How to fix “Key is stored in legacy trusted.gpg keyring”
https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring
Firstly it is not an error. It is just a warning message. A warning does not stop the procedure. You can continue upgrading your system even if you see this warning message during an update.
If you don’t like seeing the warning message, you can take some manual steps to get rid of it.
The proper way to fix this warning is to import the key.
First, list all the GPG keys added to your system.
apt-key list
This will show a huge list of keys stored in your system. What you have to do here is to look for the keys associated with the warning message.
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2016-10-05 [SC]
72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
uid [ unknown] Yarn Packaging <[email protected]>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub rsa4096 2019-01-11 [S] [expires: 2026-01-23]
pub rsa4096 2014-06-13 [SC]
9FD3 B784 BC1C 6FC3 1A8A 0A1C 1655 A0AB 6857 6280
uid [ unknown] NodeSource <[email protected]>
sub rsa4096 2014-06-13 [E]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc
------------------------------------------------------------
pub rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
B8B8 0B5B 623E AB6A D877 5C45 B7C5 D7D6 3509 47F8
uid [ unknown] Debian Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub rsa4096 2023-01-21 [S] [expires: 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg
------------------------------------------------------------
pub rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
B8B8 0B5B 623E AB6A D877 5C45 B7C5 D7D6 3509 47F8
uid [ unknown] Debian Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub rsa4096 2023-01-21 [S] [expires: 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.asc
---------------------------------------------------------------------
pub rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
05AB 9034 0C0C 5E79 7F44 A8C8 254C F3B5 AEC0 A8F0
uid [ unknown] Debian Security Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub rsa4096 2023-01-21 [S] [expires: 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.gpg
---------------------------------------------------------------------
pub rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
05AB 9034 0C0C 5E79 7F44 A8C8 254C F3B5 AEC0 A8F0
uid [ unknown] Debian Security Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub rsa4096 2023-01-21 [S] [expires: 2031-01-19]
/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc
---------------------------------------------------------
pub ed25519 2023-01-23 [SC] [expires: 2031-01-21]
4D64 FEC1 19C2 0290 67D6 E791 F8D2 585B 8783 D481
uid [ unknown] Debian Stable Release Key (12/bookworm) <[email protected]>
/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.gpg
---------------------------------------------------------
pub ed25519 2023-01-23 [SC] [expires: 2031-01-21]
4D64 FEC1 19C2 0290 67D6 E791 F8D2 585B 8783 D481
uid [ unknown] Debian Stable Release Key (12/bookworm) <[email protected]>
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.asc
------------------------------------------------------------
pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
1F89 983E 0081 FDE0 18F3 CC96 73A4 F27B 8DD4 7936
uid [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub rsa4096 2021-01-17 [S] [expires: 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.asc
---------------------------------------------------------------------
pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
AC53 0D52 0F2F 3269 F5E9 8313 A484 4904 4AAD 5C5D
uid [ unknown] Debian Security Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub rsa4096 2021-01-17 [S] [expires: 2029-01-15]
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.asc
---------------------------------------------------------
pub rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
A428 5295 FC7B 1A81 6000 62A9 605C 66F0 0D6C 9793
uid [ unknown] Debian Stable Release Key (11/bullseye) <[email protected]>
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.asc
----------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <[email protected]>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.asc
-------------------------------------------------------------------
pub rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>
sub rsa4096 2019-04-14 [S] [expires: 2027-04-12]
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.asc
-------------------------------------------------------
pub rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
uid [ unknown] Debian Stable Release Key (10/buster) <[email protected]>
How do you do that? Read the message carefully.
https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring
In my case, the repository has keywords like yarnpkg. It is shown at the top of the apt-key list output. You may have to scroll a bit in your case.
You should put the last eight characters (excluding the space) under the line after the pub.
So from the line “72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310”, I’ll take the last eight characters “86E5 0310”, remove the space and then use it to import the GPG key in its dedicated file under the /etc/apt/trusted.gpg.d directory:
apt-key export 86E50310 | gpg --dearmour -o /etc/apt/trusted.gpg.d/yarn.gpg
I created a new file yarn.gpg here, in case you didn’t notice it. I named it yarn.gpg because it is associated with the Yarn application I installed earlier. The filename does not matter, but it’s suitable for identification.
If the command runs successfully, you won’t see any message. You can verify that by checking if the newly created gpg file exists or not.
Run the update again, and now you should not see the warning message anymore.