This warning appears when apt finds GPG keys in the deprecated /etc/apt/trusted.gpg file instead of the modern /etc/apt/trusted.gpg.d/ directory. While not blocking updates, it indicates outdated key management that should be migrated to comply with current security practices.
The "Key is stored in legacy trusted.gpg keyring" warning indicates that one or more GPG keys used to verify package authenticity are stored in the deprecated /etc/apt/trusted.gpg file. This file was the standard location for apt key storage before APT 2.4 introduced the /etc/apt/trusted.gpg.d/ directory and /etc/apt/keyrings/ location.
This is a deprecation warning, not an error. Your system updates will continue working normally. However, the warning signals that your repository key configuration is outdated. Starting from Debian 11 and Ubuntu 22.04 LTS, apt-key itself is deprecated and will eventually be removed. The warning becomes more critical on newer systems as they encourage moving to per-repository key management instead of storing all keys in a single global keyring.
The difference is important for security: the old trusted.gpg approach trusts keys globally for any repository, while the modern approach allows specifying which key should be trusted for which specific repository.
First, see which keys are stored in the legacy location:
sudo apt-key list
This shows all GPG keys, including those in /etc/apt/trusted.gpg. Each key entry shows its fingerprint. The last 8 characters of the fingerprint are the key ID you'll need later.
You can also check the file directly:
ls -la /etc/apt/trusted.gpg
file /etc/apt/trusted.gpg
For a temporary solution that removes the warning immediately, simply copy the legacy keyring file to the new directory:
sudo cp /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/
This works because apt will check both locations. The warning disappears because apt finds keys in the new preferred location.
Note: This is not the most elegant solution (it copies all keys rather than organizing them, and every key remains trusted for every repository), but it works for development environments and quick fixes.
For each key that triggered the warning, export it to the new individual key location:
# Get the full fingerprint of the key you want to migrate
sudo apt-key fingerprint
# Export the key (replace KEY_ID with the last 8 chars of fingerprint)
sudo apt-key export KEY_ID | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/repository-name.gpg
Example - if you have a Docker repository key:
# Export Docker's GPG key to the new location
sudo apt-key export 0EBFCD88 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg
# Then remove it from the old location
sudo apt-key --keyring /etc/apt/trusted.gpg del 0EBFCD88
The proper approach involves:
1. Exporting each key individually to /etc/apt/trusted.gpg.d/ with a descriptive name
2. Updating the repository source files to reference the new key location
3. Removing the key from the legacy trusted.gpg file
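The three steps above as one script, added here as an example rather than code from the original article: it lists the keys in the legacy keyring with gpg itself instead of the deprecated apt-key, exports each one into its own file with a name derived from the key's user ID, and checks that each exported file contains exactly the key it was meant to before reporting it. The destination /etc/apt/keyrings/ (chosen because keys there are only trusted where a Signed-By names them; use /etc/apt/trusted.gpg.d/ for the article's layout), the naming scheme and the `run` argument are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): move every key out of the
# legacy /etc/apt/trusted.gpg into its own file, using gpg directly so the
# script keeps working after apt-key is removed.
set -eu

LEGACY_KEYRING=${LEGACY_KEYRING:-/etc/apt/trusted.gpg}
DEST_DIR=${DEST_DIR:-/etc/apt/keyrings}   # assumption: keys here are trusted only via Signed-By

# parse_colons: read `gpg --with-colons` output on stdin and print one
# "PRIMARY-FINGERPRINT<TAB>first user ID" line per public key. Subkey
# fingerprints (the fpr record after a sub record) are ignored.
parse_colons() {
    awk -F: '
        $1 == "pub"               { want_fpr = 1; want_uid = 1; next }
        $1 == "fpr" && want_fpr   { fpr = $10; want_fpr = 0; next }
        $1 == "uid" && want_uid   { printf "%s\t%s\n", fpr, $10; want_uid = 0 }
    '
}

# keyring_name: turn a user ID into a safe file name, e.g.
# "Docker Release (CE deb) <docker@docker.com>" -> docker-release-ce-deb-archive-keyring.gpg
keyring_name() {
    printf '%s' "$1" | sed -e 's/<[^>]*>//g' | tr '[:upper:]' '[:lower:]' \
      | sed -e 's/[^a-z0-9][^a-z0-9]*/-/g' -e 's/^-//' -e 's/-$//' -e 's/$/-archive-keyring.gpg/'
}

# migrate_key FINGERPRINT NAME: export one key from the legacy keyring into
# $DEST_DIR/NAME and verify the file holds that key and nothing else.
migrate_key() {
    fpr=$1; out="$DEST_DIR/$2"
    if [ -e "$out" ]; then
        echo "skip $out: already exists" >&2; return 0
    fi
    gpg --batch --no-default-keyring --keyring "$LEGACY_KEYRING" --export "$fpr" > "$out"
    chmod 0644 "$out"
    got=$(gpg --batch --show-keys --with-colons "$out" | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$got" != "$fpr" ]; then
        echo "fingerprint mismatch for $out, removing it" >&2; rm -f "$out"; return 1
    fi
    echo "exported $fpr -> $out"
    echo "  now add [signed-by=$out] to that repository's entry in /etc/apt/sources.list.d/"
}

migrate_all() {
    install -d -m 0755 "$DEST_DIR"
    gpg --batch --no-default-keyring --keyring "$LEGACY_KEYRING" --list-keys --with-colons \
      | parse_colons \
      | while IFS="$(printf '\t')" read -r fpr uid; do
            migrate_key "$fpr" "$(keyring_name "$uid")"
        done
}

case "${1:-}" in
    run) migrate_all ;;
    *)   echo "usage: sudo $0 run   (exports keys from $LEGACY_KEYRING into $DEST_DIR)" >&2 ;;
esac
```

Run it as `sudo sh migrate-legacy-keys.sh run`; without the argument it only prints usage, so sourcing it to reuse the functions has no side effects. The legacy keyring is left in place on purpose: remove keys from it (or the file itself) only after each repository's sources entry points at the new file and `apt update` succeeds.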
After exporting a key, update the corresponding repository file to reference it explicitly. Repository files are typically in /etc/apt/sources.list.d/.
For DEB822 format (newer style):
# Edit the repository configuration file
sudo nano /etc/apt/sources.list.d/docker.sources
# Add or update the Signed-By field in the stanza for the Docker repository
# (https://download.docker.com/linux/ubuntu, suite jammy, component stable):
Signed-By: /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg
For traditional one-line format:
sudo nano /etc/apt/sources.list.d/docker.list
# Change from:
# deb https://download.docker.com/linux/ubuntu jammy stable
# To:
deb [signed-by=/etc/apt/trusted.gpg.d/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu jammy stable
After updating, run:
sudo apt update
The warning should no longer appear for that repository.
After migrating keys, confirm the warning is gone:
sudo apt update
You should see no warnings about the legacy keyring. Check that the new keys are in the correct location:
ls -la /etc/apt/trusted.gpg.d/
sudo gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg --list-keys
If the legacy trusted.gpg file is now empty (or no longer needed), you can safely remove it:
# First, back it up just in case
sudo cp /etc/apt/trusted.gpg /etc/apt/trusted.gpg.backup
# Then remove it if all keys have been migrated
sudo rm /etc/apt/trusted.gpg
If you're using Docker or other tools that set up repositories automatically, they may be using the legacy apt-key method. Update your setup scripts:
Old way (deprecated):
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable" | sudo tee /etc/apt/sources.list.d/docker.list
New way (modern):
# Download the key to the keyrings directory
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg
# Add repository with signed-by reference
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu jammy stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
Update your Dockerfiles and CI/CD scripts to use the modern approach. This ensures new systems won't generate warnings.
APT 2.4 and the new keyrings directory: Starting with APT 2.4, the recommended location for GPG keys is /etc/apt/keyrings/ (not /etc/apt/trusted.gpg.d/). The keyrings directory is for keys managed outside of packages, while trusted.gpg.d/ is for package-managed keys. The distinction also decides the trust scope: every key in trusted.gpg.d/ is trusted for all repositories regardless of any Signed-By option, whereas a key kept in /etc/apt/keyrings/ is only used for the repositories whose Signed-By names it. In practice, trusted.gpg.d/ still works fine and is widely used.
apt-key deprecation timeline:
- Debian 11 and Ubuntu 22.04: apt-key is still available but deprecated
- Debian 12 and Ubuntu 24.04: apt-key may be removed
- Plan to migrate before these versions reach your systems
Automating the migration in Dockerfiles: For containerized environments, use the modern method from the start:
FROM ubuntu:22.04
# Install key to new location and add repository in one step
# (ca-certificates is needed so curl can verify the HTTPS download)
RUN apt-get update && apt-get install -y ca-certificates curl gnupg && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmour -o /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg && \
    echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu jammy stable" > /etc/apt/sources.list.d/docker.list && \
    apt-get update && apt-get install -y docker-ce
Multiple key management in CI/CD: If managing many repository keys, create a consistent naming scheme:
- docker-archive-keyring.gpg
- kubernetes-archive-keyring.gpg
- postgresql-archive-keyring.gpg
This makes it easy to identify which key belongs to which repository.
DEB822 format: Modern apt supports DEB822 format for repository files (.sources extension). This format is cleaner and more explicit:
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: jammy
Components: stable
Signed-By: /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg
Prefer DEB822 format when setting up new repositories on modern systems.
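Both the one-line rewrite described earlier (adding signed-by= to entries in /etc/apt/sources.list.d/*.list) and the DEB822 stanza shown above can be produced mechanically. The following is an added example, not code from the article or from apt: add_signed_by inserts a signed-by= option into a one-line entry while leaving comments, blank lines and entries that already carry one untouched, rewrite_sources_file applies it to a whole file with a backup, and to_deb822 emits the equivalent DEB822 stanza. The key path, the file names and the command-line interface are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): pin one-line apt entries to a
# key file and convert them to DEB822 stanzas.
set -eu

# add_signed_by LINE KEYFILE: print LINE with "signed-by=KEYFILE" added to its
# [options] block. Safe to run repeatedly: an entry that already names a key,
# a comment or a blank line is printed unchanged.
add_signed_by() {
    line=$1; key=$2
    case "$line" in
        ''|'#'*)              printf '%s\n' "$line" ;;                 # blank or comment
        *signed-by=*)         printf '%s\n' "$line" ;;                 # already pinned
        'deb ['*|'deb-src ['*)                                         # has an option block
            printf '%s\n' "$line" | sed "s|]| signed-by=$key]|" ;;     # extend it
        'deb '*|'deb-src '*)                                           # no option block yet
            type=${line%% *}; rest=${line#* }
            printf '%s [signed-by=%s] %s\n' "$type" "$key" "$rest" ;;
        *)                    printf '%s\n' "$line" ;;                 # unknown: leave alone
    esac
}

# rewrite_sources_file FILE KEYFILE: rewrite FILE in place, keeping FILE.bak.
rewrite_sources_file() {
    f=$1; key=$2
    cp -p "$f" "$f.bak"
    while IFS= read -r l || [ -n "$l" ]; do
        add_signed_by "$l" "$key"
    done < "$f.bak" > "$f"
}

# to_deb822 LINE KEYFILE: convert "deb [opts] URI SUITE COMPONENT..." into a
# DEB822 stanza. Only arch= is carried over (as Architectures:); a signed-by=
# already present in LINE wins over KEYFILE. Other options are dropped.
to_deb822() {
    line=$1; key=$2
    type=${line%% *}; rest=${line#* }
    arch=
    case "$rest" in
        '['*)
            opts=${rest#\[}; opts=${opts%%]*}
            rest=${rest#*]}; rest=${rest# }
            for o in $opts; do
                case "$o" in
                    arch=*)      arch=$(printf '%s' "${o#arch=}" | tr ',' ' ') ;;
                    signed-by=*) key=${o#signed-by=} ;;
                esac
            done ;;
    esac
    set -- $rest                      # URI SUITE COMPONENT...
    uri=$1; suite=$2; shift 2
    printf 'Types: %s\nURIs: %s\nSuites: %s\nComponents: %s\n' "$type" "$uri" "$suite" "$*"
    if [ -n "$arch" ]; then printf 'Architectures: %s\n' "$arch"; fi
    printf 'Signed-By: %s\n' "$key"
}

case "${1:-}" in
    rewrite) rewrite_sources_file "$2" "$3" ;;
    deb822)  to_deb822 "$2" "$3" ;;
    *)       echo "usage: $0 rewrite FILE KEYFILE | deb822 'deb ...' KEYFILE" >&2 ;;
esac
```

For example, `sudo sh pin-sources.sh rewrite /etc/apt/sources.list.d/docker.list /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg` pins every entry in that file, and `sh pin-sources.sh deb822 'deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable' /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg` prints the stanza to paste into a .sources file. Run `apt update` afterwards; a wrong key path shows up immediately as a signature error for that repository.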
Verifying key integrity: After importing a key, verify its fingerprint matches the official source:
# Show fingerprint of imported key
sudo gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/docker-archive-keyring.gpg --fingerprint
# Compare with the official Docker key fingerprint: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
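The fingerprint comparison above can be made a precondition rather than an afterthought. This added example (not the article's or Docker's own code) downloads the armored key to a temporary file, reads its primary fingerprint with gpg --show-keys without importing anything, and only dearmors it into place and writes a signed-by source entry when that fingerprint equals the expected value quoted above; a file with no key, a different key or an extra key is rejected. The /etc/apt/keyrings/ location, the file names and the `docker` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): install a repository key only
# after its fingerprint matches a value you obtained out of band.
set -eu

# fingerprints_of FILE: print the primary-key fingerprint(s) found in an
# armored or binary key file, one per line, without importing the file.
fingerprints_of() {
    gpg --batch --show-keys --with-colons "$1" 2>/dev/null \
      | awk -F: '$1 == "pub" { p = 1; next } $1 == "fpr" && p { print $10; p = 0 }'
}

# normalize_fpr: drop spaces and upper-case, so a fingerprint copied from a web
# page ("9DC8 5822 ...") compares equal to gpg's compact output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches EXPECTED ACTUAL...: succeed only when exactly one
# fingerprint was found and it is the expected one.
fingerprint_matches() {
    expected=$(normalize_fpr "$1"); shift
    [ $# -eq 1 ] || return 1
    [ "$(normalize_fpr "$1")" = "$expected" ]
}

# install_pinned_key NAME URL EXPECTED_FPR "URI SUITE COMPONENT": download,
# verify, then install to /etc/apt/keyrings/NAME.gpg and write NAME.list.
install_pinned_key() {
    name=$1; url=$2; expected=$3; entry=$4
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$url" -o "$tmp"
    set -- $(fingerprints_of "$tmp")          # fingerprints become positional params
    if ! fingerprint_matches "$expected" "$@"; then
        echo "refusing $url: found fingerprint(s) '$*', expected $expected" >&2
        return 1
    fi
    install -d -m 0755 /etc/apt/keyrings
    gpg --batch --dearmor -o "/etc/apt/keyrings/$name.gpg" < "$tmp"
    chmod 0644 "/etc/apt/keyrings/$name.gpg"
    printf 'deb [signed-by=/etc/apt/keyrings/%s.gpg] %s\n' "$name" "$entry" \
      > "/etc/apt/sources.list.d/$name.list"
    echo "installed /etc/apt/keyrings/$name.gpg ($expected) and $name.list"
}

case "${1:-}" in
    docker) install_pinned_key docker https://download.docker.com/linux/ubuntu/gpg \
              9DC858229FC7DD38854AE2D88D81803C0EBFCD88 \
              "https://download.docker.com/linux/ubuntu jammy stable" ;;
    *)      echo "usage: sudo $0 docker" >&2 ;;
esac
```

Because the key lands in /etc/apt/keyrings/ rather than /etc/apt/trusted.gpg.d/, it is only consulted for the entry whose signed-by names it; the same script pattern works for any repository once you have its fingerprint from the vendor's documentation rather than from the download itself.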