Would it be possible to fix deprecated apt-key calls with a script?

1. download a package,
2. download its associated key,
3. open a browser to show me from where the key is downloaded, in order
   to find the fingerprint of the key,
4. extract the fingerprint from the downloaded key, so that I can check
   the published fingerprint against it and decide whether it is OK. If
   not: exit.
5. generate a name ending in *.gpg for the key under which it shall
   be stored, which reflects the package for which it is valid,
6. use the file command and grep for "Public Key (old)" and decide
   whether the provided key has to be --dearmor'ed or not when it is
   stored in /etc/apt/keyrings (the directory which was advised when I
   read the article),
7. create a proper file with a name ending in .list in
   /etc/apt/sources.list.d. The file name should be similar to the
   corresponding *.gpg file. The script should write the proper content
   to this file. If I got it right, the line
   "deb [signed-by=<.gpg file in /etc/apt/keyrings>] https://<URL from where package has been downloaded> stable main"
   plays the key role in the solution.
8. delete the old insecure key which was added by apt-key.

Or would this be insufficient? Keys in the key ring /etc/apt/trusted.gpg show a uid [ unknown ]. Does this prevent establishing the right relation between keys and packages?
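
A sketch of steps 4 to 8 as shell functions, added here as an example and not part of the original message. It assumes the key file is already downloaded and that the operator passes in the fingerprint read from the publisher's site. All function names are hypothetical, and the armour check looks for the PGP header line instead of using file and grep.

```shell
#!/bin/sh
# Added example: steps 4-8 for a key file that has already been downloaded.
KEYRING_DIR="${KEYRING_DIR:-/etc/apt/keyrings}"
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"

# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }

# Step 4: fingerprint of the primary key (field 10 of the first "fpr" record).
key_fpr() { gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'; }

# Step 6: ASCII-armoured keys carry this header; binary keyrings do not.
is_armored() { grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; }

# Steps 5 and 7: matching file names and the sources entry for one package name.
keyring_path() { printf '%s/%s.gpg' "$KEYRING_DIR" "$1"; }
list_path() { printf '%s/%s.list' "$SOURCES_DIR" "$1"; }
sources_line() { printf 'deb [signed-by=%s] %s %s %s\n' "$(keyring_path "$1")" "$2" "$3" "$4"; }

# install_repo_key NAME KEYFILE PUBLISHED_FPR REPO_URL [SUITE] [COMPONENT]
install_repo_key() {
    name=$1 keyfile=$2 published=$3 url=$4 suite=${5:-stable} comp=${6:-main}
    actual=$(key_fpr "$keyfile")
    # Fail closed: an unreadable key or a missing gpg counts as a mismatch.
    if [ -z "$actual" ] || [ "$(norm_fpr "$actual")" != "$(norm_fpr "$published")" ]; then
        echo "fingerprint mismatch: got '${actual}', refusing to install" >&2
        return 1
    fi
    mkdir -p "$KEYRING_DIR" "$SOURCES_DIR" || return 1
    if is_armored "$keyfile"; then
        gpg --dearmor < "$keyfile" > "$(keyring_path "$name")" || return 1
    else
        cp "$keyfile" "$(keyring_path "$name")" || return 1
    fi
    chmod 644 "$(keyring_path "$name")"
    sources_line "$name" "$url" "$suite" "$comp" > "$(list_path "$name")"
    # Step 8 is left to the operator: print the command instead of running it.
    echo "now remove the old key: apt-key del $actual"
}
```

Setting KEYRING_DIR and SOURCES_DIR to a scratch directory allows a dry run without touching /etc/apt.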
