
Re: VirtualBox key is stored in deprecated legacy keyring



On Mon, Jun 19, 2023 at 11:15 PM Rick Thomas <rick.thomas@pobox.com> wrote:
>
> I recently upgraded one of my Debian Bullseye machines to Bookworm.  The machine's main purpose is to run Virtualbox to allow me to experiment on disposable VMs rather than real hardware.
>
> Now when I do "apt update" I get this message:
>     .W: https://download.virtualbox.org/virtualbox/debian/dists/bullseye/InRelease: Key is stored in legacy trusted.gpg
>                keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
>
> I've thoroughly RTFM in search of a clue as to how to fix this, but I can't figure out what I'm supposed to do.
>
> Has anybody else seen this?  If so, what did you do?  And did it help?

I _think_ the key should be stored in its own file under
/etc/apt/trusted.gpg.d. Maybe something like
/etc/apt/trusted.gpg.d/virtual-box.gpg.

Also see https://wiki.debian.org/SecureApt and the part:

    apt-key is a program that is used to manage a keyring of OpenPGP keys
    for secure apt. The keyring is kept in the file /etc/apt/trusted.gpg
    (not to be confused with the related but not very interesting
    /etc/apt/trustdb.gpg). apt-key can be used to show the keys in the
    keyring, and to add or remove a key. In more recent Debian GNU/Linux
    versions (Wheezy, for example), the keyrings are stored in specific
    files all located in the /etc/apt/trusted.gpg.d directory. For example,
    that directory could contain the following files:
    debian-archive-squeeze-automatic.gpg or
    debian-archive-wheezy-automatic.gpg. Incidentally, both files are
    provided by the debian-archive-keyring package.

Jeff
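
One way to carry out the suggestion in the reply above, as an added example that is not part of the original message: copy a single key out of the legacy keyring into its own file under /etc/apt/trusted.gpg.d. The function name `export_apt_key` and the `GPG` and `LEGACY_KEYRING` variables are names chosen for this example, and the key fingerprint has to be supplied by the caller because the thread does not give it.

```shell
#!/bin/sh
# Added example (not from the original thread). GPG, LEGACY_KEYRING and
# export_apt_key are names chosen here for illustration.

GPG="${GPG:-gpg}"
LEGACY_KEYRING="${LEGACY_KEYRING:-/etc/apt/trusted.gpg}"

# export_apt_key KEY_FINGERPRINT DEST_FILE
# Return codes: 0 exported, 1 bad usage or temp-file failure,
#               2 DEST_FILE already exists (never overwritten),
#               3 legacy keyring missing or empty,
#               4 gpg exported nothing (key not in the legacy keyring).
export_apt_key() {
    key="$1"
    dest="$2"
    [ -n "$key" ] && [ -n "$dest" ] || return 1
    [ ! -e "$dest" ] || return 2
    [ -s "$LEGACY_KEYRING" ] || return 3

    # Throwaway GnuPG home so the caller's own keyrings are not touched.
    tmp_home=$(mktemp -d) || return 1
    # Write next to the destination so the final mv is a rename.
    tmp_out=$(mktemp "${dest}.XXXXXX") || { rm -rf "$tmp_home"; return 1; }

    "$GPG" --homedir "$tmp_home" --batch --no-default-keyring \
        --keyring "$LEGACY_KEYRING" --export "$key" > "$tmp_out"
    rm -rf "$tmp_home"

    # An unknown key yields empty output, so an empty file means failure.
    if [ ! -s "$tmp_out" ]; then
        rm -f "$tmp_out"
        return 4
    fi

    # apt reads the keyring unprivileged, so it must be world-readable.
    chmod 644 "$tmp_out" && mv "$tmp_out" "$dest"
}
```

Run as root, for example `export_apt_key <KEY_FINGERPRINT> /etc/apt/trusted.gpg.d/virtual-box.gpg`, where `<KEY_FINGERPRINT>` is a placeholder for the fingerprint found by listing the legacy keyring. The function only copies the key; removing it from /etc/apt/trusted.gpg is a separate step.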

