Investigating some apt-get update warnings.
Created by Steven Baltakatei Sandoval on under a CC BY-SA 4.0 license and last updated on 2020-01-27T15:58Z.
The Problem
I wanted to share some of my observations while upgrading a Debian Stretch installation which I hadn't touched in a while beyond running security updates.
After upgrading a machine from Stretch (Debian 9) to Buster (Debian 10) and updating my /etc/apt/sources.list file to match the Debian wiki's sources.list page, I found that running # apt-get update resulted in some warnings (the lines beginning with W:):
/etc/apt# apt-get update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian-security buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
W: http://deb.debian.org/debian/dists/buster/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype.
W: http://deb.debian.org/debian-security/dists/buster/updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype.
W: http://deb.debian.org/debian/dists/buster-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype.
I was a bit concerned that the # apt-get update operation may have failed (hindsight: it didn't, for reasons explained below).
The Investigation
I checked the contents of /etc/apt/ since this is where things seemed to be going wrong. I found that the directory contained some .gpg files within the /etc/apt/trusted.gpg.d/ directory. After some searching I found a way to check how apt manages gpg keys: by running # apt-key list I can see what public keys apt uses to check package signatures and, more importantly, where these keys are stored. All entries were located across several keyring files stored within the /etc/apt/trusted.gpg.d/ directory:
/etc/apt# apt-key list
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
uid [ unknown] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906
uid [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1
uid [ unknown] Jessie Stable Release Key <debian-release@lists.debian.org>
/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-----------------------------------------------------------
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
6ED6 F5CB 5FA6 FB2F 460A E88E EDA0 D238 8AE2 2BA9
uid [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
--------------------------------------------------------
pub rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
uid [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>
W: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype.
Again, that W: warning appears at the end. My guess is that the package debian-archive-keyring I had installed at some point had populated my /etc/apt/trusted.gpg.d/ directory with all these keys. But why won't apt-get read /etc/apt/trusted.gpg? How can I read this trusted.gpg file? $ cat trusted.gpg yields a mostly binary blob, so I'm guessing it's an exported public key that isn't ASCII-armored. Since that Debian Apt page included gpgv --keyring /etc/apt/trusted.gpg as part of a larger command, and since $ man gpgv shows that gpgv is just gpg focused on verifying signatures, I decided to try listing the keyring with gpg --keyring /etc/apt/trusted.gpg -k. This resulted in:
# gpg --keyring /etc/apt/trusted.gpg -k
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
pub rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
6ED6F5CB5FA6FB2F460AE88EEDA0D2388AE22BA9
uid [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub rsa4096 2017-05-22 [S] [expires: 2025-05-20]
pub rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
uid [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>
So, for some reason, gpg can read /etc/apt/trusted.gpg but apt-get says it cannot. Or rather, apt-get specifically warns that "The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file has an unsupported filetype". That Debian Apt page indicated that the /etc/apt/trusted.gpg.d/ directory is where keyrings should be stored for versions of Debian including Wheezy (Debian 7) and newer:
In more recent Debian GNU/Linux versions (Wheezy, for example), the keyrings are stored in specific files all located in the /etc/apt/trusted.gpg.d directory
So, the story I have now formed in my mind is that this older Debian machine had at one point been configured to keep some repository pgp public keys in /etc/apt/trusted.gpg. Then, in a later upgrade, repository keys were installed across separate individual keyring files in /etc/apt/trusted.gpg.d/ instead. The /etc/apt/trusted.gpg file was never removed in any upgrade process. At some point, Debian developers changed apt-get to no longer use the /etc/apt/trusted.gpg keyring for storing any public keys (and to instead have new installations store them in trusted.gpg.d). In other words, trusted.gpg was effectively deprecated and only served to annoy apt by existing.
Therefore, I decided to take some advice from a 2017-07-31 Debian Forums thread and remove trusted.gpg, keeping a dated backup copy first:
# cp -p /etc/apt/trusted.gpg /etc/apt/trusted-20200127snapshot.gpg
# rm /etc/apt/trusted.gpg
Now # apt-get update runs cleanly with no warnings:
/etc/apt# apt-get update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian-security buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
Summary
Debian 10 (Buster) ships a version of apt that ignores /etc/apt/trusted.gpg when the file is not in the format apt expects, which is exactly what the "unsupported filetype" warning reports. One caveat: the warning is about the file's format, not about trusted.gpg as a location. apt's gpgv method still accepts a plain binary OpenPGP keyring at that path, but rejects a keyring that GnuPG 2.1 or later has written in its newer keybox format; that is also why gpg itself, which reads both formats, could list the keys while apt refused them. Running file /etc/apt/trusted.gpg tells the two apart (a keybox file is reported as a "GPG keybox database"). Either way, on a current Debian the repository public keys live in separate keyring files within the /etc/apt/trusted.gpg.d directory. When upgrading an older Debian installation from Stretch to Buster, then:
- The $ sudo apt-get update command should be run to check that no errors appear indicating that public keys are missing (only the warning that /etc/apt/trusted.gpg is not supported).
- The $ sudo apt-get install debian-archive-keyring command should be run to make sure all current public keys are installed within /etc/apt/trusted.gpg.d.
- Every key still held in /etc/apt/trusted.gpg should be compared against the keys in /etc/apt/trusted.gpg.d (for example with gpg --keyring /etc/apt/trusted.gpg -k, as above), so that removing the file loses nothing a configured repository still needs.
- The file /etc/apt/trusted.gpg should then be renamed or removed.
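The checks above can be scripted so that the legacy keyring is inspected before anything is deleted. The following is an added example and not part of the original post. It assumes the Debian default paths, that gpg is installed, and that the first-byte test in keyring_type is the one apt-key applies to *.gpg keyrings (0x98/0x99 old-style and 0xC6 new-style public-key packets; this is my reading of the apt-key script and should be treated as the example's assumption). It classifies /etc/apt/trusted.gpg and every *.gpg fragment under /etc/apt/trusted.gpg.d by format, lists the primary-key fingerprints in each, and reports any key that exists only in the legacy file:

```shell
#!/bin/sh
# audit-apt-keys.sh: what is still in /etc/apt/trusted.gpg, and is any of it
# missing from /etc/apt/trusted.gpg.d?  (added example, not from the original post)
#
# Assumptions: Debian default paths; gpg installed; the first-byte test below
# mirrors apt-key's check for *.gpg files (0x98/0x99 old-style, 0xC6 new-style
# public-key packet) as I read the apt-key script.

# Classify a keyring file by its leading bytes: openpgp-binary (what apt's
# gpgv method accepts), ascii-armor, keybox (GnuPG 2.1+ pubring.kbx format,
# which carries "KBXf" at offset 8), or unknown.
keyring_type() {
    first=$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n' | tr 'A-F' 'a-f')
    head5=$(od -An -c -N5 "$1" 2>/dev/null | tr -d ' \n')
    magic=$(od -An -c -j8 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$first" in
        98|99|c6) echo openpgp-binary ;;
        *)
            if   [ "$head5" = '-----' ]; then echo ascii-armor
            elif [ "$magic" = 'KBXf' ];  then echo keybox
            else echo unknown
            fi ;;
    esac
}

# Primary-key fingerprints in a keyring, one per line. gpg reads both the
# legacy binary keyring and the keybox format through --keyring.
list_fingerprints() {
    gpg --batch --no-default-keyring --keyring "$1" --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }'
}

# Lines of file $1 that do not occur in file $2, deduplicated, order preserved.
# (FILENAME is used rather than NR == FNR so an empty $2 does not swallow $1.)
extra_fingerprints() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen) && !dup[$0]++' "$2" "$1"
}

# Report the legacy keyring's format, then every key it holds that no fragment
# under trusted.gpg.d holds. Prints the backup-and-remove commands only when
# nothing would be lost; never modifies anything itself.
audit_apt_trust() {
    legacy=${1:-/etc/apt/trusted.gpg}
    dir=${2:-/etc/apt/trusted.gpg.d}
    if [ ! -e "$legacy" ]; then
        echo "$legacy does not exist; nothing to do"
        return 0
    fi
    echo "$legacy: $(keyring_type "$legacy")"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found; cannot compare keys"; return 2; }
    tmp=$(mktemp -d) || return 2
    list_fingerprints "$legacy" > "$tmp/legacy"
    : > "$tmp/fragments"
    for f in "$dir"/*.gpg; do        # .asc fragments are not listed: --keyring wants binary
        [ -e "$f" ] || continue
        echo "$f: $(keyring_type "$f")"
        list_fingerprints "$f" >> "$tmp/fragments"
    done
    extra=$(extra_fingerprints "$tmp/legacy" "$tmp/fragments")
    rm -rf "$tmp"
    if [ -n "$extra" ]; then
        echo "keys present only in $legacy (lost if the file is removed):"
        echo "$extra"
        return 1
    fi
    echo "every key in $legacy is also under $dir; safe to back up and remove with:"
    echo "  cp -p $legacy /etc/apt/trusted-$(date +%Y%m%d)snapshot.gpg && rm $legacy"
}

# Only act when invoked directly with --run:   sh audit-apt-keys.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_apt_trust
fi
```

Run it as root with sh audit-apt-keys.sh --run. On the machine described above it would have flagged the 7.0/wheezy key (A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553), which appears in trusted.gpg but in none of the fragments; since no configured Buster source is signed by it and the listing shows it expiring 2020-04-25, losing it is acceptable, while the two Stretch keys it also holds are duplicated under trusted.gpg.d. The script deliberately prints the cp and rm commands rather than running them, so the decision about an unexpected extra key stays with the administrator.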
References
- Upgrading Debian 9 to Debian 10
- Debian wiki article about sources.list
- GnuPG Handbook: Chapter 1. Getting Started
- Debian wiki article about apt
- Debian Forums thread about deleting trusted.gpg
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.