Skip to main content

Install PostgreSQL (PGDG) in Linux with Key is stored in legacy trusted.gpg keyring

·372 words·2 mins
Linux PostgreSQL gpg
oon arfiandwi
Author
oon arfiandwi
keep it simple, s!
Install PostgreSQL (PGDG) in Linux with Key is stored in legacy trusted.gpg keyring

After receiving multiple warnings regarding:

Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

I found myself growing bored while installing PostgreSQL, my favorite DBMS. It seems that the documentation maintainer at PostgreSQL should consider revamping the installation page for PostgreSQL on Linux. I’ve tried both Debian1 in Debian 12/Bookworm and Ubuntu2 in Ubuntu 22.04 LTS/Jammy, and encountered the same warning regarding the deprecation of apt-key.

Here’s the main issue:

$ wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Alright, let’s start with a list of keys:

$ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2011-10-13 [SC]
      B97B 0AFC AA1A 47F0 44F2  44A0 7FCC 7D46 ACCC 4CF8
uid           [ unknown] PostgreSQL Debian Repository
...

As we can see from the key URL https://www.postgresql.org/media/keys/ACCC4CF8.asc, the key value ACCC4CF8 is equal to the last 8 characters of the pub code in the output of apt-key list. The warning from apt-key indicates that keyring files should be in trusted.gpg.d, so let’s search for it.

$ locate trusted.gpg.d
/etc/apt/trusted.gpg.d
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
...

Essentially, we need to convert ACCC4CF8.asc to a gpg file in the directory /etc/apt/trusted.gpg.d. Let’s try a similar command as before, combined with gpg --dearmour which will convert asc to gpg file.

$ wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/postgresql-debian-repo.gpg

Alternatively, we can export the key 3 which is already saved in /etc/apt/trusted.gpg to /etc/apt/trusted.gpg.d/postgresql-debian-repository.gpg. We choose a different name because we want to compare those keys.

$ apt-key export ACCC4CF8 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/postgresql-debian-repository.gpg

I don’t know why, but the export mechanism gave us duplicate keys. 😆

$ gpg --show-keys /etc/apt/trusted.gpg.d/postgresql-debian-repo.gpg 
pub   rsa4096 2011-10-13 [SC]
      B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
uid                      PostgreSQL Debian Repository

$ gpg --show-keys /etc/apt/trusted.gpg.d/postgresql-debian-repository.gpg 
pub   rsa4096 2011-10-13 [SC]
      B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
uid                      PostgreSQL Debian Repository

pub   rsa4096 2011-10-13 [SC]
      B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
uid                      PostgreSQL Debian Repository

After solving the problem so that the apt process no longer shows the warning, delete the key:

$ sudo apt-key del ACCC4CF8
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Yeah, a bit complicated, but finally it’s done. No more warning, and everything’s cleaned up. 😂