Use trusted.gpg.d instead of apt-key

[he7d3r]

Problem description

One of the steps at https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository is to add Docker’s official GPG key like this:

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

However, the last part generates the following warning (at least on Ubuntu 20.10):

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

Maybe it is time to use trusted.gpg.d as suggested by the warning?

[FelipeGangrel]

Same here

[noahsbwilliams]

I'm experiencing the same issue, with the additional problem that when I try to manually add the gpg file to /etc/apt/trusted.gpg.d/docker.gpg and then run sudo apt update I get this error:

The key(s) in the keyring /etc/apt/trusted.gpg.d/docker.gpg are ignored as the file has an unsupported filetype.

...with of course loads of other errors from not having a valid key.

[devs-saifur-rahman]

This worked for me

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/docker-apt-key.gpg add

Also, if you are using groovy , you should try focal instead.

[mcaci]

Hi @devs-saifur-rahman, thanks for this tip. I was stuck in the same point and it helped me to progress with the install. This may be a good update to be done in the docs. EDIT: I will try to make some time to check if I can do it and submit it.

[denis-roy]

apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04

Although adding keys directly to /etc/apt/trusted.gpg.d/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to /usr/share/keyrings and referenced with the signed-by option in the source.list.d entry.

ADD A KEY

# Adding an ASCII Armored key (.asc key)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
gpg --dearmor | \
sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > \
/dev/null

# Or if you prefer a one-liner
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

# Breakdown of each part
#
# curl             downloads the key 
# gpg --dearmor    creates a binary .gpg because /usr/share/keyrings cannot take .asc keys
# sudo tee         because we get permission denied if we try redirect the output of a sudo command
# /dev/null        we don't need to see the dearmored keyring on the console

ADD REPOSITORY AS A SOURCE IN /etc/apt/sources.list.d/

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ 
sudo tee /etc/apt/sources.list.d/docker-ce.list > \
/dev/null


# Of if you prefer a one-liner
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

With the above in place, you're ready for the transition away from apt-key to whatever will come next, with the added bonus of Debian's security best practices. :)

[vieee]

@denis-roy, are these commands same for Debian distribution as well..? [just by replacing ubuntu => debian]
Facing the same issue, while trying to install docker

sorry if it sounds too stupid, I'm new to Docker.

apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04

Although adding keys directly to /etc/apt/trusted.gpg.d/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to /usr/share/keyrings and referenced with the signed-by option in the source.list.d entry.

ADD A KEY

# Adding an ASCII Armored key (.asc key)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
gpg --dearmor | \
sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > \
/dev/null

# Or if you prefer a one-liner
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

# Breakdown of each part
#
# curl             downloads the key 
# gpg --dearmor    creates a binary .gpg because /usr/share/keyrings cannot take .asc keys
# sudo tee         because we get permission denied if we try redirect the output of a sudo command
# /dev/null        we don't need to see the dearmored keyring on the console

ADD REPOSITORY AS A SOURCE IN /etc/apt/sources.list.d/

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ 
sudo tee /etc/apt/sources.list.d/docker-ce.list > \
/dev/null


# Of if you prefer a one-liner
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

With the above in place, you're ready for the transition away from apt-key to whatever will come next, with the added bonus of Debian's security best practices. :)

[denis-roy]

@vieee, the procedure is the same for Debian 9 (Stretch) / Ubuntu 16.04 (Xenial) onward. For more information, refer to PR #11990

Here are the commands you need to execute to install Docker on Debian

⚠️ Make sure you copy paste the commands, we are all prone to typos! :)

INSTALLING DEPENDENCIES

sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent

ADDING THE KEY

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor \
| sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

ADDING THE REPOSITORY

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null

UPDATING APT & INSTALLING DOCKER

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io

[AkashicSeer]

What group of fools decided to deprecate something without first having a replacement or even a suggested replacement, or EVEN DOCUMENTING THIS HORSESHIT????

[denis-roy]

@AkashicSeer, please remain civil.

Deprecated means you can still use the tool but its usage is discouraged. The way Debian has decided to deal with third-party keys and repositories is well documented in their Wiki.

The apt-key tool will only disappear in an OS version due to be released somewhere in 2022. When this time comes, nobody is forcing you to upgrade to this version of the OS if you want to carry on using apt-key for as long as you wish.

Simply put: Nobody is forcing you to change and if you want to change, there is plenty of time to comply.

Hint: You might want to change. The proposed way is much more secure: It assign a specific key to a specific repository as opposed to now where any package is checked against any key in your keyring.

The group of fools you are referring to is a large body of able open source developers who work mostly without pay to provide the world with a free operating system that anybody, and that includes you, is at complete liberty to use... Or not.

If you feel you can contribute ideas or code towards a better way to manage third-keys and repository, as we say in the open source world: Pull Requests are welcome.

[Pem7x]

To install Docker for Kali 2020.1 debian amd64 run the following:
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null

then:

echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt-get update

sudo apt-get install docker-ce

It worked for me by Hard coding.

[denis-roy]

@Pema-Sereka, hardcoding amd64 and buster might work for you but will fail for those who try to install Docker on a x86 or armel/armhf distribution of Kali

Evaluating $(dpkg --print-architecture) and $(lsb_release -cs) in the following command ensures a wider coverage :)

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null