originated from.
Modern Approach: For securely adding repository keys, the recommended method is to use the `signed-by` option within `/etc/apt/sources.list.d/*.list` entries, pointing to a specific key file (e.g., `.gpg` or `.asc`) stored in `/etc/apt/keyrings/`.
WHY APT-KEY IS DEPRECATED AND THE MODERN APPROACH
The deprecation of `apt-key` stems from its design flaw of creating a global trust store. Any key added via `apt-key` effectively grants permission to sign packages from any repository on the system, regardless of its origin. This means that if you add a key for a single third-party repository and that key is later compromised, it could be used to sign malicious packages that APT would blindly trust from any other repository you have configured.
The modern, secure alternative involves using the `signed-by` option in your `/etc/apt/sources.list.d/*.list` files. Instead of adding keys globally, you explicitly specify which key is allowed to sign packages for a particular repository. For example:
deb [signed-by=/etc/apt/keyrings/example-archive-keyring.gpg] https://example.com/debian stable main
This ensures that the `example-archive-keyring.gpg` key is only trusted for packages coming from `https://example.com/debian`. This targeted trust significantly reduces the attack surface and improves the overall security posture of your system's package management.
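The per-repository model just described, as an added example that is not part of the apt-key manual or of APT itself: a POSIX shell script that writes a sources.list.d entry scoped with signed-by and then lists any remaining entries that still rely on the global keyring (the entries any apt-key-added key can sign for). APT_ROOT, the function names and the example.com / legacy.example.org repositories are assumptions made for illustration; the keyring file created under the scratch directory is an empty placeholder, not a real key.

```shell
#!/bin/sh
# Added example; not part of the apt-key manual or of APT itself.
# It applies the per-repository trust model: a sources entry that names its
# own keyring with signed-by, plus an audit of entries that still rely on the
# global apt-key keyring. APT_ROOT is an assumption of this script (not an
# APT setting) so it can be exercised in a scratch directory instead of the
# live /etc/apt.
APT_ROOT="${APT_ROOT:-$(mktemp -d)}"

# Build the one-line sources entry for a repository scoped to one keyring.
#   $1 keyring path  $2 repository URL  $3 suite  $4 components
signed_by_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Write sources.list.d/<name>.list pointing at /etc/apt/keyrings/<keyring>.
# The keyring must already exist: a mistyped path would not widen trust (APT
# would simply refuse the repository), but catching it here avoids a confusing
# signature-verification failure at the next apt update.
#   $1 name  $2 keyring file name  $3 repository URL  $4 suite  $5 components
write_source() {
    name="$1"; keyring="/etc/apt/keyrings/$2"; url="$3"; suite="$4"; comps="$5"
    [ -f "$APT_ROOT$keyring" ] || { echo "keyring $APT_ROOT$keyring not found" >&2; return 1; }
    mkdir -p "$APT_ROOT/etc/apt/sources.list.d"
    signed_by_entry "$keyring" "$url" "$suite" "$comps" \
        > "$APT_ROOT/etc/apt/sources.list.d/$name.list"
}

# Print every deb/deb-src line that carries no signed-by option. Those
# repositories are verified against the global trusted keyring, so any key
# ever added with apt-key can sign packages for them.
audit_unscoped_sources() {
    cat "$APT_ROOT/etc/apt/sources.list" \
        "$APT_ROOT"/etc/apt/sources.list.d/*.list 2>/dev/null \
        | grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
        | grep -v 'signed-by=' || true
}

# Constructed demonstration data under the scratch root: an empty placeholder
# standing in for a real keyring, and a legacy entry written without signed-by.
mkdir -p "$APT_ROOT/etc/apt/keyrings" "$APT_ROOT/etc/apt/sources.list.d"
: > "$APT_ROOT/etc/apt/keyrings/example-archive-keyring.gpg"
printf 'deb https://legacy.example.org/debian stable main\n' \
    > "$APT_ROOT/etc/apt/sources.list.d/legacy.list"

write_source example example-archive-keyring.gpg https://example.com/debian stable main
echo "scoped entry:";   cat "$APT_ROOT/etc/apt/sources.list.d/example.list"
echo "still unscoped:"; audit_unscoped_sources
```

Run as-is, the script works entirely inside a temporary directory; set APT_ROOT to an empty string (as root) to write the real /etc/apt. Converting a downloaded ASCII-armored key into the binary .gpg file (for example with gpg --dearmor) is left outside the script, since the point here is the scoping of trust, not key retrieval.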
HISTORY
Initially, `apt-key` was the primary tool for managing PGP/GPG keys used by APT to authenticate packages. It simplified the process of adding repository keys by placing them in a single, global keyring (e.g., `/etc/apt/trusted.gpg`).
Over time, as APT grew more sophisticated and security best practices evolved, the global trust model of `apt-key` was identified as a security risk. If a single key in the global keyring were compromised, it could undermine the security of the entire system by allowing an attacker to impersonate any repository.
Beginning with APT version 1.1 (released in 2015), `apt-key` started to be deprecated. Subsequent versions, particularly APT 2.1+, strongly pushed for a new, more secure paradigm: individual keys should be explicitly associated with specific repository entries using the `signed-by` option in `sources.list` files, and these keys should be stored in a dedicated directory like `/etc/apt/keyrings/` for better scoping and management. Functionality like `apt-key update` and `apt-key net-update` has also been removed from newer APT versions (2.4+).