Ubuntu: fix apt warning for Dropbox with key in legacy keyring

If you have Dropbox installed on your Linux desktop, you may have recently started seeing this warning message from apt:

http://linux.dropbox.com/ubuntu/dists/disco/Release.gpg: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details

This can be resolved by saving the Dropbox PGP key in its own keyring file and referencing that file in the ‘signed-by’ option of the apt repo definition (as described on the forums). Below are the exact CLI commands.

Get the latest Dropbox PGP key

remote_key_file=https://linux.dropbox.com/fedora/rpm-public-key.asc

# download once, so the key you inspect is the same key you install
curl -fsS "$remote_key_file" -o dropbox.asc

# validate same ownership as original, and newer expiration date
sudo apt install pgpdump -y
pgpdump dropbox.asc | grep -E "User ID -|expiration" -A1

# save new PGP key
sudo cp dropbox.asc /usr/share/keyrings/dropbox.asc
sudo chmod 644 /usr/share/keyrings/dropbox.asc

Edit Dropbox apt repo definition

Then find and edit the file that contains the Dropbox apt repo definition.

domain=linux.dropbox.com
sudo grep -srl $domain /etc/apt | grep -v save
sudo vi <theFoundFile>

There is no need to change your current definition, except to add the ‘signed-by=/usr/share/keyrings/dropbox.asc’ option inside the square brackets, as shown in the example below.

deb [arch=i386,amd64 signed-by=/usr/share/keyrings/dropbox.asc] http://linux.dropbox.com/ubuntu disco main
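
The same edit can be applied mechanically. The following is an added example, not part of the original post: a shell filter that adds the signed-by option to the linux.dropbox.com entries and leaves every other line alone. The function name add_signed_by and the sample lines are constructed, and it assumes one-line-style entries in a .list file.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes one-line-style
# entries (*.list files); deb822 *.sources files are not handled.
KEYRING=/usr/share/keyrings/dropbox.asc   # key path used in this article
DOMAIN=linux.dropbox.com

# add_signed_by (hypothetical name): reads apt source lines on stdin and
# writes them to stdout with signed-by added to the entries for $DOMAIN.
add_signed_by() {
    awk -v key="$KEYRING" -v dom="$DOMAIN" '
    # active deb / deb-src entries that mention the repo host
    /^[ \t]*deb(-src)?[ \t]/ && index($0, dom) {
        if ($0 ~ /signed-by=/) { print; next }   # already pinned to a key
        if ($2 ~ /^\[/) {
            # an [options] block exists: add signed-by before the closing bracket
            sub(/\]/, " signed-by=" key "]")
        } else {
            # no [options] block: create one right after deb / deb-src
            sub(/^[ \t]*deb(-src)?/, "& [signed-by=" key "]")
        }
    }
    { print }   # comments, blank lines and other repos pass through
    '
}

# Constructed sample input covering each case.
sample='deb [arch=i386,amd64] http://linux.dropbox.com/ubuntu disco main
deb http://linux.dropbox.com/ubuntu disco main
# deb http://linux.dropbox.com/ubuntu disco main
deb http://archive.ubuntu.com/ubuntu disco main universe'

printf '%s\n' "$sample" | add_signed_by
```

To apply it, write the filtered output to a temporary file, diff it against the file found above, and only then copy it into place with sudo.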

REFERENCES

dropboxforum, shows how to resolve issue

dropbox, Linux .deb download

cirwin.in, online PGP decoder

askubuntu.com, similar problem but for the DigitalOcean deb; also shows how to delete the legacy key

askubuntu.com, script for finding all legacy keys and converting to new format

askubuntu.com, finding the signing key for a ppa launchpad

itfoss.com, explanation of legacy keyrings, dearmor, etc

NOTES

A harder way to get the latest PGP key is to extract it from the latest .deb

# download latest Dropbox .deb
mkdir dbox
cd dbox
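# quote the URL ('?' is a shell glob character) and name the output file, since wget would otherwise name it after the query string
wget -O dropbox_2020.03.04_amd64.deb "https://www.dropbox.com/download?dl=packages/ubuntu/dropbox_2020.03.04_amd64.deb"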

# extract files from deb using 'ar' utility
sudo apt install binutils -y
ar xf dropbox_2020.03.04_amd64.deb
tar xvfz control.tar.gz

# grab PGP key from 'postinst' file, copy to keyrings location
sed -ne '/-----BEGIN PGP PUBLIC KEY BLOCK-----/,/-----END PGP PUBLIC KEY BLOCK-----/p' postinst | tee dropbox.asc
sudo cp dropbox.asc /usr/share/keyrings/dropbox.asc

(Optional) Delete from legacy keyring
After adding the ‘signed-by’ above, apt should no longer output warning messages.  If you want to go a step further and remove the key from the legacy keyring, below are the commands.

# find legacy key id
apt-key list | grep dropbox -B1
key_hexid=$(apt-key list | grep dropbox -B1 | head -n1 | tr -d ' ')

# validate it is one belonging to dropbox, then delete from legacy keyring
sudo apt install pgpdump -y
apt-key export ${key_hexid: -8} | pgpdump | grep -i dropbox
sudo apt-key del ${key_hexid: -8}

# apt should not show any warning messages
sudo apt update

Finding latest Dropbox PGP key

Searching duckduckgo.com with the following expression yields a Python file that contains the PGP key and also references its location at https://linux.dropbox.com/fedora/rpm-public-key.asc

site:linux.dropbox.com apt "BEGIN PGP PUBLIC KEY BLOCK"