apt-key

List trusted keys

$ apt-key list

$ apt-key add [public_key_file.asc]

$ apt-key del [key_id]

$ wget [[-qO|--quiet --output-document]] - [https://host.tld/filename.key] | apt-key add -

$ apt-key adv --keyserver [pgp.mit.edu] --recv [KEYID]

apt-key [options] command [keyid | filename]

Common commands:
apt-key add filename
apt-key del keyid
apt-key list
apt-key export keyid
apt-key update
apt-key net-update

Options:
--keyring filename (specifies an alternative keyring file)

add
    Adds a GPG public key from filename to the trusted keyring. The key is typically added to `/etc/apt/trusted.gpg` or a file under `/etc/apt/trusted.gpg.d/`.

del
    Deletes a GPG key identified by its keyid from the trusted keyring. This removes its trust for package verification.

list
    Lists all keys currently stored in the trusted keyring, displaying their ID, type, size, creation date, and user ID.

export
    Exports a specific GPG key identified by its keyid to standard output. Useful for sharing or backing up keys.

update
    Updates the local APT keyring with new keys from a predefined keyserver (functionality largely removed in recent APT versions).

net-update
    Similar to `update`, but uses APT's network configuration for key fetching (also largely removed).

--keyring
    Specifies an alternative GPG keyring file to operate on instead of the default global keyrings.

The `apt-key` command was historically used to manage the list of trusted GPG (GNU Privacy Guard) keys for the Advanced Package Tool (APT) on Debian-based Linux distributions. These keys are crucial for verifying the authenticity and integrity of software packages downloaded from repositories.

When a key was added using `apt-key`, it was placed into a global keyring (e.g., `/etc/apt/trusted.gpg` or `/etc/apt/trusted.gpg.d/`). This allowed APT to verify signatures of packages from any repository whose signing key was present in this global keyring. However, this global trust model presented a significant security vulnerability, as a compromised key could allow an attacker to sign malicious packages for any repository.

Due to these security concerns, `apt-key` has been largely deprecated in favor of a more secure, per-repository key management approach using the `signed-by` option in `sources.list` entries.

DEPRECATED: The `apt-key` command is officially deprecated. Its use for adding new keys is strongly discouraged due to security vulnerabilities.

Global Trust Issue: Keys added via `apt-key` become globally trusted for all APT repositories. If a globally trusted key is compromised, it could be used to sign malicious packages for any repository, not just the one it originated from.

Modern Approach: For securely adding repository keys, the recommended method is to use the `signed-by` option within `/etc/apt/sources.list.d/*.list` entries, pointing to a specific key file (e.g., `.gpg` or `.asc`) stored in `/etc/apt/keyrings/`.

The deprecation of `apt-key` stems from its design flaw of creating a global trust store. Any key added via `apt-key` effectively grants permission to sign packages from any repository on the system, regardless of its origin. This means that if you add a key for a single third-party repository and that key is later compromised, it could be used to sign malicious packages that APT would blindly trust from any other repository you have configured.

The modern, secure alternative involves using the `signed-by` option in your `/etc/apt/sources.list.d/*.list` files. Instead of adding keys globally, you explicitly specify which key is allowed to sign packages for a particular repository. For example:

deb [signed-by=/etc/apt/keyrings/example-archive-keyring.gpg] https://example.com/debian stable main

This ensures that the `example-archive-keyring.gpg` key is only trusted for packages coming from `https://example.com/debian`. This targeted trust significantly reduces the attack surface and improves the overall security posture of your system's package management.

Initially, `apt-key` was the primary tool for managing PGP/GPG keys used by APT to authenticate packages. It simplified the process of adding repository keys by placing them in a single, global keyring (e.g., `/etc/apt/trusted.gpg`).

Over time, as APT grew more sophisticated and security best practices evolved, the global trust model of `apt-key` was identified as a security risk. If a single key in the global keyring were compromised, it could undermine the security of the entire system by allowing an attacker to impersonate any repository.

Beginning with APT version 1.1 (released in 2015), `apt-key` started to be deprecated. Subsequent versions, particularly APT 2.1+, strongly pushed for a new, more secure paradigm: individual keys should be explicitly associated with specific repository entries using the `signed-by` option in `sources.list` files, and these keys should be stored in a dedicated directory like `/etc/apt/keyrings/` for better scoping and management. Functionality like `apt-key update` and `apt-key net-update` has also been removed from newer APT versions (2.4+).

apt(8), apt-get(8), sources.list(5), gpg(1)