Nerd, engineer, traditional wet shaver

Legacy Keyring Deprecated

In the process of setting up a new Raspberry Pi router, I discovered that I had a repository key stored in the wrong location on PiOS Bookworm.

The key is stored in an old location that has since been updated, however it is flagged as an issue when updating software through Apt.

Identifying the Error

After running the following:

sudo apt update

I received the following line saying that a key was deprecated.

41 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

The updating of software will still continue, but everytime I run the update command, I received the error.

Digging around the internet archives and numerous websites, I came across the following solution. While this isn’t my solution, I’m sharing here for when I need the solution in the future.

What is the problem?

Keys were previously stored in:


They are now stored in:


In Bookworm, most of the keys have been migrated to the new location, however one key seems to remain in the old location.

Steps to Solve

Since the old location is only deprecated, it is still checked when running any of the apt commands. So we need to move the key to the new location, however if we simply copy it to the new location, then remove the key, both keys will be removed and we will be further behind than where we are.

Step One

We need to list the key so we know which one to copy.

sudo apt-key list | grep -A4 "trusted.gpg$"

you will receive something similar to the following:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub   rsa2048 2012-04-01 [SC]
      A0DA 38D0 D76E 8B5D 6388  7281 6591 938D FD90 EE2D
uid           [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <>

We need to note down the last 8 hexadecimal characters of the key (in this instance FD90EE2D) for use in the next couple of commands.

Step Two

We copy the key to a temporary location to let us remove the original using appropriate commands.

sudo apt-key export FD90EE2D | sudo gpg --dearmor -o /tmp/raspi.gpg

Double check that the key has been copied:

file /tmp/raspi.gpg 

You should receive something similar to the following. If not, double check you typed the last 8 characters of the key correctly. I made this mistake first time. It is relatively easy to do if you type it out.

/tmp/raspi.gpg: OpenPGP Public Key Version 4, Created Sun Apr 1 21:02:33 2012, RSA (Encrypt or Sign, 2048 bits); User ID; Signature; OpenPGP Certificate

Now delete the old key:

sudo apt-key del FD90EE2D

Step Three

The third and final step is to move the exported key into the correct location.

sudo mv /tmp/raspi.gpg /etc/apt/trusted.gpg.d/

That’s all folks

Once you have completed all the above steps, I run the ”’apt update”’ command again to check that the key has been moved, and I am no longer reciving the ”’DEPRECATED”’ comments.

You should been good to go.