apt-key and trusted.gpg are slated for deprecation. Users should move on to trusted.gpg.d instead. Our guides need to be updated to reflect that. @torjunkie please feel free to look at it when you have time.
There’s discussion about moving from GPG entirely for apt…
New features
Various patterns related to dependencies, such as ?depends are now available (2.1.16)
The Protected field is now supported. It replaces the previous Important field and is like Essential, but only for installed packages (maybe some minor further differences in terms of ordering the installs).
The update command has gained an --error-on=any option that makes it error out on any failure, not just what it considers persistent ones.
The rred method can now be used as a standalone program to merge pdiff files
APT now implements phased updates. Phasing is used in Ubuntu to slow down and control the roll out of updates in the -updates pocket, but has previously only been available to desktop users using update-manager.
Phased updates are an interesting one, as they support gradually rolling out a new update to a subset of users, in case it has regressions, so everybody isn’t affected at once while giving it some testing.
Thanks to your notification, apt-key is no longer used in Whonix source code since version 15.0.1.7.2.
This is non-trivial.
There are (at least) two formats of gpg public keys.
ASCII-armored, .asc.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFLYY+gBEACb5AqqsBuxzGlqSQZoua/CI/kr9YOagD9G8I+aBXoTUqyTSafy
JvamqxcV1mti0QKhyQsw43f340R9lGvdGTm7JhsESuHwbkAPxa6hOdjvNy//5NkK
[...]
-----END PGP PUBLIC KEY BLOCK-----
And also gpg public keys in binary format, .gpg.
I prefer ASCII-armored over binary format since these files seem more “transparent”. They can be viewed in a simple text editor. Signing key contents could be replaced by simple copy/paste. Though, these files cannot be interpreted without use of gpg as far as I know.
Keys for APT in /etc/apt/trusted.gpg.d/ must be in binary format.
[2] In Whonix, a wrapper to convert ASCII-armored format to binary format could be invented. Even a wrapper to simplify installation of gpg signing keys. No matter in what original format, convert if required then copy to apt signing key folder.
That would help users installing third party signing keys when they are using Whonix.
I am for [A][2] because we keep providing the more transparent format and also help users deal with any third party provided format without them getting headaches about what .asc vs .gpg is or why this matters, when all they want to do is securely install a piece of software and get going.
apt-key is used to manage the list of keys used by apt to authenticate packages. Packages which have been authenticated using these keys will be considered trusted.
Use of apt-key is deprecated, except for the use of apt-key del in maintainer scripts to remove existing keys from the main keyring. If such usage of apt-key is desired the additional installation of the GNU Privacy Guard suite (packaged in gnupg) is required.
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Is this the accepted and safe workaround using GPG (untested)?:
Yeah, seems they extended the deprecation timeline to give users a chance to move on. Here is the suggested alternative usage from the bullseye release changelog:
bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension. A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.
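As an added example (not Whonix code and not something posted in this thread), here is one way to implement the wrapper suggested earlier for converting a third-party key to the binary format and dropping it into the apt-key-free location quoted above. It serves both the "convert if required then copy to apt signing key folder" idea and the question about a safe workaround. The function names, the APT_KEY_DIR override and the default destination of /etc/apt/trusted.gpg.d are assumptions of this example; gpg --dearmor is the standard gnupg option for the armored-to-binary step.

```shell
#!/bin/sh
# Added example, not Whonix or Debian code: a small wrapper that takes an
# OpenPGP public key in either ASCII-armored (.asc) or binary (.gpg) form,
# converts it to binary when needed, and drops it into APT's key directory.
# Assumptions (not from the thread): the destination defaults to
# /etc/apt/trusted.gpg.d (override with APT_KEY_DIR), and gpg from the
# gnupg package is present only for the armored-to-binary conversion.

# Succeeds if the file begins with the OpenPGP armor header line.
is_armored() {
    head -n 1 -- "$1" 2>/dev/null | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# Succeeds if the first byte is a public-key packet tag as written by
# "gpg --export" (old packet format 0x98/0x99/0x9a, new format 0xc6).
# A cheap sanity check to reject stray text files, not a full parser.
is_binary_pubkey() {
    tag=$(od -An -N1 -tx1 -- "$1" 2>/dev/null | tr -d ' \n')
    case "$tag" in
        98|99|9a|c6) return 0 ;;
        *) return 1 ;;
    esac
}

# install_apt_key FILE: normalise FILE to binary and install it as
# $APT_KEY_DIR/<basename>.gpg; prints the installed path on success.
install_apt_key() {
    src=$1
    dest_dir=${APT_KEY_DIR:-/etc/apt/trusted.gpg.d}
    name=$(basename -- "$src")
    dest="$dest_dir/${name%.*}.gpg"
    if is_armored "$src"; then
        # gpg --dearmor turns the armored text into the binary form APT expects
        gpg --dearmor < "$src" > "$dest" || { rm -f -- "$dest"; return 1; }
    elif is_binary_pubkey "$src"; then
        cp -- "$src" "$dest"
    else
        echo "install_apt_key: $src is neither an armored nor a binary public key" >&2
        return 1
    fi
    # APT only needs to read the file; keep it world-readable.
    chmod 0644 "$dest"
    echo "$dest"
}

# Behave as a command-line tool when given a key file argument.
if [ "$#" -ge 1 ]; then
    install_apt_key "$1"
fi
```

Converting to binary unconditionally keeps the installed file valid for APT versions that only read .gpg as well as for bullseye and later, which also accept .asc. The wrapper does not verify whose key it is installing; compare the key's fingerprint against the vendor's published value before running it, since anything placed in this directory authenticates packages from every configured source.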