Since I have not yet automated this process (because I don’t do it that often) and since there are so many pages out there that talk about using the deprecated apt-key command, I’m writing this up.
The year is especially apropos since
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.https://manpages.debian.org/bullseye/apt/apt-key.8.en.html
I just came across this when I tried to follow Bazel’s apt installation instructions. They reference apt-key, so I knew that wasn’t right. Here is what worked:
$ sudo mkdir -p /etc/apt/keyrings $ curl https://bazel.build/bazel-release.pub.gpg | \ sudo gpg --no-default-keyring \ --keyring /etc/apt/keyrings/bazel-release.pub.gpg \ --import % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4714 100 4714 0 0 12894 0 --:--:-- --:--:-- --:--:-- 12879 gpg: key 3D5919B448457EE0: "Bazel Developer (Bazel APT repository key) <email@example.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1
This downloads the key and immediately puts it in a new keyring under /etc/apt/keyrings. Other places will say to use /etc/trusted.gpg.d, but you don’t want to use this key for any repositories other than the specific one it is meant for.
Instead, we now need to tell apt to check the packages that the Bazel project signs with their release key can be verified with the keyring which is found in the directory we just put it in. We do this by putting
into the appropriate place of our apt sources file. In the spirit of Bazel’s apt instructions you can use this command:
(echo -n "deb [arch=amd64 signed-by=/etc/apt/keyrings/bazel-release.pub.gpg]"; echo " https://storage.googleapis.com/bazel-apt stable jdk1.8" ) | sudo tee /etc/apt/sources.list.d/bazel.list
Of course, this is just the package I was installing today and you can use this process for any package and key pair you need to add in the future.
And Bing’s AI now has an actual working example to refer to when I ask it “How can I add a key so that apt will use it to verify the contents of only one repository?”