Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
VirtualBox key is store in deprecated legacy keyring
546 views
Skip to first unread message
Rick Thomas
Jun 19, 2023, 11:20:04 PM6/19/23
to
I recently upgraded one of my Debian Bullseye machines to Bookworm. The machine's main purpose is to run Virtualbox to allow me to experiment on disposable VMs rather than real hardware.
Now when I do "apt update" I get this message:
.W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
I've thoroughly RTFM in search of a clue as to how to fix this, but I can't figure out what I'm supposed to do.
Has anybody else seen this? If so, what did you do? And did it help?
Thanks in advance!
Rick
PS: As an aside, it appears that the VirtualBox developers at Oracle waited until Bookworm was officially released before they started working on getting a bookworm version of their software, so I'm still using the Bullseye version -- which seems to work fine. Presumably, fixing this problem would be one of the things they might want to do before releasing a new version... (One can hope, anyway...) Would it be worth filing a bug-report to Oracle? If so, does anyone know how to do that?
Now when I do "apt update" I get this message:
.W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
I've thoroughly RTFM in search of a clue as to how to fix this, but I can't figure out what I'm supposed to do.
Has anybody else seen this? If so, what did you do? And did it help?
Thanks in advance!
Rick
PS: As an aside, it appears that the VirtualBox developers at Oracle waited until Bookworm was officially released before they started working on getting a bookworm version of their software, so I'm still using the Bullseye version -- which seems to work fine. Presumably, fixing this problem would be one of the things they might want to do before releasing a new version... (One can hope, anyway...) Would it be worth filing a bug-report to Oracle? If so, does anyone know how to do that?
Jeffrey Walton
Jun 19, 2023, 11:30:04 PM6/19/23
to
On Mon, Jun 19, 2023 at 11:15 PM Rick Thomas <rick....@pobox.com> wrote:
>
> I recently upgraded one of my Debian Bullseye machines to Bookworm. The machine's main purpose is to run Virtualbox to allow me to experiment on disposable VMs rather than real hardware.
>
> Now when I do "apt update" I get this message:
> .W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
> keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
>
> I've thoroughly RTFM in search of a clue as to how to fix this, but I can't figure out what I'm supposed to do.
>
> Has anybody else seen this? If so, what did you do? And did it help?
I _think_ the key should be stored in its own file under
>
> I recently upgraded one of my Debian Bullseye machines to Bookworm. The machine's main purpose is to run Virtualbox to allow me to experiment on disposable VMs rather than real hardware.
>
> Now when I do "apt update" I get this message:
> .W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
> keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
>
> I've thoroughly RTFM in search of a clue as to how to fix this, but I can't figure out what I'm supposed to do.
>
> Has anybody else seen this? If so, what did you do? And did it help?
/etc/apt/trusted.gpg.d. Maybe something like
/etc/apt/trusted.gpg.d/virtual-box.gpg.
Also see https://wiki.debian.org/SecureApt and the part:
apt-key is a program that is used to manage a keyring of OpenPGP keys
for secure apt. The keyring is kept in the file /etc/apt/trusted.gpg
(not to be confused with the related but not very interesting
/etc/apt/trustdb.gpg). apt-key can be used to show the keys in the
keyring, and to add or remove a key. In more recent Debian GNU/Linux
versions (Wheezy, for example), the keyrings are stored in specific
files all located in the /etc/apt/trusted.gpg.d directory. For example,
that directory could contain the following files:
debian-archive-squeeze-automatic.gpg or
debian-archive-wheezy-automatic.gpg. Incidentally, both files are
provided by the debian-archive-keyring package.
Jeff
Rick Thomas
Jun 20, 2023, 3:20:06 AM6/20/23
to
On Mon, Jun 19, 2023, at 8:27 PM, Jeffrey Walton wrote:
> On Mon, Jun 19, 2023 at 11:15 PM Rick Thomas <rick....@pobox.com> wrote:
>>
>> Now when I do "apt update" I get this message:
>> .W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
>> keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
>> Has anybody else seen this? If so, what did you do? And did it help?
> I _think_ the key should be stored in its own file under
> /etc/apt/trusted.gpg.d. Maybe something like
> /etc/apt/trusted.gpg.d/virtual-box.gpg.
This squares with what I get from RTFM, and I'm glad to hear the confirmation, but...
> I _think_ the key should be stored in its own file under
> /etc/apt/trusted.gpg.d. Maybe something like
> /etc/apt/trusted.gpg.d/virtual-box.gpg.
Where can I get the text to put into /etc/apt/trusted.gpg.d/virtual-box.gpg ? Currently the key seems to be part of /etc/apt/trusted.gpg. Is there some way to use apt-key to extract that part of it? If not, I forget where I got the original from (somewhere on the Oracle website, I guess?) Can someone point me in the right direction?
> Also see https://wiki.debian.org/SecureApt:
Thanks!
Rick
Frank
Jun 20, 2023, 7:30:06 AM6/20/23
to
Op 20-06-2023 om 08:53 schreef Rick Thomas:
deprecated. These days, another method is preferred: adding
[signed-by=<path>] to the sources.list line and putting the key in
/usr/share/keyrings or /etc/apt/keyrings.
> This squares with what I get from RTFM, and I'm glad to hear the confirmation, but...
> Where can I get the text to put into /etc/apt/trusted.gpg.d/virtual-box.gpg
Here: https://www.virtualbox.org/download/oracle_vbox_2016.asc
Got that from https://www.virtualbox.org/wiki/Linux_Downloads
They suggest adding the source line to /etc/apt/sources.list, which is
not what I would do. You should really put in a separate file in
/etc/apt/sources.list.d/. This is what I would do:
sudo tee /etc/apt/sources.list.d/virtualbox.list <<-EOT
deb [arch=amd64 signed-by=/usr/share/keyrings/virtualbox.asc]
https://download.virtualbox.org/virtualbox/debian bullseye contrib
EOT
Followed by:
sudo wget -O /usr/share/keyrings/virtualbox.asc
https://www.virtualbox.org/download/oracle_vbox_2016.asc
No need to dearmor.
Regards,
Frank
>
>
> On Mon, Jun 19, 2023, at 8:27 PM, Jeffrey Walton wrote:
>> On Mon, Jun 19, 2023 at 11:15 PM Rick Thomas <rick....@pobox.com> wrote:
>>>
>>> Now when I do "apt update" I get this message:
>>> .W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
>>> keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
>>> Has anybody else seen this? If so, what did you do? And did it help?
>
>> I _think_ the key should be stored in its own file under
>> /etc/apt/trusted.gpg.d. Maybe something like
>> /etc/apt/trusted.gpg.d/virtual-box.gpg.
That was the method suggested after using /etc/apt/trusted.gpg became
>
> On Mon, Jun 19, 2023, at 8:27 PM, Jeffrey Walton wrote:
>> On Mon, Jun 19, 2023 at 11:15 PM Rick Thomas <rick....@pobox.com> wrote:
>>>
>>> Now when I do "apt update" I get this message:
>>> .W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
>>> keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
>>> Has anybody else seen this? If so, what did you do? And did it help?
>
>> I _think_ the key should be stored in its own file under
>> /etc/apt/trusted.gpg.d. Maybe something like
>> /etc/apt/trusted.gpg.d/virtual-box.gpg.
deprecated. These days, another method is preferred: adding
[signed-by=<path>] to the sources.list line and putting the key in
/usr/share/keyrings or /etc/apt/keyrings.
> This squares with what I get from RTFM, and I'm glad to hear the confirmation, but...
> Where can I get the text to put into /etc/apt/trusted.gpg.d/virtual-box.gpg
Got that from https://www.virtualbox.org/wiki/Linux_Downloads
They suggest adding the source line to /etc/apt/sources.list, which is
not what I would do. You should really put in a separate file in
/etc/apt/sources.list.d/. This is what I would do:
sudo tee /etc/apt/sources.list.d/virtualbox.list <<-EOT
deb [arch=amd64 signed-by=/usr/share/keyrings/virtualbox.asc]
https://download.virtualbox.org/virtualbox/debian bullseye contrib
EOT
Followed by:
sudo wget -O /usr/share/keyrings/virtualbox.asc
https://www.virtualbox.org/download/oracle_vbox_2016.asc
No need to dearmor.
Regards,
Frank
0 new messages