• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Plesk Repository GPG Key Problems: apt-key depreciated

petersperplesked

New Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.44
Plesk Repository GPG Key Problems: apt-key depreciated

We run an Ubuntu 22.04 web server with PSA 18.0.44.

We noted the following error messages relating to the depreciation of apt-key when running routine package udate commands.

# apt-get update
.....
Reading package lists... Done
W: http://autoinstall.plesk.com/PMM_0.1.11/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/pool/PSA_18.0.44_9009/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP74_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packages.wazuh.com/4.x/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP80_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.


and

# plesk installer --select-release-latest --upgrade-installed-components
.....
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
.....
Reading package lists...
W: http://autoinstall.plesk.com/pool/PSA_18.0.44_9009/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/SITEBUILDER_18.0.29/dists/all/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PMM_0.1.11/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packages.wazuh.com/4.x/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP74_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP80_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP81_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Detecting installed product components.
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
Synchronizing the Debian APT package index files...

.....
Reading package lists...
W: http://autoinstall.plesk.com/pool/PSA_18.0.44_9009/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PMM_0.1.11/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP74_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://autoinstall.plesk.com/PHP80_17/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://packages.wazuh.com/4.x/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Retrieving information about the installed license key...
You already have the latest version of product(s) and all the selected components installed. Installation will not continue.


We found a possible work around, yet it requires a link for downloading the GPG Key of the Plesk Repository.

Generically:

# wget https://the-package-repository-public-key.link/the-package-repository-public-key-file.gpg.key
# gpg --no-default-keyring --keyring ./the-package-repository-public-keyring.gpg --import the-package-repository-public-key-file.gpg.key
# gpg --no-default-keyring --keyring ./the-package-repository-public-keyring.gpg --export > ./the-package-repository.gpg
# mv ./the-package-repository.gpg /etc/apt/trusted.gpg.d/
# rm -rf the-package-repository-public-key-file.gpg.key
# rm -rf the-package-repository-public-keyring.gpg
# apt clean && apt-get clean && apt update && apt-get update


However, we are unable to find any LINK for the GPG Key of the Plesk Repository.

Please tell us what the link to the GPG Key of the Plesk Repository is if it exists and if Plesk Tech agree that technqiue is most appropriate and effective.

Elsewise, please provide the required command line instructions of how we ought to fix the problem most appropriately and effectively.


Despite the error messages, both the apt-get and plesk "update" commands work to properly update associated packages; for the time being.

Yet it is unknown how long Debian/Ubuntu will tolerate the depreciated "apt-key" methodology.

In our opinion, Plesk ought to include in the next update to PSA a routine that automatically properly and permanently fixes the apt-key depreciation problem where appropriate (e.g. updated Debian/Ubuntu servers) with optimal migration to the new Trusted GPG Keyrings method employed by Debian/Ubuntu after the depreciation of apt-key.

A response from Plesk Staff would be appreciated.
 
When queried for a CLI fix to the same "apt-key" v "gpg" package repository public key warning message upon "apt-get update", Wazuh responded with the following recommended CLI solution:

> curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg --import && chown _apt /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg

This works perfectly for updating the Wazuh Package Repository as a "gpg" public key "patch" to an existing "apt-key" public key.

That is to say, it seems to work as long as:

a) the "apt-key" public key is already added to the apt-key list
b) the "apt-key" public key is not deleted from the apt-key list


I am hoping Wazuh will also include within it's next package update an automated process of implementing an "gpg" public key only (without maintaining a concurrent active, albeit depreciated, "apt-key" public key) on appropriate servers (eg: Debian 11+/Ubuntu 22+).

Generically, as a "gpg" public key "patch" to an existing "apt-key" public key for any package repository, the following ought to work:

> curl -s https://packagerepo.url/packagerepopublickey.gpg | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/packagerepopublickey.gpg --import && chown _apt /etc/apt/trusted.gpg.d/packagerepopublickey.gpg

Thus, for Plesk, the following ought to work:

> curl -s https://autoinstall.plesk.com/plesk.gpg | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/plesk.gpg --import && chown _apt /etc/apt/trusted.gpg.d/plesk.gpg

It would be good if Plesk technicians respond to verify whether they think the above method is an appropriate method or elsewise respond to advise what they consider the most appropriate method.

Again, I am hoping Plesk will also include within it's next package update an automated process of implementing an "gpg" public key only (without maintaining a concurrent active, albeit depreciated, "apt-key" public key) on appropriate servers (eg: Debian 11+/Ubuntu 22+).
 
*reposted to maintain CLI formatting*

When queried for a CLI fix to the same "apt-key" v "gpg" package repository public key warning message upon "apt-get update", Wazuh responded with the following recommended CLI solution:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg --import && chown _apt /etc/apt/trusted.gpg.d/GPG-KEY-WAZUH.gpg

This works perfectly for updating the Wazuh Package Repository as a "gpg" public key "patch" to an existing "apt-key" public key.

That is to say, it seems to work as long as:

a) the "apt-key" public key is already added to the apt-key list
b) the "apt-key" public key is not deleted from the apt-key list


I am hoping Wazuh will also include within it's next package update an automated process of implementing an "gpg" public key only (without maintaining a concurrent active, albeit depreciated, "apt-key" public key) on appropriate servers (eg: Debian 11+/Ubuntu 22+).

Generically, as a "gpg" public key "patch" to an existing "apt-key" public key for any package repository, the following ought to work:

# curl -s https://packagerepo.url/packagerepopublickey.gpg | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/packagerepopublickey.gpg --import && chown _apt /etc/apt/trusted.gpg.d/packagerepopublickey.gpg


Thus, for Plesk, the following ought to work:

# curl -s https://autoinstall.plesk.com/plesk.gpg | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/plesk.gpg --import && chown _apt /etc/apt/trusted.gpg.d/plesk.gpg

It would be good if Plesk technicians respond to verify whether they think the above method is an appropriate method or elsewise respond to advise what they consider the most appropriate method.

Again, I am hoping Plesk will also include within it's next package update an automated process of implementing an "gpg" public key only (without maintaining a concurrent active, albeit depreciated, "apt-key" public key) on appropriate servers (eg: Debian 11+/Ubuntu 22+).
 
It would be good if Plesk technicians respond to verify whether they think the above method is an appropriate method or elsewise respond to advise what they consider the most appropriate method.

Again, I am hoping Plesk will also include within it's next package update an automated process of implementing an "gpg" public key only (without maintaining a concurrent active, albeit depreciated, "apt-key" public key) on appropriate servers (eg: Debian 11+/Ubuntu 22+).
 
Back
Top