APT-related question about GPG key rotation

Hey guys,

On Debian I ran into an APT error and recognised the Grafana Labs update "Grafana Labs update regarding CircleCI security updates | Grafana Labs".

To update the key, I first did the steps I always do, which basically match the steps documented here: https://apt.grafana.com/

  1. Download the .key
  2. Convert it via gpg --dearmor into a .gpg

However, APT reports:

The key(s) in the keyring /path/to/grafana.gpg are ignored as the file has an unsupported filetype.

I guess with apt-key add (deprecated) it would result in the same invalid key.

What does work is leaving the .key file untouched and adding it as-is as the signing key for the repo via

[signed-by=/path/to/grafana.key] 

as documented in the blog post itself.

I have never seen a case where the armored .key is used for APT authentication. Investigating why --dearmor does not create a valid key, I recognised that a second block contained in the key, a “revocation certificate”, is causing the issue. Removing it allows gpg --dearmor to create a valid .gpg key.

I’m not sure whether there is a specific reason for the way this is all done. Revoking a key in APT, AFAIK, cannot be done that way but simply requires running apt-key del on the key or removing/replacing the file. To preserve the common method and still documented way of adding APT keys, I suggest removing the revocation certificate from the .key file and, if needed, providing it as a dedicated file, if it has a use in cases other than APT.
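As an added example (not code from the post or from Grafana), a small Python checker that splits an armored .key file into its blocks, classifies each by the tag of its first OpenPGP packet, and keeps only the public-key blocks, which is the check that would have caught the appended revocation certificate before running gpg --dearmor. The sample key bytes and the armor() helper are constructed for the demo and are not real key material.

```python
"""Classify the armored blocks in an APT signing key and drop any that are not
public keys. The sample input below is constructed; it is not a real key."""
import base64
import re

ARMOR_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----\n?", re.S)
# OpenPGP packet tags (RFC 4880, section 4.3) that matter for a keyring.
PACKET_TAGS = {2: "signature", 6: "public key", 13: "user id", 14: "public subkey"}

def decode_armor_body(body: str) -> bytes:
    """Drop armor headers (Version:, Comment:) and the =CRC24 line, then base64-decode."""
    lines = body.splitlines()
    if "" in lines:  # header lines end at the first blank line
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))

def first_packet_tag(data: bytes) -> int:
    """Tag of the first packet; old-format and new-format CTBs encode it differently."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F

def classify_blocks(armored: str) -> list:
    """(armor label, kind of first packet) per block. The label alone cannot tell a
    revocation certificate from a key: gpg armors both as PUBLIC KEY BLOCK."""
    kinds = []
    for m in ARMOR_RE.finditer(armored):
        tag = first_packet_tag(decode_armor_body(m.group(2)))
        kinds.append((m.group(1), PACKET_TAGS.get(tag, f"tag {tag}")))
    return kinds

def strip_non_key_blocks(armored: str) -> str:
    """Keep only blocks whose first packet is a public key (tag 6); gpg --dearmor
    would otherwise append the revocation signature to the binary keyring."""
    return "".join(m.group(0) for m in ARMOR_RE.finditer(armored)
                   if first_packet_tag(decode_armor_body(m.group(2))) == 6)

def armor(label: str, data: bytes, comment: str = "") -> str:
    """Build an armored block; the CRC24 line is omitted and the decoder ignores it."""
    header = f"Comment: {comment}\n" if comment else ""
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN PGP {label}-----\n{header}\n{b64}\n-----END PGP {label}-----\n"

# Constructed stand-in for a downloaded gpg.key: a public-key packet (old-format CTB
# 0x99, tag 6) followed by a standalone signature packet (CTB 0x88, tag 2), which is
# how an appended revocation certificate looks at the top level of the file.
SAMPLE_KEY = (armor("PUBLIC KEY BLOCK", bytes([0x99, 0x00, 0x03]) + b"key")
              + armor("PUBLIC KEY BLOCK", bytes([0x88, 0x03]) + b"sig",
                      "This is a revocation certificate"))
```

Running classify_blocks(SAMPLE_KEY) reports the second block as a signature even though its armor label says PUBLIC KEY BLOCK, and strip_non_key_blocks(SAMPLE_KEY) returns only the first block, ready for gpg --dearmor.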

The revocation key was removed from https://apt.grafana.com/gpg.key, and gpg --dearmor hence now works without issues. Thanks guys :+1:.