
Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), contrary to apt-key deprecation notice #22041

Open
1 task done
ukpagrace opened this issue Feb 16, 2025 · 4 comments
Labels: area/engine (Issue affects Docker engine/daemon), area/install (Relates to installing a product), status/triage (Needs triage)

Comments

@ukpagrace

Is this a docs issue?

  • My issue is about the documentation content or website

Type of issue

Information is incorrect

Description

The Docker installation instructions for Ubuntu currently store the GPG key in the deprecated /etc/apt/keyrings/ directory, which results in the following warning when running apt-get update:

Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

Proposed Fix:
The installation guide should be updated to use /usr/share/keyrings/ instead of /etc/apt/keyrings/, following best practices for managing repository keys.

Current Documentation (Deprecated Method)

sudo apt-get update
sudo apt-get install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Location

https://docs.docker.com/engine/install/ubuntu/

Suggestion

Recommended Fix (Using /usr/share/keyrings/)

sudo apt-get update
sudo apt-get install -y ca-certificates curl gpg
sudo install -m 0755 -d /usr/share/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

This change aligns with APT's new key management best practices and prevents the warning message from appearing.

Expected Outcome:

  • No warning about trusted.gpg when running apt-get update.
  • Keyring storage follows the recommended /usr/share/keyrings/ location for security and maintainability.

Would appreciate your feedback on updating the documentation accordingly. 🚀

@ukpagrace ukpagrace added the status/triage Needs triage label Feb 16, 2025
@thaJeztah
Member

Hm; this looks related to;

Quoting that PR's description, which was done after conferring with Debian maintainers (the contributor is a Debian maintainer as well);

See https://tracker.debian.org/news/1305679/accepted-apt-240-source-into-unstable/:

* Install an empty /etc/apt/keyrings directory.
  This directory is intended to provide an alternative to
  /usr/share/keyrings for placing keys used with signed-by.

See also https://wiki.debian.org/DebianRepository/UseThirdParty?action=diff&rev2=47&rev1=46 (which was edited following a discussion with the APT maintainers about the expected usage):

If future updates to the key will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead.

cc @tianon

@thaJeztah thaJeztah added area/engine Issue affects Docker engine/daemon area/install Relates to installing a product labels Feb 16, 2025
@tianon
Contributor

tianon commented Feb 18, 2025

Yeah, if you're seeing this warning, something's wrong on your system. Do you have a simple reproducer?

Here's what I get when I try to reproduce using the instructions from https://docs.docker.com/engine/install/ubuntu/ (lots of "setup" output removed for brevity):

$ docker run -it --rm --pull=always ubuntu:24.04
24.04: Pulling from library/ubuntu
Digest: sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782
Status: Image is up to date for ubuntu:24.04
root@e5192b2921cd:/# apt-get update
...
root@e5192b2921cd:/# apt-get install ca-certificates curl
...
root@e5192b2921cd:/# install -m 0755 -d /etc/apt/keyrings
root@e5192b2921cd:/# curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
root@e5192b2921cd:/# chmod a+r /etc/apt/keyrings/docker.asc
root@e5192b2921cd:/# echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  tee /etc/apt/sources.list.d/docker.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu   noble stable
root@e5192b2921cd:/# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Get:5 https://download.docker.com/linux/ubuntu noble InRelease [48.8 kB]
Get:6 https://download.docker.com/linux/ubuntu noble/stable amd64 Packages [21.5 kB]
Fetched 70.3 kB in 0s (173 kB/s)    
Reading package lists... Done
root@e5192b2921cd:/# 

(as you can see, no warnings or errors)

@ukpagrace
Author

ukpagrace commented Feb 21, 2025

@tianon sorry for the late reply, I am running it on Ubuntu 24.04.1 LTS

Kernel: Linux 6.8.0-52-generic
Architecture: x86-64

@tianon
Contributor

tianon commented Feb 24, 2025

That's useful data, but doesn't give us what we need to actually reproduce:

Yeah, if you're seeing this warning, something's wrong on your system. Do you have a simple reproducer?

My guess is you've got some leftover configuration from something else (maybe a previous install that didn't use /etc/apt/keyrings?) and that's what's tripping this warning.

(In my example reproducer above, it's also Ubuntu 24.04, and you can see there's no warnings from apt-get update.)
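As an added diagnostic (not code from the Docker docs, from the issue author, or from tianon), the script below implements the check behind the "leftover configuration" guess above: it lists APT sources that carry no signed-by= pin, in both one-line .list and deb822 .sources form, since those are the entries apt verifies against the global keyrings, including the legacy /etc/apt/trusted.gpg that emits the quoted warning. The sample sources directory it builds is constructed for the stand-alone run, and example.invalid is a placeholder host.

```shell
#!/bin/sh
# Added diagnostic, not code from the Docker docs or from this issue: list APT
# sources whose key is not pinned with signed-by=. Those entries are verified
# against the global keyrings, including the legacy /etc/apt/trusted.gpg that
# produces the warning quoted above, so they are the first place to look.
set -eu

# One-line *.list files under $1: deb/deb-src lines without a signed-by= option.
unpinned_list_entries() {
  for f in "$1"/*.list; do
    [ -f "$f" ] || continue
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" | grep -v 'signed-by=' |
      sed "s|^|$(basename "$f"): |"
  done
}

# deb822 *.sources files under $1: blank-line separated stanzas with no Signed-By: field.
unpinned_deb822_entries() {
  for f in "$1"/*.sources; do
    [ -f "$f" ] || continue
    awk -v name="$(basename "$f")" '
      function flush() { if (seen && !signed) print name ": " uris; seen = 0; signed = 0; uris = "" }
      /^[[:space:]]*$/ { flush(); next }
      /^URIs:/         { uris = $0 }
      /^Signed-By:/    { signed = 1 }
      { seen = 1 }
      END { flush() }' "$f"
  done
}

# True when the legacy keyring at $1 exists and is non-empty (apt warns only
# when a key from that file is actually used to verify a repository).
legacy_keyring_present() {
  [ -s "$1" ]
}

# Constructed sample sources for a stand-alone run; example.invalid is a placeholder.
make_sample_sources() {
  printf '%s\n' 'deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable' > "$1/docker.list"
  printf '%s\n' '# leftover from an older setup' 'deb https://example.invalid/old noble main' > "$1/old.list"
  printf '%s\n' 'Types: deb' 'URIs: https://example.invalid/other' 'Suites: noble' 'Components: main' > "$1/other.sources"
}

tmp=$(mktemp -d)
make_sample_sources "$tmp"
echo "Sources verified via the global keyrings (no signed-by=):"
unpinned_list_entries "$tmp"
unpinned_deb822_entries "$tmp"
rm -rf "$tmp"
```

On a real host, point the two list functions at /etc/apt/sources.list.d and legacy_keyring_present at /etc/apt/trusted.gpg; any entry reported is a candidate for the stale key that the Docker instructions themselves do not create.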
