apt-secure
Manage APT package authentication
SYNOPSIS
apt-secure update [options]
PARAMETERS
--allow-releaseinfo-change
Permit updates even if Release file info (like key lists) has changed
--ignore-missing
Skip repositories lacking a Release file; do not error out
DESCRIPTION
apt-secure is a utility in Debian-based systems that manages GPG keys for APT repositories securely. Primarily invoked as apt-secure update, it examines configured sources in /etc/apt/sources.list and /etc/apt/sources.list.d/, verifies Release file signatures, and acquires any missing public keys referenced therein.
It ensures protection against man-in-the-middle attacks by validating repository metadata before allowing package downloads. Keys are stored in individual files under /etc/apt/trusted.gpg.d/, replacing the deprecated monolithic /etc/apt/trusted.gpg. This command is automatically called by apt update during normal operation but can be run manually to refresh keys, especially after repository changes or key rotations.
By default, it aborts if Release file information changes (e.g., new keys added), preventing unexpected key imports. This design promotes security by requiring explicit approval for changes. apt-secure integrates with APT's overall security model, enforcing verified signatures on Release, Packages, and other index files.
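As an added example (not part of this page or of APT's own code), the following Python shows the two checks the description refers to: detecting a release-info change between a cached and a freshly fetched Release file, and validating an index file against the hash and size the signed Release pins for it. The Release and Packages contents are constructed, and the set of fields compared (Origin, Label, Suite, Codename) is an assumption; signature verification itself is left to gpgv.

```python
import hashlib

# Constructed sample index file and Release metadata (not from a real archive).
PACKAGES = b"Package: hello\nVersion: 2.10-3\nArchitecture: amd64\n\n"
PKG_SHA256 = hashlib.sha256(PACKAGES).hexdigest()

RELEASE_OLD = f"""Origin: Example
Label: Example
Suite: stable
Codename: bookworm
Date: Sat, 01 Jan 2024 00:00:00 UTC
SHA256:
 {PKG_SHA256} {len(PACKAGES)} main/binary-amd64/Packages
"""
# The same archive after "stable" moved on: the kind of change that aborts an
# update unless --allow-releaseinfo-change is given.
RELEASE_NEW = RELEASE_OLD.replace("Suite: stable", "Suite: oldstable")

# Assumption: these are the header fields compared for a release-info change.
RELEASEINFO_FIELDS = ("Origin", "Label", "Suite", "Codename")


def parse_release(text):
    """Split a Release file into header fields and a {path: (sha256, size)} table."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):          # continuation line of a hash table
            if section == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        section = key
        fields[key] = value.strip()
    return fields, hashes


def release_info_changes(old_fields, new_fields):
    """Fields whose values differ between the cached and the freshly fetched Release."""
    return {f: (old_fields.get(f), new_fields.get(f))
            for f in RELEASEINFO_FIELDS if old_fields.get(f) != new_fields.get(f)}


def index_matches_release(hashes, path, data):
    """Check an index file against the hash and size pinned in the signed Release."""
    if path not in hashes:
        return False
    digest, size = hashes[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```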
CAVEATS
Not intended for direct root execution; run via apt update. Fails if signatures are invalid or keys are untrusted. Deprecated apt-key workflows should migrate here.
USAGE NOTES
Typically automatic via apt update. Manual run: apt-secure update --allow-releaseinfo-change after repo changes.
Verify keys: apt-key list (deprecated) or, one keyring file at a time (--keyring accepts a single file, so a glob must be looped over): for k in /etc/apt/trusted.gpg.d/*.gpg; do gpg --no-default-keyring --keyring "$k" --list-keys; done
HISTORY
Introduced in APT 1.1 (2017) to decentralize key storage. Enhanced in APT 1.4+ amid apt-key deprecation (fully removed in APT 2.0+). Focuses on per-key files for better security and maintenance.