Debian is changing how it stores GPG keys for repositories. Keeping them all in /etc/apt/trusted.gpg is now deprecated. You will get a warning for every repo key you added with the apt-key add command.
W: http://apt.syncthing.net/dists/syncthing/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
How to fix:
- List the keys on your system
root@linux # apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa2048 2014-12-29 [SC]
37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E
uid [ unknown] Syncthing Release Management <[email protected]>
sub rsa2048 2014-12-29 [E]
sub rsa4096 2015-05-11 [S] [expires: 2025-05-08]
--- next key --
- Find the key apt is complaining about. In this example it is the Syncthing repo key. Note the key ID; for Syncthing it is
37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E
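- Export the GPG key to a file in the /usr/share/keyrings/ directory. You can also add it to /etc/apt/trusted.gpg.d/, but that makes it trusted for all repositories. IMHO that is not optimal. Important: the .asc extension on the filename matters, because apt-key export writes an ASCII-armored key and apt uses the extension to tell an armored keyring (.asc) from a binary one (.gpg).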
root@linux # apt-key export "37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E" > /usr/share/keyrings/syncthing-archive-keyring.asc
- Remove the key from trusted.gpg keyring
root@linux # apt-key del "37C8 4554 E7E0 A261 E4F7 6E1E D26E 6ED0 0065 4A3E"
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
- Edit the apt sources entry for that particular repo so it uses the key we just exported. The Syncthing repo is configured in /etc/apt/sources.list.d/syncthing.list in my case. Just add [signed-by=] to the deb line.
root@linux # cat /etc/apt/sources.list.d/syncthing.list
deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.asc] http://apt.syncthing.net/ syncthing release
- Repeat for all remaining keys.
- Run apt update. There should be no more warnings.
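To see which repositories still need the steps above, here is a small audit script. It is an added example, not part of the original post: it reads one-line deb entries (the .list format used on this page) and flags those with no signed-by, those pointing at a globally trusted keyring, and those whose key file does not end in .asc or .gpg. The function names, status labels and sample entries are made up for this example, and signed-by is assumed to hold a file path.

```shell
#!/bin/sh
# audit_sources [FILE...]: print "STATUS<TAB>file:line<TAB>keyring" for each
# deb/deb-src line. Reads stdin when no file is given.
audit_sources() {
    awk '
    /^[ \t]*deb(-src)?[ \t]/ {
        key = ""
        # Options are the [...] group that directly follows deb/deb-src.
        if (substr($2, 1, 1) == "[") {
            a = index($0, "["); b = index($0, "]")
            n = split(substr($0, a + 1, b - a - 1), o, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^signed-by=/) key = substr(o[i], 11)
        }
        if (key == "")
            status = "NO_SIGNED_BY"        # falls back to the global keyrings
        else if (key == "/etc/apt/trusted.gpg" || index(key, "/etc/apt/trusted.gpg.d/") == 1)
            status = "GLOBAL_KEYRING"      # key is trusted for every repository
        else if (key !~ /\.(asc|gpg)$/)
            status = "CHECK_EXTENSION"     # .asc = armored, .gpg = binary
        else
            status = "OK"
        src = (FILENAME == "" ? "stdin" : FILENAME)
        printf "%s\t%s:%d\t%s\n", status, src, FNR, (key == "" ? "-" : key)
    }' "$@"
}

# Constructed sample entries (not taken from a real system) for an offline run.
sample_sources() {
    cat <<'EOF'
deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.asc] http://apt.syncthing.net/ syncthing release
deb http://repo.example.invalid/debian stable main
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/example.gpg] http://repo.example.invalid/other stable main
# deb http://commented.example.invalid/ stable main
EOF
}

sample_sources | audit_sources
```

On a real system, pass the files to check, for example audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list.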
P.S. It may be a good time to remove, or better convert, all unused GPG keys from /etc/apt/trusted.gpg