Questa è la procedura standard e riutilizzabile per qualsiasi repository APT moderno quando scade (o ruota) una chiave.
Quando vedi errori tipo:
- EXPKEYSIG
- NO_PUBKEY
- warning su apt-key deprecato
NON si usa più apt-key
SI usa sempre:
- keyring dedicato
- repo con signed-by=
- chiavi globali solo se legacy inevitabile
----
Prerequisiti (una tantum)
apt-get update
apt-get install -y ca-certificates curl gnupg1) Scarica la chiave e crea un keyring dedicato
curl -fsSL <URL_CHIAVE> | gpg --dearmor \
> /usr/share/keyrings/<repo>-archive.gpg
chmod 644 /usr/share/keyrings/<repo>-archive.gpg2) Collega il repository alla chiave con signed-by
deb [signed-by=/usr/share/keyrings/<repo>-archive.gpg] <REPO_URL> <dist> <component>3) Test
apt-get update
SURY (PHP) – Fix EXPKEYSIG su Debian 11 (Bullseye)
Prerequisiti
apt-get update
apt-get install -y ca-certificates curl gnupg1) Keyring dedicato
curl -fsSL https://packages.sury.org/php/apt.gpg | gpg --dearmor \
> /usr/share/keyrings/deb.sury.org-php.gpg
chmod 644 /usr/share/keyrings/deb.sury.org-php.gpg2) Repo con signed-by
echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bullseye main" \
> /etc/apt/sources.list.d/php.list3) Update
apt-get update(Opzionale) Disattiva la chiave legacy scaduta in trusted.gpg.d
mv /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg.bak
apt-get update
RSPAMD – Keyring dedicato + signed-by
Prerequisiti
apt-get update
apt-get install -y ca-certificates curl gnupg1) Keyring dedicato
curl -fsSL https://rspamd.com/apt-stable/gpg.key | gpg --dearmor \
> /usr/share/keyrings/rspamd.gpg
chmod 644 /usr/share/keyrings/rspamd.gpg2) Repo con signed-by
echo "deb [signed-by=/usr/share/keyrings/rspamd.gpg] https://rspamd.com/apt-stable/ bullseye main" \
> /etc/apt/sources.list.d/rspamd.list3) Update
apt-get update