Debian

How to fix “Key is stored in legacy trusted.gpg keyring”

https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring

Firstly it is not an error. It is just a warning message. A warning does not stop the procedure. You can continue upgrading your system even if you see this warning message during an update.

If you don’t like seeing the warning message, you can take some manual steps to get rid of it.

The proper way to fix this warning is to import the key.

First, list all the GPG keys added to your system.

apt-key list

This will show a huge list of keys stored in your system. What you have to do here is to look for the keys associated with the warning message.

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-10-05 [SC]
      72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
uid           [ unknown] Yarn Packaging <[email protected]>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2019-01-02 [S] [expires: 2026-01-23]
sub   rsa4096 2019-01-11 [S] [expires: 2026-01-23]

pub   rsa4096 2014-06-13 [SC]
      9FD3 B784 BC1C 6FC3 1A8A  0A1C 1655 A0AB 6857 6280
uid           [ unknown] NodeSource <[email protected]>
sub   rsa4096 2014-06-13 [E]

/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc
------------------------------------------------------------
pub   rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
      B8B8 0B5B 623E AB6A D877  5C45 B7C5 D7D6 3509 47F8
uid           [ unknown] Debian Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub   rsa4096 2023-01-21 [S] [expires: 2031-01-19]

/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg
------------------------------------------------------------
pub   rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
      B8B8 0B5B 623E AB6A D877  5C45 B7C5 D7D6 3509 47F8
uid           [ unknown] Debian Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub   rsa4096 2023-01-21 [S] [expires: 2031-01-19]

/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.asc
---------------------------------------------------------------------
pub   rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
      05AB 9034 0C0C 5E79 7F44  A8C8 254C F3B5 AEC0 A8F0
uid           [ unknown] Debian Security Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub   rsa4096 2023-01-21 [S] [expires: 2031-01-19]

/etc/apt/trusted.gpg.d/debian-archive-bookworm-security-automatic.gpg
---------------------------------------------------------------------
pub   rsa4096 2023-01-21 [SC] [expires: 2031-01-19]
      05AB 9034 0C0C 5E79 7F44  A8C8 254C F3B5 AEC0 A8F0
uid           [ unknown] Debian Security Archive Automatic Signing Key (12/bookworm) <[email protected]>
sub   rsa4096 2023-01-21 [S] [expires: 2031-01-19]

/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc
---------------------------------------------------------
pub   ed25519 2023-01-23 [SC] [expires: 2031-01-21]
      4D64 FEC1 19C2 0290 67D6  E791 F8D2 585B 8783 D481
uid           [ unknown] Debian Stable Release Key (12/bookworm) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.gpg
---------------------------------------------------------
pub   ed25519 2023-01-23 [SC] [expires: 2031-01-21]
      4D64 FEC1 19C2 0290 67D6  E791 F8D2 585B 8783 D481
uid           [ unknown] Debian Stable Release Key (12/bookworm) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.asc
------------------------------------------------------------
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      1F89 983E 0081 FDE0 18F3  CC96 73A4 F27B 8DD4 7936
uid           [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]

/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.asc
---------------------------------------------------------------------
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      AC53 0D52 0F2F 3269 F5E9  8313 A484 4904 4AAD 5C5D
uid           [ unknown] Debian Security Archive Automatic Signing Key (11/bullseye) <[email protected]>
sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]

/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.asc
---------------------------------------------------------
pub   rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
      A428 5295 FC7B 1A81 6000  62A9 605C 66F0 0D6C 9793
uid           [ unknown] Debian Stable Release Key (11/bullseye) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.asc
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <[email protected]>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.asc
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <[email protected]>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.asc
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <[email protected]>

How do you do that? Read the message carefully.

https://dl.yarnpkg.com/debian/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring

In my case, the repository has keywords like yarnpkg. It is shown at the top of the apt-key list output. You may have to scroll a bit in your case.

You should put the last eight characters (excluding the space) under the line after the pub.

So from the line “72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310”, I’ll take the last eight characters “86E5 0310”, remove the space and then use it to import the GPG key in its dedicated file under the /etc/apt/trusted.gpg.d directory:

apt-key export 86E50310 | gpg --dearmour -o /etc/apt/trusted.gpg.d/yarn.gpg

I created a new file yarn.gpg here, in case you didn’t notice it. I named it yarn.gpg because it is associated with the Yarn application I installed earlier. The filename does not matter, but it’s suitable for identification.

If the command runs successfully, you won’t see any message. You can verify that by checking if the newly created gpg file exists or not.

Run the update again, and now you should not see the warning message anymore.