What the Legacy Keyring Warning Actually Means
If Update Manager on Linux Mint is throwing a warning like "Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details", don't panic — your system isn't broken, and your updates aren't being blocked by malware or a security breach. This is APT (Advanced Package Tool) telling you that one or more of your repository signing keys still live in the old, monolithic /etc/apt/trusted.gpg file instead of the newer per-file keyring format under /etc/apt/trusted.gpg.d/.
Historically, every PPA (Personal Package Archive) or third-party repository you added would dump its GPG public key into a single shared file: trusted.gpg. That approach was easy to break — if one key file was corrupted or a package removed keys incorrectly, it could affect every other repository's trust chain at once. Modern APT (and the underlying apt-key command it used to rely on) has deprecated this global keyring in favor of individual .gpg files, each scoped to a single repository, stored in /etc/apt/trusted.gpg.d/.
The warning shows up because apt-key itself is deprecated in current Debian/Ubuntu-based releases, and Linux Mint (built on Ubuntu's package base) inherited this same warning behavior. It typically appears when you:
- Run sudo apt update or sudo apt upgrade from a terminal
- Open the graphical Update Manager and it fails a repository refresh
- Have added PPAs manually with apt-key add in the past (common on Mint 19.x/20.x systems upgraded to 21.x+)
The good news: in almost every case, your updates still work — this is a deprecation warning, not a hard failure. But leaving it unresolved means a future Ubuntu/Debian base update could eventually stop honoring trusted.gpg altogether, silently breaking updates for the affected PPA. It's worth fixing now while you have full control over which key goes where.
Quick Fix: Migrate Keys via Software Sources > PPAs
The safest and easiest fix on Linux Mint 21.1 and newer doesn't touch the terminal at all. Mint's Software Sources tool can re-import a PPA's key into the correct modern format automatically when you remove and re-add the repository. This works because when a PPA is added through the GUI, Mint's backend fetches a fresh key and stores it directly in /etc/apt/trusted.gpg.d/ rather than the legacy file.
- Open the Menu and search for "Software Sources" (or run sudo software-properties-gtk from a terminal).
- Enter your password when prompted — this tool needs root access to edit repository files.
- Click the PPAs tab. You'll see a list of every third-party PPA currently registered on your system.
- Note down (screenshot or write down) the exact PPA addresses shown, e.g. ppa:something/something.
- Select each PPA one at a time and click Remove. Repeat until the list is empty (or until only the ones tied to the warning remain — see Method 3 below for identifying exactly which PPA is at fault).
- Click Add and re-enter each PPA address exactly as it was before. Mint will re-fetch the key using the modern method and store it correctly.
- Close Software Sources, then run:
sudo apt update
If the warning is gone, you're done. This method is safe because it doesn't delete any packages — only the repository index and key are touched, not the software you've already installed from that PPA.
Method 2: Manually Move Keys to trusted.gpg.d
If you'd rather not remove and re-add PPAs (for example, if you're not sure which PPA a key belongs to, or the GUI method didn't clear the warning), you can migrate keys manually from the terminal. This is more precise but requires a bit more care.
First, list the keys currently sitting in the legacy keyring:
sudo apt-key list
This prints every key with its fingerprint and the associated repository/uid comment (e.g. "Launchpad PPA for ..."). Note the key ID (the last 8-16 characters of the fingerprint) for the key causing the warning.
Next, export that specific key into its own file inside the modern directory:
sudo apt-key export KEYID | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/KEYNAME.gpg > /dev/null
Replace KEYID with the key ID from the previous step, and KEYNAME with something descriptive (e.g. myppa-repo). Verify the new file was created and is readable:
gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/KEYNAME.gpg --list-keys
Once you confirm the key appears correctly in its own file, remove it from the legacy keyring so APT stops flagging it:
sudo apt-key del KEYID
Repeat this export-then-delete process for every key listed in apt-key list that's tied to a PPA you still use. Once trusted.gpg is empty (or only contains Mint/Ubuntu's own default keys, which are already handled separately), run:
sudo apt update
and confirm the warning no longer appears. If you're not fully confident identifying which key belongs to which PPA, the GUI method in the previous section is safer and less error-prone.
Method 3: Remove and Re-add Problem PPAs
Sometimes the warning message itself doesn't tell you which PPA is responsible — it just references the legacy keyring file in general. To pinpoint the exact offending source, run:
sudo apt update 2>&1 | grep -B2 "legacy trusted.gpg"
This shows the repository line immediately above each warning, which usually includes the PPA's URL (something like http://ppa.launchpad.net/username/ppa-name/ubuntu). Once you've identified the exact PPA:
- Remove it via terminal:
sudo add-apt-repository --remove ppa:username/ppa-name
- Re-add it fresh:
sudo add-apt-repository ppa:username/ppa-name
This forces APT to re-fetch and re-store the signing key using the modern per-repo keyring format automatically. If the PPA no longer exists or the maintainer has abandoned it (common with older Mint 19/20 PPAs that were never updated for newer Ubuntu bases), consider leaving it removed entirely rather than re-adding it — an unmaintained PPA is itself a security and update-breakage risk, separate from the keyring warning.
After re-adding, always run sudo apt update to confirm both that the warning is gone and that the repository still resolves packages correctly for your Mint version's Ubuntu base.
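As an added example (not part of the original article), the shell functions below read apt update output, pick out the legacy-keyring warnings, and print the Method 3 remove and re-add commands for each affected PPA so they can be reviewed before running. The sample output and the function names legacy_key_sources and print_readd_commands are constructed for illustration; the parsing assumes each warning line carries the repository URL, as in the sample.

```sh
#!/bin/sh
# Added example, not from the article. The sample output below is constructed.
SAMPLE_APT_OUTPUT='Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://ppa.launchpad.net/exampleuser/example-ppa/ubuntu jammy InRelease
Hit:3 https://repo.example.com/apt stable InRelease
W: http://ppa.launchpad.net/exampleuser/example-ppa/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://repo.example.com/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.'

# Read apt update output on stdin and print, once each, every source whose key
# is still in the legacy keyring. Launchpad PPA URLs become ppa:owner/name (the
# form add-apt-repository takes); other repositories are printed as a base URL.
legacy_key_sources() {
    grep 'Key is stored in legacy trusted\.gpg keyring' |
    sed -E 's#^W: *##; s#(/dists/[^ ]*)?: Key is stored.*$##' |
    sed -E 's#^https?://ppa\.launchpad(content)?\.net/([^/]+)/([^/]+)/ubuntu$#ppa:\2/\3#' |
    sort -u
}

# Print (do not run) the remove and re-add commands for each PPA found.
# Non-PPA repositories are only flagged, since add-apt-repository ppa:... does
# not apply to them.
print_readd_commands() {
    legacy_key_sources | while IFS= read -r src; do
        case $src in
            ppa:*)
                printf 'sudo add-apt-repository --remove %s\n' "$src"
                printf 'sudo add-apt-repository %s\n' "$src"
                ;;
            *)
                printf '# not a Launchpad PPA, migrate its key manually: %s\n' "$src"
                ;;
        esac
    done
}

# Demo on the constructed sample. On a real system, pipe in the live output:
#   sudo apt update 2>&1 | print_readd_commands
printf '%s\n' "$SAMPLE_APT_OUTPUT" | print_readd_commands
```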
Method 4: Clean Up APT Cache and Refresh
Keyring warnings are sometimes accompanied by unrelated dependency or cache corruption issues, especially on systems that have been upgraded across multiple Mint releases (e.g. 19 → 20 → 21). Before you conclude the keyring migration didn't work, it's worth clearing out stale APT state:
sudo dpkg --configure -a
sudo apt-get install -f
sudo apt-get clean
sudo apt-get update
Here's what each command does:
- sudo dpkg --configure -a — finishes any package installations that were interrupted or left half-configured.
- sudo apt-get install -f — repairs broken package dependencies.
- sudo apt-get clean — clears the local package cache in /var/cache/apt/archives, forcing fresh downloads next time.
- sudo apt-get update — refreshes all repository indexes and re-checks all keys, including any you just migrated.
Run these in order after completing whichever keyring migration method you chose above. If the warning still appears after all four steps, double-check that you didn't miss a PPA — rerun sudo apt-key list (if still available on your system) or check /etc/apt/sources.list.d/ for leftover .list files referencing repositories you thought you'd removed.
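To check /etc/apt/sources.list.d/ for leftover or duplicate entries, the following added example (not from the original article) reports every active deb line that appears more than once, along with the files that contain it. The function names and the sample directory are constructed for illustration; only one-line "deb ..." style .list entries are parsed.

```sh
#!/bin/sh
# Added example, not from the article. Reports active APT source entries that
# appear more than once under a directory (default /etc/apt/sources.list.d).
duplicate_sources() {
    dir=${1:-/etc/apt/sources.list.d}
    set -- "$dir"/*.list
    [ -e "$1" ] || return 0                      # no .list files at all
    awk '
        /^[ \t]*deb(-src)?[ \t]/ {               # commented-out lines do not match
            i = 2
            if ($i ~ /^\[/) {                    # skip an optional [options] group
                while ($i !~ /\]$/ && i < NF) i++
                i++
            }
            uri = $i; sub(/\/+$/, "", uri)       # ignore trailing-slash differences
            key = $1 " " uri " " $(i + 1)        # entry type, URI, suite
            n = split(FILENAME, parts, "/")
            seen[key] = seen[key] " " parts[n]
            count[key]++
        }
        END { for (k in count) if (count[k] > 1) print k " ->" seen[k] }
    ' "$@" | sort
}

# Constructed sample directory (hypothetical repositories, not real ones).
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'deb http://ppa.launchpad.net/exampleuser/example-ppa/ubuntu jammy main' \
        > "$d/exampleuser-ppa.list"
    printf '%s\n' 'deb [arch=amd64] http://ppa.launchpad.net/exampleuser/example-ppa/ubuntu/ jammy main' \
        > "$d/leftover-copy.list"
    printf '%s\n' '# deb http://ppa.launchpad.net/exampleuser/example-ppa/ubuntu jammy main' \
        'deb https://repo.example.com/apt stable main' > "$d/other.list"
    printf '%s\n' "$d"
}

# Demo on the constructed sample; call duplicate_sources with no argument to
# scan the real /etc/apt/sources.list.d (read-only, no root needed).
sample=$(make_sample_dir)
duplicate_sources "$sample"
rm -rf "$sample"
```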
If you're managing keyring or repository issues across a fleet of Mint or Ubuntu desktops and don't want to chase this manually on every machine, CloudHouse Technologies' pay-per-ticket Linux support can handle the migration and cache cleanup remotely so your update pipeline stays reliable without recurring subscription costs.
Frequently Asked Questions
Is the "legacy trusted.gpg keyring" warning dangerous or a sign of a hacked system?
No. It's purely a deprecation notice from APT about where a repository's signing key is stored, not an indication of compromise. Your package signatures are still being verified correctly — the warning just flags that the storage format is outdated and should be migrated before future APT/Ubuntu base updates potentially stop supporting it.
Will removing a PPA and re-adding it delete software I've already installed?
No. Removing a PPA only removes its repository listing and signing key from APT's sources — it does not uninstall packages you've already installed from that PPA. Those packages remain on your system; you simply won't get further updates for them until you re-add the PPA.
What if apt-key is no longer available on my Linux Mint version?
Some newer Ubuntu base releases have started removing apt-key entirely. If sudo apt-key list returns "command not found," use the GUI Software Sources method (Method 1) instead, or manually inspect /etc/apt/trusted.gpg with gpg --list-packets /etc/apt/trusted.gpg to identify key details for manual export with plain gpg commands.
Can I just delete /etc/apt/trusted.gpg entirely to silence the warning?
Only after you've confirmed every key inside it has been migrated to /etc/apt/trusted.gpg.d/ or belongs to a repository you no longer use. Deleting it prematurely will cause APT to reject packages from any PPA whose key hasn't been migrated yet, resulting in "NO_PUBKEY" errors on your next update.
Why does this warning keep coming back after I fix it once?
This usually means a PPA is still configured to add its key to the legacy file, or the migration missed a key still present in trusted.gpg. Re-run sudo apt-key list to confirm the file is empty (or only contains Mint's own default distribution keys), and check /etc/apt/sources.list.d/ for duplicate or leftover repository entries pointing at the same PPA.
