LinuxCommandLibrary

apt-key

Manage trusted APT keys

TLDR

List trusted keys

$ apt-key list

Add a key to the trusted keystore
$ apt-key add [public_key_file.asc]

Delete a key from the trusted keystore
$ apt-key del [key_id]

Add a remote key to the trusted keystore
$ wget [[-qO|--quiet --output-document]] - [https://host.tld/filename.key] | apt-key add -

Add a key from keyserver with only key ID
$ apt-key adv --keyserver [pgp.mit.edu] --recv [KEYID]

SYNOPSIS

apt-key [options] {command | update | net-update}

PARAMETERS

add
    Add key(s) from the given file (or stdin) to the trusted keyring

del
    Remove key(s) matching the given key ID from the keyring

list
    List keys and fingerprints in the trusted keyring

export []
    Export specified key(s) or all to stdout

exportall []
    Export all keys or specified ones, including subkeys

fingerprint []
    Show fingerprints for key(s)

adv --keyserver --recv-keys
    Advanced: Receive keys from keyserver

adv --keyserver --export
    Advanced: Export keys to keyserver

--keyring
    Use alternative keyring file instead of trusted.gpg

--quiet
    Quiet mode, no progress indicator

--recv-keys
    Download and add keys from default keyserver

--keyserver
    Specify keyserver URL

update
    Deprecated: Refresh keyring (use apt update)

net-update
    Deprecated: Update keys from keyserver

DESCRIPTION

The apt-key command is a tool for adding, removing, listing, exporting, and managing GPG keys used by the APT package manager to verify the authenticity and integrity of packages from configured repositories. It operates on the global keyring, traditionally /etc/apt/trusted.gpg, which holds keys implicitly trusted across all repositories.

Common use cases include importing keys from a keyserver or from local files to enable secure package installation from third-party sources, such as PPAs in Ubuntu. For example, downloading a key and adding it with apt-key add allows APT to check signatures on Release files and packages.

However, apt-key is deprecated since Debian 11 (Bullseye) and Ubuntu 22.04 due to security risks: mixing keys in a single global file makes it impossible to scope trust per repository, so a compromised key for one repository can be used to sign packages for any other. Modern best practice is to download each key to /etc/apt/keyrings/ and reference it with the signed-by option in a per-repository entry under sources.list.d, so each repository is verified only against its own key.

Despite deprecation, it remains available for legacy support but issues warnings on use.

CAVEATS

Deprecated and insecure: Implicitly trusts keys for all repositories. Use debsig-verify(1) or per-repo signed-by instead. Will be removed in future APT versions; triggers warnings on modern systems.

MIGRATION GUIDE

To migrate:
1. wget -O- key-url | gpg --dearmor -o /etc/apt/keyrings/repo.gpg
2. Add to sources.list.d: deb [signed-by=/etc/apt/keyrings/repo.gpg] uri suite comp
3. Run apt update to test.
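The following script is an added example for the migration steps above and for the trust-scoping problem described under DESCRIPTION and CAVEATS; it is not part of the original page or of APT. It assumes gpg 2.2 or later (for --show-keys), and the KEYRING_DIR and SOURCES_DIR variables are assumptions that let the functions be exercised outside /etc/apt. It wraps steps 1 and 2 in one function, refuses to write into the global trusted.gpg locations, prints a key file's fingerprints so they can be compared with the vendor-published value before installation, and audits existing source lines for entries that still rely on the global keyring.

```shell
#!/bin/sh
# Added example (not from the original page or from APT): migrate one
# third-party repository from the global apt-key keyring to a dedicated
# keyring referenced via signed-by, and audit sources that still lack it.
# Assumes gpg >= 2.2; KEYRING_DIR and SOURCES_DIR are overridable assumptions.
set -eu

KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"

# Return 0 when a keyring path is repository-scoped, 1 when it is one of the
# global locations APT trusts for every repository (the apt-key problem).
keyring_is_scoped() {
    case "$1" in
        /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the one-line sources.list.d entry that pins verification to a keyring.
# $1 keyring path, $2 repository URI, $3 suite, $4 components
make_source_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Print the fingerprints contained in a key file so they can be compared with
# the fingerprint the vendor publishes before the key is installed (gpg >= 2.2).
key_fingerprints() {
    gpg --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Convert an ASCII-armored key into the binary keyring APT reads. World-readable
# is correct here: the keyring holds only public keys.
dearmor_key() {
    gpg --dearmor < "$1" > "$2"
    chmod 0644 "$2"
}

# Migrate one repository (steps 1 and 2 of the guide):
# $1 short name, $2 already-downloaded and fingerprint-checked armored key file,
# $3 repository URI, $4 suite, $5 components.
migrate_repo() {
    name=$1
    keyfile=$2
    uri=$3
    suite=$4
    comps=$5
    keyring="$KEYRING_DIR/$name.gpg"
    keyring_is_scoped "$keyring" || { echo "refusing global keyring $keyring" >&2; return 1; }
    install -d -m 0755 "$KEYRING_DIR" "$SOURCES_DIR"
    dearmor_key "$keyfile" "$keyring"
    make_source_line "$keyring" "$uri" "$suite" "$comps" > "$SOURCES_DIR/$name.list"
}

# Read apt source lines on stdin and print the active deb/deb-src lines that
# carry no signed-by option, i.e. the ones still verified against the global
# keyring. Commented and blank lines are ignored.
unscoped_sources() {
    while IFS= read -r line; do
        case "$line" in
            "deb "*|"deb-src "*)
                case "$line" in
                    *signed-by=*) ;;
                    *) printf '%s\n' "$line" ;;
                esac ;;
        esac
    done
}
```

Typical use, after saving the vendor's armored key locally: run key_fingerprints ./repo.asc and compare the output with the fingerprint the vendor publishes, then migrate_repo repo ./repo.asc https://host.tld/apt stable main, followed by apt update. To find what still needs migrating, run cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | unscoped_sources; every line it prints is a repository whose packages are accepted under any key in the global keyring.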

HISTORY

Introduced in Debian with APT 0.5 (circa 2004) to simplify GPG key management for dpkg/apt. Widely used for PPAs and third-party repos. Deprecated in 2020 (APT 2.0+) due to security model flaws; phased out in Debian 12 and Ubuntu 24.04, with legacy support only.

SEE ALSO

apt(8), apt-secure(8), gpg(1), debsig-verify(1)
