Back to Commands

apt-key

package managementlinux
The apt-key command is one of the most frequently used commands in Linux/Unix-like operating systems. apt-key The apt-key command is used to manage the keys used by apt to authenticate packages. These keys are used to ensure that the packages downloaded by apt are from trusted sources.
See ExamplesView Syntax

Quick Reference

Command Name:

apt-key

Category:

package management

Platform:

linux

Basic Usage:

apt-key [options] [arguments]

Common Use Cases

  • 1

    Repository authentication

    Add authentication keys for third-party software repositories

  • 2

    Key management

    Manage the keys used to verify the authenticity of packages

  • 3

    Security maintenance

    Remove expired or compromised keys from the trusted keyring

  • 4

    Key verification

    List and inspect keys to verify their authenticity and origin

Syntax

apt-key [options] command [arguments]

Options

Option Description
--keyring filename Use the specified keyring file instead of the default
--secret-keyring filename Use the specified secret keyring file
--homedir directory Set the GPG home directory
--readonly Never modify the keyring
--fakeroot Use fakeroot for keyring updates
-v, --version Show the program version
-h, --help Show help summary
-a, --ascii-armor Export keys in ASCII-armored format
--always-trust Skip key validation

Examples

How to Use These Examples

The examples below show common ways to use the apt-key command. Try them in your terminal to see the results. You can copy any example by clicking on the code block.

Basic Examples:

List all trusted keys
sudo apt-key list
Add a key from a file
sudo apt-key add keyfile.gpg
Delete a key
sudo apt-key del "3F1EA0C7"
Export a key
sudo apt-key export 3F1EA0C7 > exported_key.gpg
Update the keys from keyserver
sudo apt-key update

Advanced Examples:

Add a key from a keyserver by ID
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3F1EA0C7
Fetch keys from a URL
wget -qO - https://example.com/key.gpg | sudo apt-key add -
Export a key in binary format
sudo apt-key export -a 3F1EA0C7 > exported_key.asc
Add keys with specific keyserver options
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3F1EA0C7
Verify a package with a key
sudo apt-key verify package.deb
Add a key with fingerprint verification
wget -qO - https://example.com/key.gpg | gpg --quiet --no-tty --import - && sudo apt-key add ~/.gnupg/pubring.gpg
Remove all expired keys
sudo apt-key list | grep expired | awk '{print $2}' | xargs -r sudo apt-key del

Try It Yourself

Practice makes perfect! The best way to learn is by trying these examples on your own system with real files.

Understanding Syntax

Pay attention to the syntax coloring: commands, options, and file paths are highlighted differently.

Notes

Command Functions:

The apt-key command provides several subcommands for managing GPG keys:

  • list: List all keys in the keyring
  • add: Add a key file to the keyring
  • del: Remove a key from the keyring
  • export: Export a key from the keyring
  • update: Update keys using the keyring package
  • net-update: Update keys using the network
  • adv: Pass advanced options to gpg
  • finger: Show fingerprints of keys

Key Locations:

APT uses several keyring files to store trusted keys:

  • /etc/apt/trusted.gpg: Main keyring file
  • /etc/apt/trusted.gpg.d/: Directory containing additional keyring files
  • ~/.gnupg/: User's GPG directory (when operating in user mode)

Working with Repositories:

Keys are essential for adding trusted repositories:

  1. First add the repository key: sudo apt-key add repository-key.gpg
  2. Then add the repository: sudo add-apt-repository 'deb http://repo.example.com/ubuntu stable main'
  3. Update package lists: sudo apt update

Key Formats:

  • Binary format: Default GPG key format (.gpg extension)
  • ASCII-armored: Text-based format that can be easily included in emails or web pages (.asc extension)
  • Use -a or --ascii-armor option to export keys in ASCII format

Key Identification:

Keys can be referred to by:

  • Key ID: Last 8 characters of the fingerprint (e.g., 3F1EA0C7)
  • Long Key ID: Last 16 characters of the fingerprint
  • Fingerprint: Full 40-character fingerprint
  • Email address: If the key has an associated email

Keyserver Operations:

The adv subcommand allows advanced operations with keyservers:

  • Receiving keys: apt-key adv --keyserver keyserver.ubuntu.com --recv-keys KEY_ID
  • Refreshing keys: apt-key adv --refresh-keys
  • Searching for keys: apt-key adv --keyserver keyserver.ubuntu.com --search-keys search_term

Security Considerations:

  • Always verify key fingerprints from trusted sources before adding them
  • Avoid adding keys from untrusted sources, as they could compromise your system
  • Regularly update keys with apt-key update to get revocation certificates
  • Consider using HTTPS to download keys when possible
  • Keys added to the system are trusted for all APT operations by all users

Deprecation Notice:

Note that apt-key is deprecated and will eventually be removed:

  • The recommended approach is to place repository keys in /etc/apt/trusted.gpg.d/ with a .gpg extension
  • Or place keys in /usr/share/keyrings/ and reference them in the sources list using the signed-by option
  • Example: deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] http://example.com/debian stable main

Common Patterns:

  • Add a key from a website: wget -qO - https://example.com/key.gpg | sudo apt-key add -
  • Add a key for a PPA: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys PPA_KEY_ID
  • Remove an expired key: sudo apt-key del EXPIRED_KEY_ID
  • View key details: apt-key list | grep -A 2 KEY_ID

Troubleshooting:

  • If NO_PUBKEY errors appear during apt update, you need to add the missing key
  • Use apt-key list to check if a key is already installed
  • If a key can't be fetched from the default keyserver, try an alternative one
  • For network issues, try using the hkp protocol: --keyserver hkp://keyserver.ubuntu.com:80
  • For corporate environments with proxies, set HTTP_PROXY environment variable before running apt-key

Tips & Tricks

1

Use the --keyring file option to specify a custom keyring file

2

Use the --with-fingerprint option to display the fingerprint of the key

3

Use the --with-colons option to display the key in colon-separated values format

4

Use the --with-uid option to display the key with the associated user ID

5

Use the --with-subkey option to display the key with its subkeys

Common Use Cases

Repository authentication

Add authentication keys for third-party software repositories

Key management

Manage the keys used to verify the authenticity of packages

Security maintenance

Remove expired or compromised keys from the trusted keyring

Key verification

List and inspect keys to verify their authenticity and origin

PPA setup

Add authentication keys for Personal Package Archives in Ubuntu

Related Commands

These commands are frequently used alongside apt-key or serve similar purposes:

apt
apt-get
gpg
apt-cache
dpkg
aptitude
add-apt-repository
Explore All Commands

Use Cases

1

Repository authentication

Add authentication keys for third-party software repositories

2

Key management

Manage the keys used to verify the authenticity of packages

3

Security maintenance

Remove expired or compromised keys from the trusted keyring

4

Key verification

List and inspect keys to verify their authenticity and origin

5

PPA setup

Add authentication keys for Personal Package Archives in Ubuntu

Learn By Doing

The best way to learn Linux commands is by practicing. Try out these examples in your terminal to build muscle memory and understand how the apt-key command works in different scenarios.

See ExamplesTry Lab Exercises
$ apt-key
View All Commands