{{Header}}
{{title|
title=APT Signing Key Folders and Other Development Notes
}}
{{#seo:
|description=/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d, /usr/share/keyrings
}}
{{dev_apt_mininav}}
{{intro|
/etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d, /usr/share/keyrings
}}
= APT Keyring Folders =
APT by default considers only signing keys in:
* file /etc/apt/trusted.gpg
* folder /etc/apt/trusted.gpg.d
Signing keys in folder /usr/share/keyrings are ignored by default by APT, unless the signed-by keyword is used in APT sources files (i.e. in configuration file /etc/apt/sources.list or in configuration snippet drop-in folder /etc/apt/sources.list.d).
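The following Python audit is an added example, not code from Kicksecure or APT. It parses one-line-style and deb822-style source text and reports, per repository URI, whether the entry is pinned with signed-by or falls back to the keys in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d. The function names, the repo.example.org entries and the sample strings are constructed for illustration.

```python
import re

GLOBAL = "global: /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d"

def parse_one_line(text):
    """Yield (uri, signed-by value or None) per one-line-style entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?:deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if m:
            opts = dict(o.split("=", 1) for o in (m.group(1) or "").split() if "=" in o)
            yield m.group(2), opts.get("signed-by")

def parse_deb822(text):
    """Yield (uri, Signed-By value or None) per enabled deb822 stanza."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line.startswith("#"):
                continue
            if line[:1].isspace() and key:      # continuation, e.g. an embedded key
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                key = key.strip().lower()       # field names are case-insensitive
                fields[key] = value.strip()
        if fields.get("enabled", "yes").lower() == "no":
            continue                            # disabled stanza, APT ignores it
        for uri in fields.get("uris", "").split():
            yield uri, fields.get("signed-by", "").strip() or None

def audit(text, deb822=False):
    """Map each repository URI to the keyring scope it is verified against."""
    entries = parse_deb822(text) if deb822 else parse_one_line(text)
    return {uri: (f"pinned: {sb}" if sb else GLOBAL) for uri, sb in entries}

# Constructed sample input: the page's Kicksecure line plus made-up unpinned entries.
ONE_LINE = """\
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free
deb https://repo.example.org/debian trixie main  # constructed, no signed-by
"""
DEB822 = """\
Types: deb
URIs: https://repo.example.org/debian
Suites: trixie
Components: main
"""

if __name__ == "__main__":
    print(audit(ONE_LINE), audit(DEB822, deb822=True))
```

Entries reported as global accept a signature from any key in the default keyring locations, which is why they are worth reviewing.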
Example signed-by keyword use in one-line-style sources:
<pre>
[signed-by=/usr/share/keyrings/derivative.asc]
</pre>
Example Signed-By keyword use in deb822-style sources:
<pre>
Signed-By: /usr/share/keyrings/derivative.asc
</pre>
Example of a complete one-line-style deb sources line with the signed-by keyword.
<pre>
deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free
</pre>
Example of a complete deb822-style deb sources stanza with the signed-by keyword.
<pre>
Types: deb
URIs: https://deb.kicksecure.com
Suites: trixie
Components: main contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/derivative.asc
</pre>
= Repository Migration =
== Background on Debian APT Origin and Label ==
When Debian's APT sees a repository for the first time, it notes its Origin and Label fields. Should these change, Debian will show a warning and not proceed using any repository with a changed Origin or Label until the user accepts the change using <code>sudo apt update --allow-releaseinfo-change</code>.
== deb822-style sources files ==
The older one-line-style sources format has been deprecated and may be removed in the future. https://web.archive.org/web/20251029071653/https://manpages.debian.org/unstable/apt/sources.list.5.en.html states under the section "ONE-LINE-STYLE FORMAT": "This format is deprecated and may eventually be removed, but not before 2029." Starting in Kicksecure 18, the deb822-style format is used.
Numerous upstream projects have not yet migrated to the new format, sometimes necessitating forking projects and attempting to contribute the feature upstream later. Some upstream PRs and issues related to this:
* https://github.com/grml/grml-debootstrap/issues/203
* https://github.com/grml/grml-debootstrap/pull/351
* https://salsa.debian.org/live-team/live-build/-/merge_requests/436
* https://lists.debian.org/debian-devel/2025/09/msg00037.html
** https://lists.debian.org/debian-devel/2025/09/msg00044.html Quote: "Please use a .pgp extension instead of .gpg (which is now just a backwards compatibility symlink that will eventually go away)."
* https://github.com/QubesOS/qubes-issues/issues/10494
== Forum Discussion ==
https://forums.whonix.org/t/e-repository-tor-https-deb-kicksecure-com-bullseye-inrelease-changed-its-origin-value-from-kicksecure-to-whonix/13810
= See Also =
* [[Dev/APT Pinning]]
* [[Dev/APT Repository]]
* [https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302 signed-by keyword forum discussion]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Design]] [[Category:Development]]