Apt rejects keyrings in `/etc/apt/trusted.gpg.d` on Ubuntu 18.04

Question

I am facing a problem on Ubuntu 18.04 (Bionic Beaver) with apt and the way it deals with trusted keys to authenticate repositories.

On Ubuntu 14.04 we used to install the key that was used sign the repository of our software releases as keyring to /etc/apt/trusted.gpg.d. By this apt knows that the key is trusted.

However, this seems to not work anymore on Ubuntu 18.04. If I do the same there, I get an error during updating:

# apt-get update
Hit:1 http://company.com/ubuntu-snapshot bionic InRelease                     
Reading package lists... Done                                                     
W: http://company.com/ubuntu-snapshot/dists/bionic/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/company-keys.gpg are ignored as the file is not readable by user '_apt' executing apt-key.

The obvious attempt to fix it by

# sudo chown -v _apt /etc/apt/trusted.gpg.d/company-keys.gpg
changed ownership of '/etc/apt/trusted.gpg.d/company-keys.gpg' from root to _apt

does not work, as apt-get update then yields:

# apt-get update
Hit:1 http://company.com/ubuntu-snapshot bionic     InRelease                    
Reading package lists... Done                                                     
W: http://company.com/ubuntu-snapshot/dists/bionic/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/company-keys.gpg are ignored as the file has an unsupported filetype.

The key itself is valid, if I add it with the following line everything works as expected:

 wget -O - http://company.com/key.gpg | sudo apt-key add -

The latter is unfortunately not an option for us since we want to deploy our own keys and also have the ability to change/revoke them.

I could neither figure out why apt rejects the keyring in /etc/apt/trusted.gpg.d, nor could I find a changelog describing different expectations of apt for the new Ubuntu version. Would be very glad if you point to some resource to overcome this issue.

Answer 1

It sounds like your key file (/etc/apt/trusted.gpg.d/company-keys.gpg) is an unsupported format. The apt-key man page explains what's supported:

apt-key supports only the binary OpenPGP format (also known as "GPG key public ring") in files with the "gpg" extension, not the keybox database format introduced in newer gpg(1) versions as default for keyring files. Binary keyring files intended to be used with any apt version should therefore always be created with gpg --export.

Alternatively, if all systems which should be using the created keyring have at least apt version >= 1.4 installed, you can use the ASCII armored format with the "asc" extension instead which can be created with gpg --armor --export.

To check the file format, run file /etc/apt/trusted.gpg.d/company-keys.gpg If it says "GPG key public ring" then I would expect it to work and I can't explain the problem you're seeing.

If it says "GPG keybox database" then the problem is the file format. You can convert it with this command (thanks to @Wildcard for including this in his answer):

gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/company-keys.gpg --export > /etc/apt/trusted.gpg.d/company-keys.fixed.gpg

If you see this problem repeatedly then you may wish to check how you're installing your key to /etc/apt/trusted.gpg.d/. I had a problem where attempting to list the contents of the keyring by running gpg --keyring /etc/apt/trusted.gpg.d/mine.gpg was causing the file to be created as an unsupported keybox file. Subsequently adding the key to that keyring didn't allow the key to be used.

Also worth noting that there's apparently no reason to use apt-key add. From the man page:

Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.

So if you're using apt-key add you could consider copying the file directly instead.

Answer 2

You can use gpg's --dearmor option to convert ASCII-armored keys, the ones rejected by apt in trusted.gpg.d to the binary format, which is what apt expects.

gpg --dearmor keyfile

Answer 3

tl; dr: Mark's answer is right. You can convert the keybox to a keyring by using:

gpg --no-default-keyring --keyring ./the-keybox-file.gpg --export > /etc/apt/trusted.gpg.d/this-keyring-will-actually-work.gpg

---

(More detailed description of what I ran into and how I resolved it:)

I encountered the same scenario in trying to follow a modified version of the instructions for fluentd installation so that I wouldn't have to run apt-key on any server. I worked out how to solve it; here are my notes:

Instructions I was reading: https://docs.fluentd.org/installation/install-by-deb

The script they ask you to run includes the command:

curl https://packages.treasuredata.com/GPG-KEY-td-agent | apt-key add -

But I wanted to convert the key to a keyring so I could just place it in a directory rather than running a command on each server.

I used some notes I wrote a while back for something similar:

• https://unix.stackexchange.com/q/467639/135943

That's when I ran into the problem you illustrated here.

Here is the full solution I used:

# head -n 2 /etc/os-release
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
# ls
GPG-KEY-td-agent
# file GPG-KEY-td-agent
GPG-KEY-td-agent: PGP public key block Public-Key (old)
# gpg --no-default-keyring --keyring ./tempfile.gpg --import ./GPG-KEY-td-agent
gpg: keybox './tempfile.gpg' created
gpg: key 901F9177AB97ACBE: public key "Treasure Data, Inc (Treasure Agent Official Signing key) <support@treasure-data.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg --no-default-keyring --keyring ./tempfile.gpg --export > td-agent-keyring.gpg
# file *
GPG-KEY-td-agent:     PGP public key block Public-Key (old)
td-agent-keyring.gpg: GPG key public ring, created Tue Dec 27 08:18:20 2016
tempfile.gpg:         GPG keybox database version 1, created-at Sat Jul 20 02:36:45 2019, last-maintained Sat Jul 20 02:36:45 2019
tempfile.gpg~:        GPG keybox database version 1, created-at Sat Jul 20 02:36:45 2019, last-maintained Sat Jul 20 02:36:45 2019
# mv td-agent-keyring.gpg /etc/apt/trusted.gpg.d/
#