Distro-Specific ubuntu Updated Jun 27, 2026

Fixing EXPKEYSIG on Ubuntu and Debian: The Modern Way

Why apt-key is deprecated and how to use the signed-by keyring method instead, with full working examples.

apt-key is deprecated

Since Debian 11 and Ubuntu 22.04, apt-key is deprecated in favor of storing keys as individual files in /usr/share/keyrings/ and referencing them explicitly in your sources.list entries with [signed-by=...].

The recommended pattern

curl -fsSL https://example.com/key.asc | gpg --dearmor | sudo tee /usr/share/keyrings/example.gpg
echo "deb [signed-by=/usr/share/keyrings/example.gpg] https://example.com/repo stable main" | sudo tee /etc/apt/sources.list.d/example.list
sudo apt-get update

Why this is better

Each repository's trust is scoped to its own key file rather than a single shared keyring trusted by every repo on the system. A compromised key only affects the repo it's tied to.

Tags: ubuntu debian apt

Try the Command Builder All Guides