This warning appears when APT keys are stored in the deprecated /etc/apt/trusted.gpg file instead of the new /etc/apt/keyrings directory. While it doesn't block updates, apt-key is deprecated and will be removed in future Ubuntu/Debian versions.
This warning indicates that one or more PPA or repository GPG keys are stored in the legacy /etc/apt/trusted.gpg keyring file instead of the modern /etc/apt/keyrings directory. The apt-key tool, which managed these keys, has been deprecated since APT 2.4 in favor of individual key files. The security concern is that keys in the legacy trusted.gpg are trusted globally across all repositories on your system, allowing any third-party repository to replace any package.
First, identify which keys are stored in the legacy location:
sudo apt-key listThis will show all keys with their fingerprints and which repositories they are associated with.
From the output of apt-key list, locate the key associated with the PPA mentioned in your warning message. You need the last 8 characters of the key ID (without spaces). For example, if the fingerprint is "DB08 5A08 CA13 B8AC B917 E0F6 D938 EC0D 0386 51BD", the key ID is "038651BD".
Export the key from the legacy keyring and save it to the proper modern location:
sudo apt-key export <KEY_ID> | sudo gpg --dearmor -o /etc/apt/keyrings/<descriptive_name>.gpgReplace <KEY_ID> with the 8-character key ID and <descriptive_name> with something descriptive like "ppa-ubuntu-mozilla-security" or "ppa-deadsnakes".
Edit the corresponding sources list file, typically found in /etc/apt/sources.list.d/:
sudo nano /etc/apt/sources.list.d/<repository-file>.listFind the line starting with "deb" and add the signed-by directive. Change from:
deb http://ppa.launchpad.net/user/ppa/ubuntu focal mainTo:
deb [signed-by=/etc/apt/keyrings/<descriptive_name>.gpg] http://ppa.launchpad.net/user/ppa/ubuntu focal mainIf the file uses the newer DEB822 format (deb822), add a new line instead: Signed-By: /etc/apt/keyrings/<descriptive_name>.gpg
After updating the repository configuration, remove the old key from the deprecated trusted.gpg:
sudo apt-key del <KEY_ID>Where <KEY_ID> is the same 8-character key ID used earlier.
Run apt update to confirm the warning is resolved:
sudo apt updateThe warning for the migrated key should no longer appear. Repeat steps 2-5 for any remaining keys generating warnings.
For new PPAs or repositories, use the modern method directly: curl -sS https://example.com/key.gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/example.gpg then add the signed-by directive to sources. The legacy trusted.gpg file trusted keys globally across all repositories for security, a risk that individual key files with signed-by eliminate. apt-key will be unavailable after Debian 11 and Ubuntu 22.04 LTS, making this migration essential for long-term system maintenance. The /etc/apt/keyrings directory is the preferred modern location, while /etc/apt/trusted.gpg.d is still supported but less secure than signed-by usage.
E: Cannot set to hold: package 'package-name' is not installed
How to fix "Cannot set to hold" error when package is not installed in APT
debconf: unable to initialize frontend: Dialog
How to fix "debconf: unable to initialize frontend: Dialog" in APT
E: Could not connect to proxy server
Could not connect to proxy server
dpkg: serious warning: files list file for package 'package-name' contains empty filename
How to fix "files list file contains empty filename" in APT
E: Package 'package:i386' has no installation candidate
How to fix "Package package:i386 has no installation candidate" in apt