on Debian I ran into an APT error and recognised Grafana Labs update regarding CircleCI security updates | Grafana Labs.
To update the key, I first did the steps I always do, which basically match the steps documented here: https://apt.grafana.com/
- Download the
- Convert it via
gpg --dearmorinto a
However, APT reports:
The key(s) in the keyring /path/to/grafana.gpg are ignored as the file has an unsupported filetype.
I guess with
apt-key add (deprecated) it would result in the same invalid key.
What does work, is leaving the
.key file untouched and add it like that as signing key to the repo via
as documented in the blog post itself.
I never saw a case where the armored
.key is used for APT authentication. Investigating why
--dearmor does not create a valid key, I recognised that a second contained “revocation certificate” in the key is causing the issue. Removing it allows
gpg --dearmor to create a valid
I’m not sure whether there is a specific reason for the way this is all done. Revoking a key in APT, AFAIK, cannot be done that way but simply requires to
apt-key del the key or remove/replace the file. To preserve the common method and still documented way of adding APT keys, I suggest to remove the revocation certificate from the
.key file and in case add it with a dedicated file, if this has use in other cases than APT.