I am facing a problem on Ubuntu 18.04 (Bionic Beaver) with apt and the way it deals with trusted keys to authenticate repositories.
On Ubuntu 14.04 we used to install the key that was used to sign the repository of our software releases as a keyring in /etc/apt/trusted.gpg.d. By this apt knows that the key is trusted.
However, this seems to not work anymore on Ubuntu 18.04. If I do the same there, I get an error during updating:
# apt-get update
Hit:1 http://company.com/ubuntu-snapshot bionic InRelease
Reading package lists... Done
W: http://company.com/ubuntu-snapshot/dists/bionic/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/company-keys.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
The obvious attempt to fix it by
# sudo chown -v _apt /etc/apt/trusted.gpg.d/company-keys.gpg
changed ownership of '/etc/apt/trusted.gpg.d/company-keys.gpg' from root to _apt
does not work, as apt-get update then yields:
# apt-get update
Hit:1 http://company.com/ubuntu-snapshot bionic InRelease
Reading package lists... Done
W: http://company.com/ubuntu-snapshot/dists/bionic/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/company-keys.gpg are ignored as the file has an unsupported filetype.
The key itself is valid, if I add it with the following line everything works as expected:
wget -O - http://company.com/key.gpg | sudo apt-key add -
The latter is unfortunately not an option for us since we want to deploy our own keys and also have the ability to change/revoke them.
I could neither figure out why apt rejects the keyring in /etc/apt/trusted.gpg.d, nor could I find a changelog describing different expectations of apt for the new Ubuntu version. I would be very glad if you could point me to some resource to overcome this issue.
It sounds like your key file (/etc/apt/trusted.gpg.d/company-keys.gpg) is an unsupported format. The apt-key man page explains what's supported:
apt-key supports only the binary OpenPGP format (also known as "GPG key public ring") in files with the "gpg" extension, not the keybox database format introduced in newer gpg(1) versions as default for keyring files. Binary keyring files intended to be used with any apt version should therefore always be created with gpg --export.
Alternatively, if all systems which should be using the created keyring have at least apt version >= 1.4 installed, you can use the ASCII armored format with the "asc" extension instead which can be created with gpg --armor --export.
To check the file format, run file /etc/apt/trusted.gpg.d/company-keys.gpg
If it says "GPG key public ring" then I would expect it to work and I can't explain the problem you're seeing.
If it says "GPG keybox database" then the problem is the file format. You can convert it with this command (thanks to @Wildcard for including this in his answer):
gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/company-keys.gpg --export > /etc/apt/trusted.gpg.d/company-keys.fixed.gpg
If you see this problem repeatedly then you may wish to check how you're installing your key to /etc/apt/trusted.gpg.d/. I had a problem where attempting to list the contents of the keyring by running gpg --keyring /etc/apt/trusted.gpg.d/mine.gpg was causing the file to be created as an unsupported keybox file. Subsequently adding the key to that keyring didn't allow the key to be used.
Also worth noting that there's apparently no reason to use apt-key add. From the man page:
Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.
So if you're using apt-key add you could consider copying the file directly instead.
You can use gpg's --dearmor option to convert ASCII-armored keys, the ones rejected by apt in trusted.gpg.d, to the binary format, which is what apt expects.
gpg --dearmor keyfile
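Both answers come down to one question: which of the three on-disk formats is the file in /etc/apt/trusted.gpg.d actually in, and is it readable by the unprivileged _apt user? The following script is an added example and is not code from either answerer. It classifies a keyring by its leading bytes instead of calling file(1): a keybox database carries the magic "KBXf" at byte offset 8, an ASCII-armored key starts with the "-----BEGIN PGP PUBLIC KEY BLOCK-----" header, and a binary OpenPGP keyring starts with a packet header whose tag is 6 (public key), i.e. a first byte of 0x98-0x9B (old format) or 0xC6 (new format). The function names apt_keyring_type, apt_keyring_readable_by_others and fix_apt_keyring are my own; the two repair commands are the gpg --export and gpg --dearmor invocations from the answers above, and fix_apt_keyring assumes gpg is installed.

```shell
#!/bin/sh
# Classify a keyring intended for /etc/apt/trusted.gpg.d/ by its leading bytes.
# Prints one of: keybox, pgp-armored, pgp-binary, unknown.
# (Example code; function names are this example's own, not apt's or gpg's.)
apt_keyring_type() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    # Keybox database (what file(1) calls "GPG keybox database"): the keybox
    # header is u32 length, u8 type, u8 version, u16 flags, then magic "KBXf".
    if [ "$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)" = "KBXf" ]; then
        echo keybox; return 0
    fi
    # ASCII-armored key: only accepted by apt >= 1.4 and only with an .asc name.
    if head -n 1 "$f" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo pgp-armored; return 0
    fi
    # Binary OpenPGP keyring ("GPG key public ring"): the first byte is a packet
    # header for tag 6 (public key). Old format: 10 0110 xx = 0x98..0x9B;
    # new format: 11 000110 = 0xC6. Compared as decimal values from od(1).
    b=$(od -An -tu1 -N1 "$f" | tr -d ' ')
    case $b in
        152|153|154|155|198) echo pgp-binary; return 0 ;;
    esac
    echo unknown; return 1
}

# apt runs its fetch methods as the unprivileged user _apt, so the keyring must
# be world-readable (root-owned 0644 is the norm); chown to _apt is not needed.
# Checks the "other" read bit from the POSIX ls -l mode string.
apt_keyring_readable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Rewrite $1 into the binary format apt accepts, at path $2 (use absolute paths;
# gpg resolves a bare --keyring name relative to ~/.gnupg). Requires gpg.
fix_apt_keyring() {
    src=$1; dst=$2
    case $(apt_keyring_type "$src") in
        keybox)      gpg --no-default-keyring --keyring "$src" --export > "$dst" ;;
        pgp-armored) gpg --dearmor < "$src" > "$dst" ;;
        pgp-binary)  cp "$src" "$dst" ;;
        *)           echo "unrecognized keyring format: $src" >&2; return 1 ;;
    esac
    chmod 0644 "$dst"   # must be readable by _apt
}

# Usage (as root):
#   apt_keyring_type /etc/apt/trusted.gpg.d/company-keys.gpg
#   fix_apt_keyring /etc/apt/trusted.gpg.d/company-keys.gpg \
#                   /etc/apt/trusted.gpg.d/company-keys.fixed.gpg
#   apt-get update
```

Run apt_keyring_type first: if it reports keybox, the file was created by a modern gpg (for example by the --keyring listing mistake described above) and needs the --export round-trip; if it reports pgp-armored under a .gpg name, either dearmor it or rename it to .asc; if it reports pgp-binary but apt still ignores it, the remaining cause on the page is the permission check, which apt_keyring_readable_by_others covers.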