Use trusted.gpg.d instead of apt-key

[he7d3r]

Problem description

One of the steps at https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository is to add Docker’s official GPG key like this:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

However, the last part generates the following warning (at least on Ubuntu 20.10):

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Maybe it is time to use trusted.gpg.d as suggested by the warning?

[FelipeGangrel]

Same here

[noahsbwilliams]

I'm experiencing the same issue, with the additional problem that when I try to manually add the gpg file to /etc/apt/trusted.gpg.d/docker.gpg and then run sudo apt update I get this error:

The key(s) in the keyring /etc/apt/trusted.gpg.d/docker.gpg are ignored as the file has an unsupported filetype.

...with of course loads of other errors from not having a valid key.

[devs-saifur-rahman]

This worked for me

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/docker-apt-key.gpg add

Also, if you are using groovy , you should try focal instead.

[mcaci]

Hi @devs-saifur-rahman, thanks for this tip. I was stuck in the same point and it helped me to progress with the install. This may be a good update to be done in the docs. EDIT: I will try to make some time to check if I can do it and submit it.

[denis-roy]

apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04

Although adding keys directly to /etc/apt/trusted.gpg.d/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to /usr/share/keyrings and referenced with the signed-by option in the source.list.d entry.

ADD A KEY

# Adding an ASCII Armored key (.asc key)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
gpg --dearmor | \
sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > \
/dev/null

# Or if you prefer a one-liner
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

# Breakdown of each part
#
# curl             downloads the key 
# gpg --dearmor    creates a binary .gpg because /usr/share/keyrings cannot take .asc keys
# sudo tee         because we get permission denied if we try redirect the output of a sudo command
# /dev/null        we don't need to see the dearmored keyring on the console

ADD REPOSITORY AS A SOURCE IN /etc/apt/sources.list.d/

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ 
sudo tee /etc/apt/sources.list.d/docker-ce.list > \
/dev/null


# Of if you prefer a one-liner
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

With the above in place, you're ready for the transition away from apt-key to whatever will come next, with the added bonus of Debian's security best practices. :)

[vieee]

@denis-roy, are these commands same for Debian distribution as well..? [just by replacing ubuntu => debian]
Facing the same issue, while trying to install docker

sorry if it sounds too stupid, I'm new to Docker.

apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04

Although adding keys directly to /etc/apt/trusted.gpg.d/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to /usr/share/keyrings and referenced with the signed-by option in the source.list.d entry.

ADD A KEY

# Adding an ASCII Armored key (.asc key)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
gpg --dearmor | \
sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > \
/dev/null

# Or if you prefer a one-liner
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

# Breakdown of each part
#
# curl             downloads the key 
# gpg --dearmor    creates a binary .gpg because /usr/share/keyrings cannot take .asc keys
# sudo tee         because we get permission denied if we try redirect the output of a sudo command
# /dev/null        we don't need to see the dearmored keyring on the console

ADD REPOSITORY AS A SOURCE IN /etc/apt/sources.list.d/

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ 
sudo tee /etc/apt/sources.list.d/docker-ce.list > \
/dev/null


# Of if you prefer a one-liner
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

With the above in place, you're ready for the transition away from apt-key to whatever will come next, with the added bonus of Debian's security best practices. :)

[denis-roy]

@vieee, the procedure is the same for Debian 9 (Stretch) / Ubuntu 16.04 (Xenial) onward. For more information, refer to PR #11990

Here are the commands you need to execute to install Docker on Debian

⚠️ Make sure you copy paste the commands, we are all prone to typos! :)

INSTALLING DEPENDENCIES

sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent

ADDING THE KEY

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor \
| sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

ADDING THE REPOSITORY

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

UPDATING APT & INSTALLING DOCKER

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

[AkashicSeer]

What group of fools decided to deprecate something without first having a replacement or even a suggested replacement, or EVEN DOCUMENTING THIS HORSESHIT????

[denis-roy]

@AkashicSeer, please remain civil.

Deprecated means you can still use the tool but its usage is discouraged. The way Debian has decided to deal with third-party keys and repositories is well documented in their Wiki.

The apt-key tool will only disappear in an OS version due to be released somewhere in 2022. When this time comes, nobody is forcing you to upgrade to this version of the OS if you want to carry on using apt-key for as long as you wish.

Simply put: Nobody is forcing you to change and if you want to change, there is plenty of time to comply.

Hint: You might want to change. The proposed way is much more secure: It assign a specific key to a specific repository as opposed to now where any package is checked against any key in your keyring.

The group of fools you are referring to is a large body of able open source developers who work mostly without pay to provide the world with a free operating system that anybody, and that includes you, is at complete liberty to use... Or not.

If you feel you can contribute ideas or code towards a better way to manage third-keys and repository, as we say in the open source world: Pull Requests are welcome.

[Pem7x]

To install Docker for Kali 2020.1 debian amd64 run the following:
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

then:

echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt-get update

sudo apt-get install docker-ce

It worked for me by Hard coding.

[denis-roy]

@Pema-Sereka, hardcoding amd64 and buster might work for you but will fail for those who try to install Docker on a x86 or armel/armhf distribution of Kali

Evaluating $(dpkg --print-architecture) and $(lsb_release -cs) in the following command ensures a wider coverage :)

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

[Pem7x]

@denis-roy,
Yeah, sure. I had tried all but failed but when I hard coded for Kali debian 2020.1 amd64 it worked. I just was offering a solution to the reported error which was similar to what I had.

[FranklinYu]

@denis-roy Apparently the dependency of GnuPG (gnupg-agent) is unnecessary. You can do this:

curl -fsSL https://download.docker.com/linux/debian/gpg \
| sudo tee /usr/share/keyrings/docker-ce-archive-keyring.asc > /dev/null

Note the file extension .asc for ASCII-format (“armored” in GnuPG term) key file. Of course the source.list should be updated correspondingly. This is tested on Debian Buster; didn’t test on Ubuntu though.

[slycordinator]

If you're killing the output to stdout that tee generates, then you shouldn't be using tee at all. Also, for user installed packages (not distribution controlled packages), you shouldn't be using /usr/share/.... You should either be using /etc/... or /usr/local/....

Something like:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor > /etc/apt/trusted.gpg.d/docker-ce-archive-keyring.gpg

should do the trick. Fewer fork/execs, fewer redirections, less entropy consumed in the system overall, removed a call for a program that you're "neutering" etc. One should always strive to consume fewer computing resources and this "ancient art" should never be disregarded, despite computers being "fast enough".

That's unlikely to work, because sudo has no effect on redirections. The redirection happens in the current shell before sudo is invoked. It will only "work" if the current user already has the right permissions to write to the file. If you need sudo for it, you have to use tee.

$ echo 'whatever' >> root_only/file
-ash: can't create root_only/file: Permission denied
$ sudo echo 'whatever' >> root_only/file
-ash: can't create root_only/file: Permission denied

[jinliming2]

I think the correct way is:

$ sudo touch /etc/apt/trusted.gpg.d/docker.gpg
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/docker.gpg --import -

[denis-roy]

As stated earlier, the proposal comes from the Debian Wiki, not from me :)

@FranklinYu - They go with binary signatures (.gpg) instead of ASCII Armored ones (.asc) to avoid some error vectors and to maintain interoperability with SecureAPT which requires .gpg sigs

@jinliming2 - There are plenty of acceptable ways to deal with this, I just chose to propose the most standard, Debian-compliant way I could find

For further discussions, visit PR #11990

[Jon-Biz]

@denis-roy

Cutting and pasting your instructions above fail with the same error on Ubuntu 20.10 and a brand new install of Ubuntu 20.04 LTS. Here is my output from 20.04:

jon@Ubuntu-Fossa:~/Desktop$ sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20210119~20.04.1).
curl is already the newest version (7.68.0-1ubuntu2.4).
apt-transport-https is already the newest version (2.0.4).
gnupg-agent is already the newest version (2.2.19-3ubuntu2.1).
0 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
jon@Ubuntu-Fossa:~/Desktop$ curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null
jon@Ubuntu-Fossa:~/Desktop$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable"| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null
jon@Ubuntu-Fossa:~/Desktop$ sudo apt-get update
Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease                      
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease              
Ign:4 https://download.docker.com/linux/debian focal InRelease                 
Hit:5 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease            
Get:6 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]      
Hit:7 https://download.sublimetext.com apt/stable/ InRelease                  
Err:8 https://download.docker.com/linux/debian focal Release                  
  404  Not Found [IP: 99.84.233.150 443]
Reading package lists... Done                            
E: The repository 'https://download.docker.com/linux/debian focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
jon@Ubuntu-Fossa:~/Desktop$ sudo apt-get install docker-ce docker-ce-cli containerd.io
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package docker-ce is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'docker-ce' has no installation candidate
E: Unable to locate package docker-ce-cli
E: Unable to locate package containerd.io
E: Couldn't find any package by glob 'containerd.io'
E: Couldn't find any package by regex 'containerd.io'

[denis-roy]

@Jon-Biz From the look of it, you are trying to follow Debian's installation procedure on Ubuntu.

E: The repository 'https://download.docker.com/linux/debian focal Release' does not have a Release file.

There is no release of Debian named focal. Debian release names (buster, sid, etc) and Ubuntu release names (groovy, focal, etc) don't mix :)

Following the installation procedure for Ubuntu will undoublty yield the desired results:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-ce-archive-keyring.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

or you could very well just edit the source directly:

nano /etc/apt/sources.list.d/docker-ce.list

to replace debian by ubuntu, save, close and then run apt update again

[Jon-Biz]

Thank you for your reply. I have resolved my problems.

Fwiw, attempting to add the docker-ce-archive-keyring.gpg to my keyrings directory failed with a 'Permission denied' error. I was able to resolve this by sudo ing gpg:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-ce-archive-keyring.gpg

[FranklinYu]

They go with binary signatures (.gpg) instead of ASCII Armored ones (.asc) to avoid some error vectors and to maintain interoperability with SecureAPT which requires .gpg sigs

@denis-roy Would you mind sharing more about this? The only place I found about the requirement is a very brief note at DebianRepository/UseThirdParty; I can’t find the relevant description at the SecureApt page.

By the way, I tried the armored file on my virtual machine (Debian Buster), and APT didn’t complain. Is SecureApt opt-in?

[denis-roy]

@FranklinYu, unfortunately I estimate my understanding to be limited to a little more than what is mentioned in that DebianRepository/UseThirdParty Wiki and wouldn't want to mislead you. You might want to open a discussion or take part in an already open one on that specific Debian Wiki though :)

[cm038]

@vieee, the procedure is the same for Debian 9 (Stretch) / Ubuntu 16.04 (Xenial) onward. For more information, refer to PR #11990

Here are the commands you need to execute to install Docker on Debian

Make sure you copy paste the commands, we are all prone to typos! :)

INSTALLING DEPENDENCIES

sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent

ADDING THE KEY

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor \
| sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

ADDING THE REPOSITORY

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

UPDATING APT & INSTALLING DOCKER

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

──(root💀localhost)-[~]
└─# sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.

[denis-roy]

──(rootskulllocalhost)-[~]
└─# sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.

 @cm038, kali-rolling is not a valid debian release name ;)

Kali's rolling release is most likely based on Debian Testing which release names are buster or bullseye

[cm038]

──(rootskulllocalhost)-[~]
└─# sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.
E: Conflicting values set for option Signed-By regarding source https://download.docker.com/linux/debian/ kali-rolling: /usr/share/keyrings/docker-ce-archive-keyring.gpg !=
E: The list of sources could not be read.

 @cm038, kali-rolling is not a valid debian release name ;)

Kali's rolling release is most likely based on Debian Testing which release names are buster or bullseye

---

Thanks for your comment. There is an error somewhere but unfortunately I cannot get it resolved. I am using termux on android 11 and when entering apt-get update i get the following errors;

─(root💀localhost)-[~]
└─# apt-get update Hit:1 https://download.docker.com/linux/ubuntu xenial InRelease
Ign:2 https://download.docker.com/linux/ubuntu kali-rolling InRelease
Ign:3 https://download.docker.com/linux/debian kali-rolling InRelease
Hit:4 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:5 https://download.docker.com/linux/ubuntu artful InRelease
Hit:6 https://download.docker.com/linux/debian buster InRelease
Err:7 https://download.docker.com/linux/ubuntu kali-rolling Release
404 Not Found [IP: 65.9.84.50 443]
Err:9 https://download.docker.com/linux/debian kali-rolling Release
404 Not Found [IP: 65.9.84.50 443]
Hit:8 https://ftp2.nluug.nl/os/Linux/distr/kali kali-rolling InRelease
Reading package lists... Done
E: The repository 'https://download.docker.com/linux/ubuntu kali-rolling Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://download.docker.com/linux/debian kali-rolling Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Target Packages (stable/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/docker-ce.list:1
W: Target Translations (stable/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/docker-ce.list:1
W: Target Translations (stable/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:4 and /etc/apt/sources.list.d/docker-ce.list:1

[denis-roy]

@cm038, the first troubleshooting step would be to validate if Docker on Termux/Android is a supported setup? 🤔

[Drmorac]

This work for me, thnxs amigo:

To install Docker for Kali 2020.1 debian amd64 run the following:

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg
--dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg
> /dev/null"

To install Docker for Kali 2020.1 debian amd64 run the following:
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

then:

echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt-get update

sudo apt-get install docker-ce

It worked for me by Hard coding.

[xmaster2121]

Hello Friends, i have Ubuntu 21.04, i want download katoolin3
When running

sudo ./install.sh;
there is a warning raised that the apt-key command is depreciated.
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.LfGGzVtUjS/gpg.1.sh -qq --keyserver pool.sks-keyservers.net --recv-keys ED444FF07D8D0BF6
can anyone help me please

[slycordinator]

Hello Friends, i have Ubuntu 21.04, i want download katoolin3
When running

sudo ./install.sh;
there is a warning raised that the apt-key command is depreciated.
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.LfGGzVtUjS/gpg.1.sh -qq --keyserver pool.sks-keyservers.net --recv-keys ED444FF07D8D0BF6
can anyone help me please

That sounds like an issue to raise on the github page for katoolin3, especially since pool.sks-keyservers.net has essentially been disabled/useless for a few months now.

[thaJeztah]

That sounds like an issue to raise on the github page for katoolin3, especially since pool.sks-keyservers.net has essentially been disabled/useless for a few months now.

Yes, this doesn't look related to Docker in any way.

For katoolin3, it looks like there's a PR opened here; LionSec/katoolin#299, but I don't see activity on the repository for the last couple of years, so maybe the projects is no longer maintained (I found a fork that was slightly more up-to-date, but that's been archived as well https://github.com/s-h-3-l-l/katoolin3).

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked