Warning: apt-key is deprecated
Please don’t “Manage keyring files in trusted.gpg.d instead”
$ wget -qO - https://package.perforce.com/perforce.pubkey | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
I encountered this during the past week, and I found this warning / error message (depending on your version of Debian or Ubuntu) unhelpful.
What does it mean?
I found good explanations [here] and [here], which boil down to “it’s not a good idea to register keyring files in a way that allows your computer to install a package signed with a different source repository’s keys”. Managing the files in trusted.gpg.d is functionally equivalent to using apt-key to install the key, which has been deprecated precisely because it’s a security risk.
So what should we do instead?
Simply put, instead of installing keyring files with apt-key, we should store them and explicitly configure our apt sources to exclusively verify their packages’ signatures with their own keys.
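To check which sources on a machine are still verified against the global keyrings rather than their own key, this audit script (an added example, not the author's script) lists one-line and deb822 source entries that lack apt's signed-by option, plus the keyrings in trusted.gpg and trusted.gpg.d that apt trusts for them. The function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's script): audit an apt configuration tree for
# sources that are not pinned to their own key with signed-by.
# Function names and the directory argument are assumptions of this example.

# One-line style (sources.list, *.list): print "file:line:entry" for each
# active deb/deb-src line that has no signed-by= option.
unpinned_list_entries() {
    for f in "$1/sources.list" "$1"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v f="$f" '/^[ \t]*deb(-src)?[ \t]/ && !/signed-by=/ {
            print f ":" NR ":" $0 }' "$f"
    done
}

# deb822 style (*.sources): print "file:stanza N" for each stanza that has a
# Types: field but no Signed-By: field. Field names are case-insensitive.
unpinned_deb822_stanzas() {
    for f in "$1"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v f="$f" 'BEGIN { RS = "" }   # paragraph mode: one record per stanza
            { s = "\n" tolower($0) }
            s ~ /\ntypes:/ && s !~ /\nsigned-by:/ { print f ":stanza " NR }' "$f"
    done
}

# Keyrings that apt trusts for every source lacking signed-by.
global_keyrings() {
    for f in "$1/trusted.gpg" "$1"/trusted.gpg.d/*.gpg "$1"/trusted.gpg.d/*.asc; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

audit_apt() {
    root="${1:-/etc/apt}"
    echo "Source entries without signed-by:"
    unpinned_list_entries "$root"
    unpinned_deb822_stanzas "$root"
    echo "Keyrings trusted for all of them:"
    global_keyrings "$root"
}

audit_apt "$@"
```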
You can follow the instructions in either of the two sources linked above, but I find it easier and clearer to do this with a bash script, so here we go:
#!/bin/bash
ENTRY_NAME=""
REPO_SOURCE=""
GPG_KEY_URL=""
REPO_COMPONENT="stable" # Default to stable if not specified
function usage() {
echo "Usage: $0 [options]"…