Last updated: December 24, 2024
Despite the vast official software libraries, Linux users may find that an application they want to install isn't available in the official repositories. In such cases, we can install it from a third-party repository by adding that repository to the sources list. Since each repository's package index is signed with the maintainer's private key, users must also add the repository's public GPG key to the system keyring. This lets APT verify the signatures, so packages from that repository can be installed and updated securely.
As a result, managing GPG keys is a crucial aspect of maintaining the security of package installations and updates. Previously, the apt-key command was widely used to add, remove, and manage these keys. However, as security practices improved, apt-key has been deprecated since Ubuntu 20.04. Instead, Linux now handles GPG keys individually for each repository and stores them in the /usr/share/keyrings directory. Despite this change, many users still add public GPG keys with the apt-key add command, so it's worth knowing how to remove them.
In this tutorial, we'll discuss three different methods to remove a GPG key added using the apt-key add command in Linux. Additionally, we'll also cover how to remove a GPG key using the new, recommended method. Specifically, we use an Ubuntu system for the practical examples.
Before beginning, we must have a Linux system with some unwanted public GPG keys added using the apt-key add command.
We can use the list subcommand of the apt-key command to identify these GPG keys:
$ sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/atareao-ubuntu-telegram.gpg
--------------------------------------------------
pub rsa4096 2024-05-02 [SC]
24D6 ECA2 F050 3C89 698F 2260 2540 2D50 9B04 2DD9
uid [ unknown] Launchpad PPA for atareao-team
/etc/apt/trusted.gpg.d/mongodb.gpg
----------------------------------
pub rsa4096 2022-02-23 [SC] [expires: 2027-02-22]
39BD 841E 4BE5 FB19 5A65 400E 6A26 B1AE 64C3 C388
uid [ unknown] MongoDB 6.0 Release Signing Key <[email protected]>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
…
For demonstration purposes, we attempt to remove the MongoDB public GPG key.
Let’s explore three methods for removing a GPG key through the deprecated apt-key command. In the first two methods, the difference is mainly in the way we identify the key to the command. The last method explores a visual way to manage GPG keys.
Each GPG key has a so-called fingerprint: a unique hex string, displayed as 10 groups of four hex digits, that identifies it. We can remove a GPG key using the apt-key del command along with its fingerprint.
For instance, let’s remove the MongoDB public GPG key from the system using the apt-key del command:
$ sudo apt-key del "39BD 841E 4BE5 FB19 5A65 400E 6A26 B1AE 64C3 C388"
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Here, 39BD 841E 4BE5 FB19 5A65 400E 6A26 B1AE 64C3 C388 is the fingerprint of the MongoDB public GPG key, which we identified from the output of the apt-key list command.
The Key ID comprises the last eight (8) characters of a GPG key fingerprint. We can also pass this Key ID to the apt-key del command to delete a GPG key in Linux:
$ sudo apt-key del 64C3C388
Finally, we can run the apt-key list command to confirm that the MongoDB public GPG key is removed properly:
$ sudo apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg.d/atareao-ubuntu-telegram.gpg
--------------------------------------------------
pub rsa4096 2024-05-02 [SC]
24D6 ECA2 F050 3C89 698F 2260 2540 2D50 9B04 2DD9
uid [ unknown] Launchpad PPA for atareao-team
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
…
Notably, we successfully removed the MongoDB public GPG key.
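The two command-line methods above both come down to identifying the right key and handing its fingerprint (or Key ID) to apt-key del. The following script, added here as an example and not part of the original article, automates that selection: it parses apt-key list output, picks every key whose uid contains a given string, validates the fingerprint, derives the Key ID, and prints the removal command for review before anything is deleted. The sample listing is constructed from the output shown above (the uid e-mail address is omitted); the function and variable names are ours.

```shell
#!/bin/sh
# Added example (not from the original article): pick an apt-key entry by its uid text,
# derive the fingerprint and short Key ID, and build the `apt-key del` command from it.

# Constructed sample of `apt-key list` output, modelled on the listing in the article.
# On a live system, replace it with: apt-key list 2>/dev/null
SAMPLE_APT_KEY_LIST='/etc/apt/trusted.gpg.d/atareao-ubuntu-telegram.gpg
--------------------------------------------------
pub   rsa4096 2024-05-02 [SC]
      24D6 ECA2 F050 3C89 698F 2260 2540 2D50 9B04 2DD9
uid           [ unknown] Launchpad PPA for atareao-team

/etc/apt/trusted.gpg.d/mongodb.gpg
----------------------------------
pub   rsa4096 2022-02-23 [SC] [expires: 2027-02-22]
      39BD 841E 4BE5 FB19 5A65 400E 6A26 B1AE 64C3 C388
uid           [ unknown] MongoDB 6.0 Release Signing Key
'

# Read `apt-key list` output on stdin and print the fingerprint (spaces removed)
# of every key whose uid line contains PATTERN.
fingerprints_for_uid() {
    awk -v pat="$1" '
        /^pub /  { fp = "" }        # a new key block starts: forget the previous fingerprint
        {
            line = $0; sub(/^[ \t]+/, "", line)
            # fingerprint line: ten groups of four hex digits = 49 characters including spaces
            if (line ~ /^[0-9A-F ]+$/ && length(line) == 49) { fp = line; gsub(/ /, "", fp) }
        }
        /^uid / && fp != "" && index($0, pat) > 0 { print fp }
    '
}

# Validate a fingerprint (with or without spaces) and print its short Key ID,
# i.e. the last eight hex digits, which `apt-key del` also accepts.
keyid_from_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' ')
    case $fp in
        "" | *[!0-9A-Fa-f]*) echo "invalid fingerprint: $1" >&2; return 1 ;;
    esac
    if [ "${#fp}" -ne 40 ]; then
        echo "fingerprint must be 40 hex digits, got ${#fp}" >&2
        return 1
    fi
    printf '%s\n' "$fp" | cut -c33-40
}

# For each key whose uid matches PATTERN, print (DRY_RUN=1, the default) or run
# the removal command. Input is `apt-key list` output on stdin.
remove_keys_matching() {
    fingerprints_for_uid "$1" | while read -r fp; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "sudo apt-key del $fp"
        else
            sudo apt-key del "$fp"
        fi
    done
}

# Stand-alone demo: review the command first, then rerun with DRY_RUN=0 when satisfied.
printf '%s' "$SAMPLE_APT_KEY_LIST" | remove_keys_matching "MongoDB"
printf '%s' "$SAMPLE_APT_KEY_LIST" | fingerprints_for_uid "MongoDB" | while read -r fp; do
    keyid_from_fingerprint "$fp"
done
```

Matching on the uid text rather than typing a fingerprint by hand avoids deleting the wrong key because of a transcription slip, and the dry run keeps the actual deletion a deliberate second step.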
We can also remove a GPG key from the list of trusted software providers in Ubuntu by opening the Software & Updates application.
Then, we navigate to the Authentication tab and select the desired GPG key. Finally, we click the Remove button to delete the specific GPG key:
With that, we've removed the MongoDB GPG key from the system.
As mentioned earlier, the apt-key command is now deprecated. The main reason for this change is that it stored keys in a global location: /etc/apt/trusted.gpg or the /etc/apt/trusted.gpg.d/ directory. Every key in that location is trusted to sign any configured repository, so a compromised or malicious third-party key could be used to sign packages for all of them.
To address this, Linux distributions now handle GPG keys on a per-repository basis. We save these GPG keys in the /usr/share/keyrings directory and bind each one to its repository with the signed-by option in the repository configuration file. Overall, this method reduces the risk of exposing the system to unnecessary threats, as each key can only verify the repository it is explicitly assigned to.
Let’s list the GPG public keys stored in the /usr/share/keyrings directory by executing the common ls command:
$ ls /usr/share/keyrings/
packages.microsoft.gpg ubuntu-pro-cc-eal.gpg
telegram.gpg ubuntu-pro-cis.gpg
ubuntu-archive-keyring.gpg ubuntu-pro-esm-apps.gpg
ubuntu-archive-removed-keys.gpg ubuntu-pro-esm-infra.gpg
ubuntu-cloudimage-keyring.gpg ubuntu-pro-fips.gpg
…
We can now decide which GPG key to remove from the system.
However, if we’re unsure which GPG key is associated with a specific software repository, we can check the contents of the sources directory:
$ ls /etc/apt/sources.list.d/
atareao-ubuntu-telegram-jammy.list mongodb-org-6.0.list vscode.list
Then, we can display the contents of a specific repository file using the cat command. For instance, let's view the details of the VS Code repository:
$ cat /etc/apt/sources.list.d/vscode.list
deb [arch=amd64 signed-by=/usr/share/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/vscode stable main
Now, we can see the path of the GPG key assigned to the signed-by option in this repository entry. We can use this path to remove the specific public GPG key with the rm command:
$ sudo rm /usr/share/keyrings/packages.microsoft.gpg
Therefore, we successfully removed the VS Code GPG key from the system.
We can now run the update command to refresh the package indexes:
$ sudo apt update
…
W: Failed to fetch https://packages.microsoft.com/repos/vscode/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
…
For demonstration purposes, we didn't uninstall VS Code or delete its repository entry before removing the key, so the update above shows the warning: without the public key, APT can't verify the repository's signatures, which highlights the importance of the public GPG key. The warning persists for as long as the repository entry remains. Now, after uninstalling the application, we rerun the update command.
After updating the system, we can check whether the VS Code GPG key is no longer available by rerunning the ls command:
$ ls /usr/share/keyrings
telegram.gpg ubuntu-pro-cis.gpg
ubuntu-archive-keyring.gpg ubuntu-pro-esm-apps.gpg
ubuntu-archive-removed-keys.gpg ubuntu-pro-esm-infra.gpg
ubuntu-cloudimage-keyring.gpg ubuntu-pro-fips.gpg
ubuntu-cloudimage-removed-keys.gpg ubuntu-pro-fips-preview.gpg
…
Here, we notice that packages.microsoft.gpg is no longer available. Thus, we learned how to remove a GPG key in Linux.
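Because each key is now bound to its repository through signed-by, the safe way to decide which keyring files can be removed is to cross-check the keyrings on disk against the references in the sources files. The script below, added here as an example and not part of the original article, does that: it reports keyrings that no source references (removal candidates) and sources whose keyring is already missing (the situation behind the NO_PUBKEY failure above). Besides the one-line .list format shown in the article, it also understands the deb822 .sources format with its Signed-By: field, which goes beyond what the article covers. The fixture it runs against is a constructed temporary directory, and all function names are ours.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check the keyrings on disk against
# the signed-by references in the APT source files, so that keys are removed only when
# nothing uses them, and dangling references (the NO_PUBKEY failure) are caught early.

# Print one "keyring<TAB>source-file" line per signed-by reference found in SOURCES_DIR.
# Handles the one-line .list format and the deb822 .sources format (Signed-By: field).
# Commented-out entries are skipped; inline (armored) Signed-By blocks yield no path.
referenced_keyrings() {
    for f in "$1"/*.list "$1"/*.sources; do
        [ -f "$f" ] || continue
        case $f in
            *.list)    keys=$(sed -n 's/^deb[^[]*\[[^]]*signed-by=\([^] ]*\).*/\1/p' "$f") ;;
            *.sources) keys=$(sed -n 's/^Signed-By:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f") ;;
        esac
        for k in $keys; do printf '%s\t%s\n' "$k" "$f"; done
    done
}

# Report keyrings in KEYRINGS_DIR that no source references (safe rm candidates) and
# sources whose signed-by keyring is missing (apt update will fail with NO_PUBKEY).
audit_keyrings() {
    sources_dir=$1; keyrings_dir=$2
    refs=$(referenced_keyrings "$sources_dir")
    for k in "$keyrings_dir"/*.gpg "$keyrings_dir"/*.asc; do
        [ -f "$k" ] || continue
        printf '%s\n' "$refs" | cut -f1 | grep -qxF -- "$k" || echo "ORPHAN $k"
    done
    tab=$(printf '\t')
    printf '%s\n' "$refs" | while IFS="$tab" read -r k f; do
        [ -n "$k" ] || continue
        [ -f "$k" ] || echo "MISSING $f -> $k"
    done
}

# Constructed fixture (temporary directory) mirroring the article's layout: the VS Code
# entry references an existing keyring, the MongoDB entry references a keyring that has
# already been deleted, a disabled entry is commented out, and stale-vendor.gpg is
# referenced by nothing. URLs other than the VS Code one are placeholders.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sources.list.d" "$root/keyrings"
    : > "$root/keyrings/packages.microsoft.gpg"
    : > "$root/keyrings/telegram.gpg"
    : > "$root/keyrings/stale-vendor.gpg"
    printf 'deb [arch=amd64 signed-by=%s] https://packages.microsoft.com/repos/vscode stable main\n' \
        "$root/keyrings/packages.microsoft.gpg" > "$root/sources.list.d/vscode.list"
    printf '# deb [signed-by=%s] https://example.invalid/disabled jammy main\n' \
        "$root/keyrings/never-created.gpg" > "$root/sources.list.d/disabled.list"
    printf 'deb [ arch=amd64,arm64 signed-by=%s ] https://example.invalid/mongodb jammy/mongodb-org/6.0 multiverse\n' \
        "$root/keyrings/mongodb.gpg" > "$root/sources.list.d/mongodb-org-6.0.list"
    printf 'Types: deb\nURIs: https://example.invalid/telegram\nSuites: jammy\nComponents: main\nSigned-By: %s\n' \
        "$root/keyrings/telegram.gpg" > "$root/sources.list.d/telegram.sources"
    echo "$root"
}

# Stand-alone demo against the fixture. On a real system, run for example:
#   audit_keyrings /etc/apt/sources.list.d /usr/share/keyrings
root=$(make_fixture)
audit_keyrings "$root/sources.list.d" "$root/keyrings"
rm -rf "$root"
```

An ORPHAN line means the rm step from the article can be applied to that file without breaking any repository; a MISSING line means the repository entry should be removed (or its key reinstalled) before the next apt update, which would otherwise fail exactly as shown above. Third-party installers also commonly place keyrings in /etc/apt/keyrings, so run the audit against that directory as well when it exists.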
In this article, we covered how to remove a GPG key added using the apt-key add command through the apt-key del command and the Software & Updates application. However, since Ubuntu deprecated apt-key, we also discussed how to securely remove public GPG keys using the rm command from the /usr/share/keyrings directory in Linux.