How do I get gpg to generate a GPG Key public ring rather than a keybox?
I'm trying to take a public key and add it to /etc/apt/trusted.gpg.d/, but I'm getting an incompatibility issue.

I run:

gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/example.gpg --import file.asc

Which works.

But then when I use apt-key list it says the key is incompatible.

Looking at the file types, my example.gpg is of type GPG keybox database version 1, whereas the other apt keys are of type GPG key public ring.

How do I get gpg to generate a GPG key public ring rather than a keybox?

Mom answered 4/6, 2020 at 17:38 Comment(1)
Hulbig: Note that apt-key is deprecated.
10

I also recently stumbled across this issue, and after digging into the source code, I found pretty much the perfect solution.

You can just specify the keyring format with a prefix, so gnupg-ring: or gnupg-kbx:. In your case, the command would be:

gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/example.gpg --import file.asc

For this method to work, disable the keyboxd daemon (enabled by default on new GnuPG home directories since GnuPG 2.4.1); otherwise all public keys are unconditionally stored in the one SQLite database (~/.gnupg/public-keys.d/pubring.db) and --no-default-keyring and --keyring arguments are silently ignored:

Comment out `use_keyboxd` in `~/.gnupg/common.conf`, if that file exists.
Caldron answered 17/5, 2022 at 17:20 Comment(1)
Anfractuosity: I came here because use_keyboxd broke my scripts. Ended up using gpgv instead of gpg. (It's a signature verification tool, a stripped-down version of gpg.)
7

I know that this is old, but since I spent some time finding a solution, I am going to share it.

GnuPG has always been a pain when it comes to automation, and there doesn't seem to be a way to make it use the old keyring v4 format. However, it can be done by re-exporting the key. Here is an ugly one-liner with the MariaDB repo as an example:

# cd /etc/apt/trusted.gpg.d/ && wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | \
  gpg --no-default-keyring --keyring=$(pwd)/mariadb.gpg --batch --import - && \
  gpg --no-default-keyring --keyring=$(pwd)/mariadb.gpg --batch --output $(pwd)/mariadb.gpg~ --export --yes && \
  mv $(pwd)/mariadb.gpg~ $(pwd)/mariadb.gpg; chmod 644 $(pwd)/mariadb.gpg

This can be done much more easily with apt-key and its --keyring option (tested on Debian Buster 10.7).

$ wget -q -O - https://mariadb.org/mariadb_release_signing_key.asc | \
  sudo apt-key --keyring /etc/apt/trusted.gpg.d/mariadb.gpg add -

If you look at the apt-key script you will find something similar to the one-liner above (but probably more robust). Note that apt-key will complain and fail if you use the suffix .asc instead of .gpg for the trusted file. That seems to be a bug, which can be avoided by touching the file beforehand.

Habergeon answered 26/12, 2020 at 19:22 Comment(0)
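Both answers above end up with a file in /etc/apt/trusted.gpg.d/ whose format you have to trust blindly unless you run `file` on it. The following is an added example, not code from the question, the answers, GnuPG or apt: a small Python checker that applies the same tests `file` uses (the keybox header magic "KBXf" at byte offset 8, or an OpenPGP packet header as the first byte) so a deployment script can assert that the key it just installed is a binary public ring rather than a keybox, an ASCII-armored block in a .gpg file, or, worse, a secret keyring. The sample byte strings at the bottom are constructed for the demonstration and are not real keys; the packet-header parsing follows RFC 4880 section 4.2.

```python
"""Classify a GnuPG keyring file: keybox database vs. OpenPGP packet stream.

Added example (not GnuPG or apt code). Mirrors the checks `file` applies so a
script can verify that a file in /etc/apt/trusted.gpg.d/ is the binary
public-ring format apt expects, rather than the keybox that `gpg --import`
writes by default.
"""
import struct
import sys

KBX_MAGIC = b"KBXf"            # keybox header blob magic, at offset 8
ARMOR_HEADER = b"-----BEGIN PGP "

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SECRET_KEY = 5
TAG_PUBLIC_KEY = 6


def parse_packet_header(data):
    """Return (tag, header_length) for the first OpenPGP packet, or None.

    Handles the old packet format (bit 6 clear; 1-, 2-, 4-byte or
    indeterminate length) and the new format (bit 6 set; one-, two- or
    five-octet lengths; a partial-body length is treated as a 2-byte header).
    """
    if not data or not data[0] & 0x80:
        return None
    first = data[0]
    if first & 0x40:                      # new format: tag in the low 6 bits
        if len(data) < 2:
            return None
        tag = first & 0x3F
        l1 = data[1]
        if l1 < 192:
            hdr = 2
        elif l1 < 224:
            hdr = 3
        elif l1 == 255:
            hdr = 6
        else:                             # partial body length
            hdr = 2
        return tag, hdr
    tag = (first >> 2) & 0x0F             # old format: tag in bits 5..2
    length_type = first & 0x03
    hdr = {0: 2, 1: 3, 2: 5, 3: 1}[length_type]   # 3 = indeterminate length
    return tag, hdr


def classify(data):
    """Return a short label describing what kind of keyring `data` is."""
    if len(data) >= 12 and data[8:12] == KBX_MAGIC:
        return "GPG keybox database version %d" % data[5]
    if data.startswith(ARMOR_HEADER):
        return "ASCII-armored OpenPGP block (use a .asc suffix or dearmor it)"
    header = parse_packet_header(data)
    if header is None:
        return "unknown: not an OpenPGP packet stream or keybox"
    tag, hdr_len = header
    if tag == TAG_PUBLIC_KEY:
        if len(data) > hdr_len:
            # First body octet of a key packet is the key version (e.g. 4).
            return "GPG key public ring (key version %d)" % data[hdr_len]
        return "GPG key public ring (truncated)"
    if tag == TAG_SECRET_KEY:
        return "OpenPGP secret keyring: must not be installed as a trusted key"
    return "OpenPGP packet stream starting with tag %d (not a public keyring)" % tag


def classify_file(path):
    """Classify a keyring on disk; only the first 64 bytes are needed."""
    with open(path, "rb") as fh:
        return classify(fh.read(64))


# Constructed samples (not real keys) used to exercise the classifier.
_BODY = b"\x04" + b"\x60\x00\x00\x00" + b"\x01" + b"\x00\x08\xc5"   # v4, RSA
SAMPLE_PUBRING_OLD = b"\x99" + struct.pack(">H", len(_BODY)) + _BODY
SAMPLE_PUBRING_NEW = b"\xc6" + bytes([len(_BODY)]) + _BODY
SAMPLE_SECRING = b"\x95" + struct.pack(">H", len(_BODY)) + _BODY
SAMPLE_KEYBOX = (struct.pack(">IBBH", 32, 1, 1, 0) + KBX_MAGIC
                 + struct.pack(">IIIII", 0, 0x60000000, 0, 0, 0))
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n"
                  b"-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for name, sample in (("keybox", SAMPLE_KEYBOX), ("old-format pubring", SAMPLE_PUBRING_OLD),
                             ("new-format pubring", SAMPLE_PUBRING_NEW), ("armored", SAMPLE_ARMORED)):
            print("%-20s %s" % (name, classify(sample)))
    for path in paths:
        print("%s: %s" % (path, classify_file(path)))
```

Run it as `python3 checkring.py /etc/apt/trusted.gpg.d/*.gpg` after either re-export method above; a result starting with "GPG keybox database" means the file still needs the `gnupg-ring:` prefix or the export step, and an ASCII-armored result in a .gpg file explains the apt-key complaint mentioned in the last answer.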
