[Ubuntu] Key is stored in legacy trusted.gpg keyring (apt warning)

[gander]

On Ubuntu, I am getting such an error from APT

W: http://ppa.launchpad.net/bit-team/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

[aryoda]

Thanks for your report. Could please describe the steps to reproduce this problem on a fresh Ubuntu 22.04 so that I can look into this on a Virtual Machine (VM)?

Beyond that I am not quite sure if this is a Back In Time problem at all, for a possible solution see eg.:

https://askubuntu.com/questions/1403556/key-is-stored-in-legacy-trusted-gpg-keyring-after-ubuntu-22-04-update

Edit: Did you do a fresh installation of U22.04 or a migration from a previous version with an existing keyring?

[freiheitsnetz]

I agree with @aryoda : This sounds exactly like the changes which where done in apt and is not a problem of Back In Time.
There are many threads on askubuntu on this issue and you can follow the guidelines given in https://askubuntu.com/questions/1398344/apt-key-deprecation-warning-when-updating-system to fix it.

[gander]

I was sure it was something with this repository, because I installed this program on a fresh installation of Linux Mint 21 (based on Ubuntu 22.04), and only in this repository I have this deprecation

[gander]

I corrected these settings in file bit-team-stable-jammy.list as it was in the article.

Before:

deb http://ppa.launchpad.net/bit-team/stable/ubuntu jammy main

After:

deb [arch=amd64 signed-by=/usr/share/keyrings/launchpad.gpg] http://ppa.launchpad.net/bit-team/stable/ubuntu jammy main

---

However, this does not fix the problem as this file was created during the installation of the application.

[aryoda]

Could you please share your sudo apt-key list output here? These keys must be migrated to a new keyring too (just changing the key reference in the *.list file does not change much...

And: Which installation steps (instructions) did you follow to install BiT? It look like you have installed from launchpad.net (https://launchpad.net/~bit-team/+archive/ubuntu/stable)...

[gander]

I have already fixed this problem by following these instructions. I am no longer seeing these warnings.

As already mentioned, I use Linux Mint, and here I have a Software Manager (mintinstall) with the package backintime-qt available.

Package: backintime-qt                   
Version: 1.3.2~jammy
State: installed
Automatically installed: no
Priority: extra
Section: utils
Maintainer: BIT Team <bit-team@lists.launchpad.net>
Architecture: all
Uncompressed Size: 418 k
Depends: x11-utils, libnotify-bin, python3-pyqt5, python3-dbus.mainloop.pyqt5, policykit-1, backintime-common (>= 1.3.2~jammy~), python3:any (>= 3.3~)
Recommends: python3-secretstorage
Suggests: meld | kompare
Conflicts: backintime-gnome (< 1.3.2~jammy~), backintime-kde (< 1.3.2~jammy~), backintime-kde4 (< 1.3.2~jammy~), backintime-notify (< 1.3.2~jammy~),
           backintime-qt4 (< 1.3.2~jammy~)
Replaces: backintime-gnome (< 1.3.2~jammy~), backintime-kde (< 1.3.2~jammy~), backintime-kde4 (< 1.3.2~jammy~), backintime-notify (< 1.3.2~jammy~),
          backintime-qt4 (< 1.3.2~jammy~)
Description: Simple backup system
 This is a Qt5 GUI frontend for backintime-common.

Package: backintime-common               
Version: 1.3.2~jammy
State: installed
Automatically installed: yes
Priority: extra
Section: utils
Maintainer: BIT Team <bit-team@lists.launchpad.net>
Architecture: all
Uncompressed Size: 1366 k
Depends: rsync, cron-daemon, openssh-client, python3-keyring, python3-dbus, python3:any (>= 3.3~)
Recommends: sshfs, encfs
Conflicts: backintime
Replaces: backintime
Description: Simple backup system (common)
 This package contains non GUI files used by different GUI fontends.

[emtiu]

Okay, so If I understand correctly, we can close this issue, because it wasn't backintime's fault. Do we need to write a README/FAQ entry about this?

[gander]

I do not know. If this is a problem with Launchpad, you should report it there. I don't know how to configure applications on Launchpad, so it may also be an outdated configuration in your project.

[aryoda]

I think we should not (yet) write a FAQ so far since

• the exact reason is still not reproducible without the exact installation steps (the existence of the bit-team-stable-jammy.list indicates that a 3rd-party repo (launchpad?) was added before using the Mint Software Manager for the installation but this first step is neither confirmed nor dismissed by the OP so far)
• a solution would require to set up a VM with Mint 21 and document the steps to solve this
• there is only one user reporting this so far.
• the OP has linked a general description how to solve this (THX @gander)

[gander]

Do you know geocaching? It reminds me a bit of the situation in this game. People have a problem with the cache, but instead of reporting that it is missing or damaged, they do nothing. The owner doesn't know there's a problem because no one is reporting it. And here is a similar situation. There was one who reported, but you find it is an isolated incident.

[aryoda]

I understand your concerns and we are spending much of our private spare time to do the best so please bare with us if we arbitrate issues to prioritize our limited resources.

[gander]

Ok I understand. I forgot this is a private project. I will not get mad anymore. I encourage you to mention this in the README.

[gander]

I will try to do such a test on the VM, and let you know, but it's in a separate thread.

[aryoda]

OK, thank you very much!

It is important to write down the exact steps to make this problem reproducible so that we can find the reason in our code (or find out that it is a downstream problem eg. in packaging BiT).

[aryoda]

@gander I get a clearer picture now about the steps to reproduce the warning (read this for details). It is not a BiT software bug itself but a documentation issue IMHO (and this affects ALL non-official ppa packages for Debian I guess).

Details

Our README describes how to install the latest stable release from the Ubuntu PPA (= from launchpad.net):

https://github.com/bit-team/backintime/blob/master/README.md#ubuntu-ppa

sudo add-apt-repository ppa:bit-team/stable

This command throws the warning on some newer distros like Mint 21:

$ sudo add-apt-repository ppa:bit-team/stable
You are about to add the following PPA:
 This repository contains stable releases for Back In Time.
 More info: https://launchpad.net/~bit-team/+archive/ubuntu/stable
Press Enter to continue or Ctrl+C to cancel

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Executing: /tmp/apt-key-gpghome.caIArshL3p/gpg.1.sh --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys 589EEDCD16567B0E6D23C3144B6071B7D6FDC9D0
gpg: key 4B6071B7D6FDC9D0: public key "Launchpad Stable repository" imported
gpg: Total number processed: 1
gpg:               imported: 1

Since add-apt-repository uses the deprecated apt-key internally the warning is thrown.

Next steps

I suggest to

1. [DONE] amend the installation instructions on our README to mention the warning and that it may be ignored for now (no need to fix).
2. [OPEN] find and check the official installation instructions how to install the gpg key at the new location
   (esp. check that it always work in every distro, even old ones - this is quite much work with low prio ATM).

The recommended new installation steps (instead of apt-key) are unclear to me until I find an official recommendation for that (help welcome).

@emtiu I will send a PR for 1. (amend README). We could open a new separate issue for 2. or leave this issue open...

[aryoda]

Internal note about official documentations how to install keys:

• https://wiki.debian.org/DebianRepository/UseThirdParty
  Issue: In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. It SHOULD be created with permissions 0755 if it is needed and does not already exist.

[aryoda]

Note: After installation with apt-key (as documented in our README) also each apt-update shows the warning at the end:

W: http://ppa.launchpad.net/bit-team/stable/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

The referenced DEPRECATION section in man akt-key 8 says:

DEPRECATION
Except for using apt-key del in maintainer scripts, the use of apt-key is deprecated. This section shows how to replace
existing use of apt-key.

   If your existing use of apt-key add looks like this:

   wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -

   Then you can directly replace this with (though note the recommendation below):

   wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc

   Make sure to use the "asc" extension for ASCII armored keys and the "gpg" extension for the binary OpenPGP format (also
   known as "GPG key public ring"). The binary OpenPGP format works for all apt versions, while the ASCII armored format
   works for apt version >= 1.4.

   Recommended: Instead of placing keys into the /etc/apt/trusted.gpg.d directory, you can place them anywhere on your
   filesystem by using the Signed-By option in your sources.list and pointing to the filename of the key. See
   sources.list(5) for details. Since APT 2.4, /etc/apt/keyrings is provided as the recommended location for keys not
   managed by packages. When using a deb822-style sources.list, and with apt version >= 2.4, the Signed-By option can also
   be used to include the full ASCII armored keyring directly in the sources.list without an additional file.

[dkebler]

This is not a backintime issue. For whatever reasons canonical has deprecated apt-add and apt-key in jammy with no replacements. I gave up and wrote my own script to easily add a ppa from launchpad getting the key and putting it in the "new" right place. Its shared at this gist. I just wrote it so no guarantees. It's written for bash and is not posix. It uses gpg so that has be installed. It doesn't access the launchpad api directly to get the key id it actually parses the error when the key is missing during apt update to get the key id (totally a kludge but I couldn't find any easy docs on using the api).

It could be modified to install any repo/key not just a ppa.

https://gist.github.com/dkebler/877ee12b00088898e3f3c30b42cb9ed7

[gander]

Has anything changed since the last comment?

[buhtz]

Would it make sense to open a bug report on Ubuntu itself because it seems highly ubuntu related?

[aryoda]

Opening (or bumping an existing) issue at Ubuntu should help to gain attention here.

I really would like to dig deeper but currently my TODO list more than full.

Since this issue most likely does not require a change in our source code it would be great if someone would volunteer to help us finding (and documenting) a solution!

[barzine]

There is probably a better way to do it, but this is how I have added the key and installed backintime from launchpad on my ubuntu 22.04 (and you may want to use a user keyring than a system one).
I basically followed and adapted the steps detailed at https://itsfoss.com/apt-key-deprecated/.

Before following the steps below, prepare all the needed and required backup!!

1)Get the link from https://launchpad.net/~bit-team/+archive/ubuntu/stable under Technical details about this PPA > get the link to the Signing Key

and download to the trusted keyring

curl -sS "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x589eedcd16567b0e6d23c3144b6071b7d6fdc9d0" |  \ 
gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/bit_team_pub.gpg

2)Check that the fingerprint is the same with: gpg --show-keys /etc/apt/trusted.gpg.d/bit_team_pub.gpg

3)Add the repo to your sources.list

echo  "deb [signed-by=/etc/apt/trusted.gpg.d/bit_team_pub.gpg] https://ppa.launchpadcontent.net/bit-team/stable/ubuntu jammy main" | sudo tee /etc/apt/sources.list.d/bitteam.list

4)Finally, install / update backintime:

sudo apt update
sudo apt install backintime-qt

[buhtz]

Voting to close because not relevant to upstream. Does someone have something to add?

[gander]

The @barzine solution makes the same effect as:

sudo add-apt-repository ppa:bit-team/stable

And I don't have this error anymore.

I think it can be closed.