One of the steps at https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository is to add Docker’s official GPG key like this:
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
However, the last part generates the following warning (at least on Ubuntu 20.10):
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Maybe it is time to use trusted.gpg.d as suggested by the warning?
Same here
I'm experiencing the same issue, with the additional problem that when I try to manually add the gpg file to /etc/apt/trusted.gpg.d/docker.gpg and then run sudo apt update I get this error:
The key(s) in the keyring /etc/apt/trusted.gpg.d/docker.gpg are ignored as the file has an unsupported filetype.
...with of course loads of other errors from not having a valid key.
This worked for me
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/docker-apt-key.gpg add
Also, if you are using groovy , you should try focal instead.
Hi @devs-saifur-rahman, thanks for this tip. I was stuck in the same point and it helped me to progress with the install. This may be a good update to be done in the docs. EDIT: I will try to make some time to check if I can do it and submit it.
apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04
Although adding keys directly to /etc/apt/trusted.gpg.d/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to /usr/share/keyrings and referenced with the signed-by option in the source.list.d entry.
# Adding an ASCII Armored key (.asc key)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
gpg --dearmor | \
sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > \
/dev/null
# Or if you prefer a one-liner
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null
# Breakdown of each part
#
# curl downloads the key
# gpg --dearmor creates a binary .gpg because /usr/share/keyrings cannot take .asc keys
# sudo tee because we get permission denied if we try redirect the output of a sudo command
# /dev/null we don't need to see the dearmored keyring on the console
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
sudo tee /etc/apt/sources.list.d/docker-ce.list > \
/dev/null
# Of if you prefer a one-liner
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null
With the above in place, you're ready for the transition away from apt-key to whatever will come next, with the added bonus of Debian's security best practices. :)
@denis-roy, are these commands same for Debian distribution as well..? [just by replacing ubuntu => debian]
Facing the same issue, while trying to install docker
sorry if it sounds too stupid, I'm new to Docker.
apt-key is deprecated and will not be available after Debian 11 / Ubuntu 22.04
Although adding keys directly to
/etc/apt/trusted.gpg.d/ is suggested by apt-key deprecation message, as per Debian Wiki GPG keys for third party repositories should be added to/usr/share/keyringsand referenced with thesigned-byoption in the source.list.d entry.ADD A KEY
# Adding an ASCII Armored key (.asc key) curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \ gpg --dearmor | \ sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > \ /dev/null # Or if you prefer a one-liner curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null # Breakdown of each part # # curl downloads the key # gpg --dearmor creates a binary .gpg because /usr/share/keyrings cannot take .asc keys # sudo tee because we get permission denied if we try redirect the output of a sudo command # /dev/null we don't need to see the dearmored keyring on the consoleADD REPOSITORY AS A SOURCE IN /etc/apt/sources.list.d/
echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ sudo tee /etc/apt/sources.list.d/docker-ce.list > \ /dev/null # Of if you prefer a one-liner echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/nullWith the above in place, you're ready for the transition away from apt-key to whatever will come next, with the added bonus of Debian's security best practices. :)
@vieee, the procedure is the same for Debian 9 (Stretch) / Ubuntu 16.04 (Xenial) onward. For more information, refer to PR #11990
Here are the commands you need to execute to install Docker on Debian
:warning: Make sure you copy paste the commands, we are all prone to typos! :)
sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor \
| sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
What group of fools decided to deprecate something without first having a replacement or even a suggested replacement, or EVEN DOCUMENTING THIS HORSESHIT????
@AkashicSeer, please remain civil.
Deprecated means you can still use the tool but its usage is discouraged. The way Debian has decided to deal with third-party keys and repositories is well documented in their Wiki.
The apt-key tool will only disappear in an OS version due to be released somewhere in 2022. When this time comes, nobody is forcing you to upgrade to this version of the OS if you want to carry on using apt-key for as long as you wish.
Simply put: Nobody is forcing you to change and if you want to change, there is plenty of time to comply.
Hint: You might want to change. The proposed way is much more secure: It assign a specific key to a specific repository as opposed to now where any package is checked against any key in your keyring.
The group of fools you are referring to is a large body of able open source developers who work mostly without pay to provide the world with a free operating system that anybody, and that includes you, is at complete liberty to use... Or not.
If you feel you can contribute ideas or code towards a better way to manage third-keys and repository, as we say in the open source world: Pull Requests are welcome.
To install Docker for Kali 2020.1 debian amd64 run the following:
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null
then:
echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
2.
sudo apt-get update
3.
sudo apt-get install docker-ce
It worked for me by Hard coding.
@Pema-Sereka, hardcoding amd64 and buster might work for you but will fail for those who try to install Docker on a x86 or armel/armhf distribution of Kali
Evaluating $(dpkg --print-architecture) and $(lsb_release -cs) in the following command ensures a wider coverage :)
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] \
https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null
@denis-roy,
Yeah, sure. I had tried all but failed but when I hard coded for Kali debian 2020.1 amd64 it worked. I just was offering a solution to the reported error which was similar to what I had.
@denis-roy Apparently the dependency of GnuPG (gnupg-agent) is unnecessary. You can do this:
curl -fsSL https://download.docker.com/linux/debian/gpg \
| sudo tee /usr/share/keyrings/docker-ce-archive-keyring.asc > /dev/null
Note the file extension .asc for ASCII-format (“armored” in GnuPG term) key file. Of course the source.list should be updated correspondingly. This is tested on Debian Buster; didn’t test on Ubuntu though.
If you're killing the output to stdout that tee generates, then you shouldn't be using tee at all. Also, for user installed packages (not distribution controlled packages), you shouldn't be using
/usr/share/.... You should either be using/etc/...or/usr/local/....Something like:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor > /etc/apt/trusted.gpg.d/docker-ce-archive-keyring.gpgshould do the trick. Fewer fork/execs, fewer redirections, less entropy consumed in the system overall, removed a call for a program that you're "neutering" etc. One should always strive to consume fewer computing resources and this "ancient art" should never be disregarded, despite computers being "fast enough".
That's unlikely to work, because sudo has no effect on redirections. The redirection happens in the current shell before sudo is invoked. It will only "work" if the current user already has the right permissions to write to the file. If you need sudo for it, you have to use tee.
$ echo 'whatever' >> root_only/file
-ash: can't create root_only/file: Permission denied
$ sudo echo 'whatever' >> root_only/file
-ash: can't create root_only/file: Permission denied
I think the correct way is:
$ sudo touch /etc/apt/trusted.gpg.d/docker.gpg
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/docker.gpg --import -
As stated earlier, the proposal comes from the Debian Wiki, not from me :)
@FranklinYu - They go with binary signatures (.gpg) instead of ASCII Armored ones (.asc) to avoid some error vectors and to maintain interoperability with SecureAPT which requires .gpg sigs
@jinliming2 - There are plenty of acceptable ways to deal with this, I just chose to propose the most standard, Debian-compliant way I could find
For further discussions, visit PR #11990
@denis-roy
Cutting and pasting your instructions above fail with the same error on Ubuntu 20.10 and a brand new install of Ubuntu 20.04 LTS. Here is my output from 20.04:
jon@Ubuntu-Fossa:~/Desktop$ sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20210119~20.04.1).
curl is already the newest version (7.68.0-1ubuntu2.4).
apt-transport-https is already the newest version (2.0.4).
gnupg-agent is already the newest version (2.2.19-3ubuntu2.1).
0 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
jon@Ubuntu-Fossa:~/Desktop$ curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-ce-archive-keyring.gpg > /dev/null
jon@Ubuntu-Fossa:~/Desktop$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable"| sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null
jon@Ubuntu-Fossa:~/Desktop$ sudo apt-get update
Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Ign:4 https://download.docker.com/linux/debian focal InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Get:6 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Hit:7 https://download.sublimetext.com apt/stable/ InRelease
Err:8 https://download.docker.com/linux/debian focal Release
404 Not Found [IP: 99.84.233.150 443]
Reading package lists... Done
E: The repository 'https://download.docker.com/linux/debian focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
jon@Ubuntu-Fossa:~/Desktop$ sudo apt-get install docker-ce docker-ce-cli containerd.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package docker-ce is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'docker-ce' has no installation candidate
E: Unable to locate package docker-ce-cli
E: Unable to locate package containerd.io
E: Couldn't find any package by glob 'containerd.io'
E: Couldn't find any package by regex 'containerd.io'
@Jon-Biz From the look of it, you are trying to follow Debian's installation procedure on Ubuntu.
E: The repository 'https://download.docker.com/linux/debian focal Release' does not have a Release file.
There is no release of Debian named focal. Debian release names (buster, sid, etc) and Ubuntu release names (groovy, focal, etc) don't mix :)
Following the installation procedure for Ubuntu will undoublty yield the desired results:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-ce-archive-keyring.gpg
````
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-ce-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list > /dev/null
or you could very well just edit the source directly:
nano /etc/apt/sources.list.d/docker-ce.list
``
to replacedebianbyubuntu, save, close and then runapt update` again
Thank you for your reply. I have resolved my problems.
Fwiw, attempting to add the docker-ce-archive-keyring.gpg to my keyrings directory failed with a 'Permission denied' error. I was able to resolve this by sudo ing gpg:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-ce-archive-keyring.gpg
They go with binary signatures (.gpg) instead of ASCII Armored ones (.asc) to avoid some error vectors and to maintain interoperability with SecureAPT which requires .gpg sigs
@denis-roy Would you mind sharing more about this? The only place I found about the requirement is a very brief note at DebianRepository/UseThirdParty; I can’t find the relevant description at the SecureApt page.
By the way, I tried the armored file on my virtual machine (Debian Buster), and APT didn’t complain. Is SecureApt opt-in?
@FranklinYu, unfortunately I estimate my understanding to be limited to a little more than what is mentioned in that DebianRepository/UseThirdParty Wiki and wouldn't want to mislead you. You might want to open a discussion or take part in an already open one on that specific Debian Wiki though :)
Most helpful comment
This worked for me
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/docker-apt-key.gpg addAlso, if you are using groovy , you should try focal instead.