In the past, if you wanted to install software from an Ubuntu PPA in Debian, the approach was to

  1. import/trust the developer's GPG key from keyserver.ubuntu.com,

    $ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com E58A9D36647CAE7F
  2. then add the repository to /etc/apt/sources.list.d/...

    # /etc/apt/sources.list.d/papirus-ppa.list
    deb http://ppa.launchpad.net/papirus/papirus/ubuntu focal main

(Off the top of my head, examples can be found in this Ubuntu docs wiki for mkusb or the Papirus icon theme readme.)


The problem is that this approach now produces deprecation warnings (apt-key was deprecated over a year ago):

$ apt-key adv ...
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))

Ninja edit

See this answer below for yet another, separate deprecation in this apt-key command!


The new approach (as exemplified by, say, Docker) is twofold:

  1. Save the developer's GPG key to disk,

    $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
  2. then specify the path to that GPG key when defining a new APT source:

    # /etc/apt/sources.list.d/docker.list
    deb [... signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
             ⬑------------------ this part is new -----------------⬏

Step 1 is the part that replaces apt-key, but it doesn't seem possible to fetch individual GPG keys off of keyserver.ubuntu.com. Is it possible to adapt this approach for Ubuntu PPAs? If not, how can Ubuntu PPAs be added as software sources in Debian without the use of apt-key?


apt-key adv basically passes CLI arguments/options directly to gpg, but only after setting up a temporary keyring. You can do the same manually with:

$ export GNUPGHOME="$(mktemp -d)"  # optional (skipping this means keys will be imported to your GPG keyring)
$ gpg --recv-keys --keyserver keyserver.ubuntu.com 54B8C8AC
$ gpg --export 54B8C8AC | sudo tee /usr/share/keyrings/mkusb-archive-keyring.gpg
$ cat <<-SOURCE | sudo tee /etc/apt/sources.list.d/mkusb.list
    deb [signed-by=/usr/share/keyrings/mkusb-archive-keyring.gpg] http://ppa.launchpad.net/mkusb/ppa/ubuntu focal main

(apt-key is just a shell script, so you can examine the code yourself in your favorite editor; e.g., vim $(which apt-key).)

If it's not working...

At first, I was receiving this error:

$ sudo apt update
Get:12 http://ppa.launchpad.net/papirus/papirus/ubuntu focal InRelease [18.0 kB]
Err:12 http://ppa.launchpad.net/papirus/papirus/ubuntu focal InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E58A9D36647CAE7F

which turned out to be a file permissions issue:

$ ls -l /usr/share/keyrings/*
-rw-r--r-- 1 root root     3375 Nov 22 21:38 /usr/share/keyrings/filebot-archive-keyring.gpg
-rw-r--r-- 1 root root     1124 Nov 22 21:38 /usr/share/keyrings/mkusb-archive-keyring.gpg
-rw------- 1 root root     1126 Nov 29 08:15 /usr/share/keyrings/papirus-archive-keyring.gpg

Be sure you are saving developer GPG keys with 644 permissions.

Another problem

From the gpg(1) manpage:

       --keyserver name
          This option is deprecated - please use the --keyserver in ‘dirmngr.conf’ instead.

Apparently the original approach has been doubly deprecated! AFAIK gpg does not issue warnings about the use of this CLI option (yet) but a proper solution to this problem would seem to look something like this?

$ echo "keyserver hkp://keyserver.ubuntu.com" >> "${GNUPGHOME}/dirmngr.conf"
$ gpgconf --kill dirmngr
$ gpg --recv-keys 54B8C8AC

except I tried this and got

gpg: keyserver receive failed: Connection timed out

So if anyone has any ideas, I'm all ears.


You have at least three options:


The Debian package software-properties-common contains apt-add-repository. Simply run sudo apt-add-repository ppa:<user>/<ppa-name> and it will add the repository to your APT sources and import the key.

Get key from keyserver

Import the key into a separate keyring that you then move to the place where APT expects it:

$ echo "keyserver hkps://keyserver.ubuntu.com" >> "${GNUPGHOME}/dirmngr.conf"
$ gpgconf --kill dirmngr
# I don't quite understand why this failed for you. Maybe a temporary network fluke or a firewall issue?
$ gpg --no-default-keyring --keyring=./papirus.gpg --recv-keys 54B8C8AC
$ sudo mv papirus.gpg /etc/apt/trusted.gpg.d/
$ sudo chown root:root /etc/apt/trusted.gpg.d/papirus.gpg
$ sudo chmod 644 /etc/apt/trusted.gpg.d/papirus.gpg

Manually download key

If you cannot get the public key from a keyserver for whatever reason but you can download it manually, then import the downloaded file papirus.pub like this:

$ echo "keyserver hkps://keyserver.ubuntu.com" >> "${GNUPGHOME}/dirmngr.conf"
$ gpgconf --kill dirmngr
$ gpg --no-default-keyring --keyring=./papirus.gpg --import ./papirus.pub
$ sudo mv papirus.gpg /etc/apt/trusted.gpg.d/
$ sudo chown root:root /etc/apt/trusted.gpg.d/papirus.gpg
$ sudo chmod 644 /etc/apt/trusted.gpg.d/papirus.gpg

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Not the answer you're looking for? Browse other questions tagged or ask your own question.