While upgrading to Ubuntu 24.04, some of the sources.list files were converted automatically to the new deb822 (.sources) format. Others, however, were left untouched or deactivated.
For all of you out there, here are some of my findings while doing the file conversion:
Let’s take the docker repo as an example (original description here):
linux # cat /etc/apt/sources.list.d/docker.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable
Make sure the key file downloaded from Docker is ASCII-armored (the first line must read "-----BEGIN PGP PUBLIC KEY BLOCK-----"), and, as with any third-party signing key, compare its fingerprint (gpg --show-keys docker.asc) with the one the vendor publishes before trusting it:
linux # curl -s -o - https://download.docker.com/linux/ubuntu/gpg | head -n1
-----BEGIN PGP PUBLIC KEY BLOCK-----
Sometimes the key is only available in binary (dearmored) form and must be converted before it can be embedded (more on that a little further down).
Converted to the new format (/etc/apt/sources.list.d/docker.sources), the same entry looks like this:
Enabled: yes
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: noble
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
Some package providers ship the current GPG key as a file inside their package, installed at a fixed location that the Signed-By option points to. That way the key is refreshed automatically by package upgrades (in case of expiry, for example) and updates keep working.
There may be situations, though, where it is handy to have the whole configuration in one place (one config file), so you may want to embed the GPG key in the apt source itself.
Keep in mind that you then have to update the key manually whenever it changes!
Including the key in the config
You can also embed the key in the config itself by inserting the armored (ASCII) version. Every line of the key must start with a space, and any blank line inside the key (the one after the BEGIN header, for instance) must be written as a space followed by a single period, as sources.list(5) describes:
Enabled: yes
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: noble
Components: stable
Signed-By: -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
<...>
jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
=0YYh
-----END PGP PUBLIC KEY BLOCK-----
One way to do this is to prepare the file as above but end it with a line reading just "Signed-By:" (without a value), and then append the key with every line indented by one space and blank lines turned into " .". Make sure the download is ASCII-armored and starts with "-----BEGIN PGP PUBLIC KEY BLOCK-----" (curl -f makes sure an HTTP error page is not appended by mistake):
linux # curl -fsS -o - https://download.docker.com/linux/ubuntu/gpg | sed -e 's/^$/./' -e 's/^/ /' >> /etc/apt/sources.list.d/docker.sources
If you only have a binary version of the key (check with the "file" command, as shown next), convert it to ASCII armor first:
linux # file /etc/apt/trusted.gpg.d/docker.gpg
/etc/apt/trusted.gpg.d/docker.gpg: OpenPGP Public Key Version 4, Created Wed Feb 22 18:36:26 2017, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate
linux # gpg -o - --enarmor /etc/apt/trusted.gpg.d/docker.gpg | sed -e 's/PGP ARMORED FILE/PGP PUBLIC KEY BLOCK/'
The gpg --enarmor command more or less just base64-encodes the binary file and wraps it in a header and footer. gpg therefore has no idea what the file really contains and labels it "PGP ARMORED FILE" in the header and footer, so those two lines need to be replaced with the correct type "PGP PUBLIC KEY BLOCK"; that is what the sed takes care of. The result can then be indented and appended to the .sources file exactly like the ASCII key above.
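The following helper does the conversion described above end to end. It is an added example written for this page, not code from the original post or from Docker's documentation: it turns a classic one-line entry into a deb822 stanza and, when given an ASCII-armored key file, embeds it as the Signed-By value with every line indented by one space and blank lines written as " ." as sources.list(5) requires. It goes slightly beyond the Docker entry by also mapping arch= (comma-separated) to an Architectures: field. The function names, the sample entry and the truncated key body in the demo are constructed; a binary keyring is rejected, which is exactly the case the gpg --enarmor step above handles.

```shell
#!/bin/sh
# Added example (not from the original post): convert a one-line sources.list
# entry into a deb822 stanza and optionally embed an ASCII-armored key.
# Function names and the demo data are constructed for this example.

# Emit an armored public key as a multi-line Signed-By field.
# Returns 1 if the file is not ASCII-armored (e.g. a binary .gpg keyring).
embed_key() {
    keyfile=$1
    if [ "$(head -n 1 "$keyfile")" != "-----BEGIN PGP PUBLIC KEY BLOCK-----" ]; then
        echo "embed_key: $keyfile is not an ASCII-armored public key block" >&2
        return 1
    fi
    printf 'Signed-By:\n'
    # blank line -> "." first, then prefix every line with one space (" .")
    sed -e 's/^$/./' -e 's/^/ /' "$keyfile"
}

# deb822_stanza 'deb [arch=... signed-by=...] URI suite components...' [keyfile]
# With a second argument the key file is embedded instead of the signed-by path.
deb822_stanza() {
    entry=$1
    keyfile=${2:-}
    # one-line entries are whitespace separated: split into words
    set -- $entry
    type=$1; shift
    arch=""; signedby=""
    case $1 in
        \[*)
            # options may span several words: collect until the closing ']'
            opts=$1; shift
            while [ "${opts%]}" = "$opts" ] && [ $# -gt 0 ]; do
                opts="$opts $1"; shift
            done
            opts=${opts#\[}; opts=${opts%]}
            for kv in $opts; do
                case $kv in
                    arch=*)      arch=$(printf '%s' "${kv#arch=}" | tr ',' ' ') ;;
                    signed-by=*) signedby=${kv#signed-by=} ;;
                esac
            done
            ;;
    esac
    uri=$1; shift
    suite=$1; shift
    components=$*
    printf 'Enabled: yes\nTypes: %s\nURIs: %s\nSuites: %s\nComponents: %s\n' \
        "$type" "$uri" "$suite" "$components"
    [ -n "$arch" ] && printf 'Architectures: %s\n' "$arch"
    if [ -n "$keyfile" ]; then
        embed_key "$keyfile"
    elif [ -n "$signedby" ]; then
        printf 'Signed-By: %s\n' "$signedby"
    fi
}

# Stand-alone demo with a constructed, truncated key body (not a real key).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
        'mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth' \
        '=0YYh' '-----END PGP PUBLIC KEY BLOCK-----' > "$tmp"
    deb822_stanza 'deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable' "$tmp"
    rm -f "$tmp"
}
demo
```

On a real system the call would be along the lines of `deb822_stanza "$(cat /etc/apt/sources.list.d/docker.list)" /etc/apt/keyrings/docker.asc > /etc/apt/sources.list.d/docker.sources`, followed by removing or renaming the old .list file so apt does not read the entry twice.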