apt-key is deprecated #8309

Open
ChillerDragon opened this issue Oct 26, 2024 · 2 comments

@ChillerDragon

The wiki mentions:

```sh
wget -q https://wire-app.wire.com/linux/releases.key -O- | sudo apt-key add -
```

Which throws a warning on my system (Debian 12):

```
$  wget -q https://wire-app.wire.com/linux/releases.key -O- | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
```

@RogueScholar

Good catch. I'd just update the wiki with this myself, but since it's locked down, here's how that page should read to reflect current APT best practices (including the transition to DEB822 sources files). A copy of the raw Markdown used to create this post is included at the bottom of this post for convenient copying and pasting in the Wiki by someone with the necessary permissions to do so.

  1. Ensure that the packages needed to securely access our repository and validate its signatures are installed:

    sudo apt --install-suggests --update --yes install apt-transport-https debsig-verify software-properties-common
  2. Import our PGP package signing key into an APT keyring so our repository can be trusted as a package source:

    sudo mkdir -pv /etc/apt/keyrings
    wget -O- "https://wire-app.wire.com/linux/releases.key" | sudo gpg --batch --no-default-keyring \
      --keyring /etc/apt/keyrings/wireapp.gpg --import -
    sudo chmod -c 0644 /etc/apt/keyrings/wireapp.gpg
  3. Make a copy of our bare package signing key from the new APT keyring file for debsig-verify to use:

    sudo mkdir -pv /usr/share/debsig/keyrings/D599C1AA126762B1
    sudo gpg --batch --no-default-keyring --keyring /etc/apt/keyrings/wireapp.gpg \
      --output /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg \
      --export ABBA007D6E14E2DB5B283C45D599C1AA126762B1
    sudo chmod -c 0644 /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg
  4. Create a DEB822-style .sources file in /etc/apt/sources.list.d for APT to add our repository as a source:

    echo 'Enabled: yes
    Types: deb
    Architectures: amd64
    Signed-by: /etc/apt/keyrings/wireapp.gpg
    URIs: https://wire-app.wire.com/linux/debian
    Suites: stable
    Components: main' | sudo tee /etc/apt/sources.list.d/wireapp.sources >/dev/null
    sudo chmod -c 0644 /etc/apt/sources.list.d/wireapp.sources
  5. Create a debsig policy file to block the installation of any wire-desktop package not signed by us:

    sudo mkdir -pv /etc/debsig/policies/D599C1AA126762B1
    echo '<?xml version="1.0"?>
    <!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
    <Policy xmlns="https://www.debian.org/debsig/1.0/">
      <Origin Name="Wire" id="D599C1AA126762B1" Description="Secure synchronous messaging application" />
      <Selection>
        <Required Type="origin" File="debsig.gpg" id="D599C1AA126762B1" />
      </Selection>
      <Verification MinOptional="0">
        <Required Type="origin" File="debsig.gpg" id="D599C1AA126762B1" />
      </Verification>
    </Policy>' | sudo tee /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol >/dev/null
    sudo chmod -c 0644 /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol
  6. Install the Wire desktop app using APT (after first updating its available packages list):

    sudo apt --update --yes install wire-desktop

Raw Markdown of updated Wiki documentation:

1. Ensure that the packages needed to securely access our repository and validate its signatures are installed:

   ```sh
   sudo apt --install-suggests --update --yes install apt-transport-https debsig-verify
   ```

2. Import our PGP package signing key to allow APT to trust our repository and the packages in it:

   ```sh
   sudo mkdir -pv /etc/apt/keyrings
   wget -O- "https://wire-app.wire.com/linux/releases.key" | sudo gpg --batch --no-default-keyring \
     --keyring /etc/apt/keyrings/wireapp.gpg --import -
   sudo chmod -c 0644 /etc/apt/keyrings/wireapp.gpg
   ```

3. Make a copy of our bare package signing key for `debsig-verify` from the new APT keyring file:

   ```sh
   sudo mkdir -pv /usr/share/debsig/keyrings/D599C1AA126762B1
   sudo gpg --batch --no-default-keyring --keyring /etc/apt/keyrings/wireapp.gpg \
     --output /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg \
     --export ABBA007D6E14E2DB5B283C45D599C1AA126762B1
   sudo chmod -c 0644 /usr/share/debsig/keyrings/D599C1AA126762B1/debsig.gpg
   ```

4. Create a DEB822-style .sources file in `/etc/apt/sources.list.d` for APT to add our repository as a source:

   ```sh
   echo 'Enabled: yes
   Types: deb
   Architectures: amd64
   Signed-by: /etc/apt/keyrings/wireapp.gpg
   URIs: https://wire-app.wire.com/linux/debian
   Suites: stable
   Components: main' | sudo tee /etc/apt/sources.list.d/wireapp.sources >/dev/null
   sudo chmod -c 0644 /etc/apt/sources.list.d/wireapp.sources
   ```

5. Create a debsig policy file to block the installation of any `wire-desktop` package not signed by us:

   ```sh
   sudo mkdir -pv /etc/debsig/policies/D599C1AA126762B1
   echo '<?xml version="1.0"?>
   <!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
   <Policy xmlns="https://www.debian.org/debsig/1.0/">
     <Origin Name="Wire" id="D599C1AA126762B1" Description="Secure synchronous messaging application" />
     <Selection>
       <Required Type="origin" File="debsig.gpg" id="D599C1AA126762B1" />
     </Selection>
     <Verification MinOptional="0">
       <Required Type="origin" File="debsig.gpg" id="D599C1AA126762B1" />
     </Verification>
   </Policy>' | sudo tee /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol >/dev/null
   sudo chmod -c 0644 /etc/debsig/policies/D599C1AA126762B1/wire-desktop.pol
   ```

6. Install the Wire desktop app using APT (after first updating its available packages list):

   ```sh
   sudo apt --update --yes install wire-desktop
   ```
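
Steps 2 and 3 above import whatever the download returns and only afterwards name the fingerprint `ABBA007D6E14E2DB5B283C45D599C1AA126762B1`. As an added example (not part of the comment above or of the Wire project's documentation), these shell functions check that a key file holds exactly one primary key with that fingerprint before it is imported. The function names and the sample listing are constructed for illustration, and `verify_key_file` assumes a GnuPG version that supports `--show-keys`.

```sh
#!/bin/sh
# Added example, not from the issue thread. Function names are hypothetical.
# Fingerprint as quoted in step 3 of the comment above.
EXPECTED_FPR="ABBA007D6E14E2DB5B283C45D599C1AA126762B1"

# Constructed sample of `gpg --with-colons` output (dates, uid and subkey are
# made up): one primary key (pub + fpr) and one subkey (sub + fpr).
SAMPLE_LISTING='pub:-:4096:1:D599C1AA126762B1:1400000000:::-:::scESC::::::23::0:
fpr:::::::::ABBA007D6E14E2DB5B283C45D599C1AA126762B1:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1400000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

# Read a colon-format key listing on stdin. Succeed only if it contains exactly
# one primary key and that key's fingerprint equals $1. Subkey fingerprints are
# ignored, and a file carrying any additional primary key is rejected, because
# every key in the Signed-by keyring is trusted for the repository.
listing_is_only_key() {
  awk -F: -v want="$1" '
    BEGIN { gsub(/ /, "", want); want = toupper(want) }   # accept "ABBA 007D ..." too
    $1 == "pub" { primary = 1; keys++; next }             # next fpr record is the primary
    $1 == "sub" { primary = 0; next }                     # next fpr record is a subkey
    $1 == "fpr" && primary { if ($10 == want) hits++; primary = 0 }
    END { exit !(keys == 1 && hits == 1) }
  '
}

# Inspect a downloaded key file without importing it (gpg --show-keys), then
# apply the check above. $1 = key file, $2 = expected fingerprint.
verify_key_file() {
  gpg --batch --show-keys --with-colons "$1" 2>/dev/null | listing_is_only_key "$2"
}

# Self-check against the constructed listing; prints nothing on success.
printf '%s\n' "$SAMPLE_LISTING" | listing_is_only_key "$EXPECTED_FPR" ||
  echo "self-check failed" >&2
```

A caller would download the key to a temporary file, run `verify_key_file "$tmp" "$EXPECTED_FPR"`, and continue with the `gpg --import` from step 2 only when it succeeds.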

@ChillerDragon

@RogueScholar cool thanks for looking into this. Are all those steps needed? Seems to be more than what I am used to. As a new user I would be intimidated by 6 walls of commands to install a program.
