This warning appears when apt-key runs in a non-interactive environment (like Docker or scripts). While non-critical, it indicates you should migrate away from deprecated apt-key to the new GPG-based key management method for better security.
This warning occurs when the apt-key command executes in a non-terminal environment (such as in Docker containers, CI/CD pipelines, or automated scripts). The warning tells you not to parse the output of apt-key, which suggests the tool is not designed for programmatic use in non-interactive contexts. The deeper issue is that apt-key has been deprecated since Debian 11 and Ubuntu 20.10. It adds keys to a global trusted keyring (/etc/apt/trusted.gpg), meaning any key in it is trusted to sign packages from any repository on the system, which is a significant security risk. The modern approach ties keys to specific repositories instead, preventing unauthorized key usage.
If you need a quick fix while still using apt-key, set the environment variable to suppress the warning in your Dockerfile or script:
ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEYID
Or in a shell script:
export APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=DontWarn
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEYID
This silences the warning but does not address the underlying deprecation issue.
Instead of using apt-key, download the GPG key directly into a dedicated keyring file, for example under /etc/apt/keyrings/ (the commands below use /usr/share/keyrings/), and reference it in your sources file. This is the modern, secure approach.
Option A: Download and save a GPG key:
# Quote the URL so the shell does not treat & as a background operator
curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xKEYID" | sudo gpg --dearmor -o /usr/share/keyrings/example-keyring.gpg
Option B: Convert existing key from deprecated location:
sudo apt-key export KEYID | sudo gpg --dearmor -o /usr/share/keyrings/example-keyring.gpg
Then update your sources.list or create a new file in /etc/apt/sources.list.d/:
# Old way (deprecated)
deb https://example.com/repo stable main
# New way (modern)
deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://example.com/repo stable main
Here's a complete example for a Dockerfile using the modern approach:
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y curl gnupg
# Download the GPG key directly without using apt-key
RUN curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xYOURKEYID" | gpg --dearmor -o /usr/share/keyrings/example-keyring.gpg
# Create sources list with the signed-by parameter
RUN echo "deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://example.com/repo stable main" > /etc/apt/sources.list.d/example.list
# Now apt-get update won't show deprecation warnings
RUN apt-get update
RUN apt-get install -y desired-package
After migrating to the new method, optionally remove old keys from the global keyring:
# List all keys in the deprecated location
sudo apt-key list
# Remove a specific key (use the last 8 digits of the fingerprint)
sudo apt-key del KEYID
# Or use the full fingerprint
sudo apt-key del "DBEA 6B52 81D0 C816 F630 E889 D980 A174 57F6 FB86"
This cleanup step is optional but recommended for security and system hygiene.
Security Context: The deprecation of apt-key addresses a real security vulnerability. When a key is added to the global trusted keyring, it can be used to verify packages from any repository configured on the system. This means a compromised third-party repository could potentially replace system packages. The new method ties keys to specific repositories via the signed-by parameter, preventing unauthorized key usage.
Distro Differences: Ubuntu 22.04+ and Debian 11+ strongly encourage the new method. Older systems may still rely on apt-key, but migration is recommended before end-of-life.
Docker Best Practices: In Docker images, prefer downloading keys directly with curl/wget and gpg --dearmor rather than using apt-key, even if you suppress the warning. This follows current container best practices and reduces image size.
CI/CD Note: If running in GitHub Actions, GitLab CI, or similar platforms, the non-terminal environment will always trigger this warning with apt-key. Using the GPG-based approach eliminates the warning entirely.
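To check that a migration like the one above is complete, the following added example (not part of the original page) lists source entries that still lack a signed-by option and reports whether /etc/apt/trusted.gpg is non-empty. The function name audit_signed_by is hypothetical, and the check of deb822-style .sources files (Signed-By field) goes beyond the one-line format shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): report APT sources that do not
# pin a key with signed-by and so still rely on the global trusted keyring.
# Usage: audit_signed_by [APT_DIR]    (APT_DIR defaults to /etc/apt)

audit_signed_by() {
    apt_dir="${1:-/etc/apt}"

    # One-line format: "deb [signed-by=...] URI suite component".
    for f in "$apt_dir"/sources.list "$apt_dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # Active entries only; commented-out lines never match.
            /^[ \t]*deb(-src)?[ \t]/ {
                # The option block must directly follow the type keyword.
                if ($0 !~ /^[ \t]*deb(-src)?[ \t]+\[[^]]*signed-by=/)
                    printf "%s:%d: no signed-by: %s\n", file, FNR, $0
            }' "$f"
    done

    # deb822 format (*.sources): one stanza per paragraph, "Signed-By:" field.
    for f in "$apt_dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v file="$f" 'BEGIN { RS = "" }
            {
                s = "\n" tolower($0)
                if (s ~ /\ntypes:/ && s !~ /\nsigned-by:/)
                    printf "%s: stanza %d: no Signed-By field\n", file, NR
            }' "$f"
    done

    # The global keyring named on this page; non-empty means keys may remain.
    if [ -s "$apt_dir/trusted.gpg" ]; then
        printf '%s: global keyring is non-empty\n' "$apt_dir/trusted.gpg"
    fi
    return 0
}
```

Source the file and run audit_signed_by with no arguments to audit /etc/apt; an empty result means every active entry names its own keyring.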