Fix Key Stored in Legacy Trusted Gpg Keyring

calendar Mar 31, 2025 · 2 min read · apt gpg keyring legacy

Overview

In an effort to balance power efficiency with my tendency to hoard old hardware, I decided to move my overpowered Pi-hole setup from a Mac Mini to a Raspberry Pi 2. (Yes, the Pi 2! A true relic from the past, but still kicking.)

Everything was going smoothly — static IP, hostname set, network configured — until I ran the inevitable:

1apt update
bash
1Hit:1 http://raspbian.raspberrypi.com/raspbian bookworm InRelease
2Hit:2 http://archive.raspberrypi.com/debian bookworm InRelease
3Reading package lists... Done
4Building dependency tree... Done
5Reading state information... Done
690 packages can be upgraded. Run 'apt list --upgradable' to see them.
7W: http://raspbian.raspberrypi.com/raspbian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
bash

Weird, it's a brand new install, but anyway, let's fix it.

1apt-key list | grep -A4 "trusted.gpg$"
bash

You'll get something like this:

1Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
2/etc/apt/trusted.gpg
3--------------------
4pub   rsa2048 2012-04-01 [SC]
5      A0DA 38D0 D76E 8B5D 6388  7281 9165 938D 90FD DD2E
6uid           [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>
bash

That long hex string at the bottom? That's our culprit. Grab the last 8 characters (e.g., 90FDDD2E).

1apt-key export 90FDDD2E | sudo gpg --dearmor -o /tmp/raspberrypi-os.gpg
bash

If you're getting a warning about apt-key being deprecated — yes, we know. Thanks for the reminder, apt.

Step 3: Verify the Exported Key

1file /tmp/raspberrypi-os.gpg
bash

You should see something like:

1/tmp/raspberrypi-os.gpg: PGP/GPG key public ring (v4) created Sun Jun 17 15:49:51 2012 RSA (Encrypt or Sign) 2048 bits MPI=0xabc2a41a70625f9f...
bash

If this checks out, we’re good to move on.

1apt-key del 90FDDD2E
bash
1mv /tmp/raspberrypi-os.gpg /etc/apt/trusted.gpg.d/
bash

Time to see if all this work actually made a difference.

1apt update
bash

No errors? No legacy key warnings? Success!

Now, for the real prize:

1apt upgrade -y
bash

Watch those packages roll in, knowing you’ve successfully outwitted a deprecated key storage issue on a nearly decade-old Raspberry Pi.

This was one of those “why is this happening on a clean install?” moments that make homelabbing so much fun (and sometimes maddening). But at least now, my Pi-hole setup is running on a true low-power device, and I got a free lesson in Debian’s ever-evolving key management system.

Hope this helps someone else avoid the same head-scratching moment!

Posts in this series