Adding Extra apt-get Lists

With Ubuntu, there are many different ways to add additional apt-get lists, either directly by sudo nano ..., sudo add-apt-repository ppa:nginx/main, etc.

The apt-key deprecated fiasco



curl -sS <url to the key to download> | gpg --dearmor | sudo tee /usr/share/keyrings/<program/repo name>.gpg

As of, I believe, the start of 2022 or 2023, everyone started getting a wonderful Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). message when updating their systems. The manual didn’t provide a simple solution, for sure, and there were little to no how-to’s online on what to do to mitigate this issue.

Currently, there are a ton of “how-to’s” that may or may not be accurate in handling this, as well, as there are a few different ways to “properly” handle the signing keys that are required with installing through apt and its variants.

I have modified the rest of this document, and included explicit directions on how to download and properly list the apt repositories in your lists.

The ways

First, there’s the proper way to add the key to your Ubuntu/Debian system. We’ll use Brave’s install directions as an example.

# First, you make sure you have curl installed
sudo apt install curl

# Then, using curl, you pipe the URL at the end to the file location under ``/usr/share/keyrings/``
# This is only one way of downloading the key.
sudo curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg

# Next, with this format, you have to include the "[signed-by=...]" bit, and it has to point to the downloaded file from above
echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] stable main" | sudo tee /etc/apt/sources.list.d/brave-browser-release.list

sudo apt update && sudo apt install brave-browser

Next, there’s having to dearmor the apt-key, if its in the incorrect format. Using the example from itsfoss’s site:

curl -sS | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/spotify.gpg

itsfoss’s site has a nifty, and detailed way of taking keys that you add via apt-key, and then export it to a file location. That was the process I used earlier for an older repo that I was trying to install from, that neither of the above methods worked for.

# First, I went ahead and used the apt-key add command:
curl -sS | sudo apt-key add -

# Then, I exported the key to its own file. first by finding the keyid:
sudo apt-key list

# Which gave this output:
pub   rsa2048 2020-07-02 [SC] [expires: 2025-01-26]
    9D8C 3420 2C34 5C69 8A70  BF52 C609 6B07 DE3A E8C0
uid           [ unknown] home:Hezekiah OBS Project <home:[email protected]>

# The info we need is the last eight characters from the second line above: DE3A E8C0
# Copy and paste that into the following command:
sudo apt-key export DE3AE8C0 | sudo gpg --dearmour -o /usr/share/keyrings/Cockpit-Samba-AD-DC.gpg

# Then, if you havent yet created the .list file, enter:
echo "deb [signed-by=/usr/share/keyrings/Cockpit-Samba-AD-DC.gpg] ./" | sudo tee /etc/apt/list.d/Cockpit-Samba-AD-DC.list

And then update and install the software you want to use.

Release-Specific Lists

When adding an apt-get list to your system, one nice way to save your code in your notes or to automate through scripting is not by specific system names, like Ubuntu’s Xenial, and Debian’s Jessie release names; but rather to insert code into your echo so that it works for you!

Using NGINX’s directions for adding their repo to your linux server (I wont include all of the directions, as you can visit the link to see the full details):

curl | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

You’ll notice the use of $(lsb_release -cs) in this example, which utilizes the program lsb_release in Ubuntu in order to get the desired verbiage for your particular OS.

There are a few other means of getting the desired info, all depending on that repo’s specific requirements and layout that they have chosen.

  1. Most all apt-get .list lines begin with deb or deb-src

  2. Then, you need to include the key’s file location: [signed-by=/usr/share/keyrings/<filename>.gpg] or [signed-by=/etc/apt/keyring.d/<filename>.gpg]

  3. Then, the html address of the library

  4. Next, usually the name of the release you are using, such as xenial for 16.04 Ubuntu or jessie for Debian 8, which in Debian/Ubuntu world is usually accessible via lsb_release -cs

  5. And last, there are names for the various extra sections you can discern between - main, extras or whatever else the library maintainer uses.


The key text is $(lsb_release -sc). When you input $( ) it tells bash to execute the command inside the parenthesis, and use the output inside the echo text.


Ubuntu seems to have a small habit of taking industry- and community-standardized processes and libraries and applications and putting - or sometimes shoving - their own special twist on things.

Take Ubuntu’s PPA system. As a developer on Ubuntu’s Launchpad website, you get your own PPA address, apt repository, and a central means of distributing your code to Ubuntu Users.

Its super simple to add these repo’s to Ubuntu:

sudo add-apt-repository ppa:nginx/main
sudo apt-get update && sudo apt-get install $application

You’ll want to always run apt-get update to pull the lists of available programs to install, and then install the additional program or to upgrade existing programs already installed.

Personal Standards

When I add apt-get lists that are seperate from the standard or even non-standard Ubuntu Lists and Libraries, such as NGINX’s lists, nodesource lists for Node and NPM, etc., I have them in seperate, short lists.

The directory tree breakdown is as follows:

├── mono-xamarin.list
├── nginx-amplify.list
├── nginx-ubuntu-development-xenial.list
├── nodesource.list
└── ondrej-ubuntu-php-xenial.list

This way, removing specific repo items is MUCH easier.