What is apt-key ?

posted on
by Mohamad Wael

Each distribution has a release file which contains indices of binary and source packages that can be installed from this distribution . apt-key is used to add , delete , list , and export public keys used by apt to verify the signature of a release file .

If a public key for a distribution does not exist , then apt will fail to verify the signature of its release file , and it will issue an error . The downloaded release file is then disregarded , and apt will use the previous indices of binary and source packages gotten from this distribution , if they exist.

apt-key : How verification works , Listing the distributions installed public keys , Adding the public key of a distribution , Deleting the public key of a distribution .

How verification works ?

A distribution source , the location from which we are going to download its release file , can either be located in the file /etc/apt/sources.list or in the directory /etc/apt/sources.list.d/ .

# example of the content of /etc/apt/sources.list 			

# buster distribution 
# main component 
# authored by the debian project
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main

# buster distribution 
# security updates  
# main component 
# authored by the debian project security team
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main

# buster-updates distribution extension 
# main component 
# authored by the debian project        
deb http://deb.debian.org/debian/ buster-updates main
deb-src http://deb.debian.org/debian/ buster-updates main

# buster distribution
# main component 
# authored by winehq
deb https://dl.winehq.org/wine-builds/debian/ buster main 

# stable  distribution
# main component 
# authored by microsoft
deb https://packages.microsoft.com/repos/vscode stable main
					

The public keys used to verify a distribution release file can be located either in the /etc/apt/trusted.gpg.d/ directory on in the /etc/apt/trusted.gpg file .

# example of the content of /etc/apt/trusted.gpg.d
# directory.
@debian:/etc/apt/trusted.gpg.d$ ls
# list the content of /etc/apt/trusted.gpg.d/

debian-archive-buster-automatic.gpg
# Public key installed by the 
# debian-archive-keyring package . It can 
# be used to verify the signature of the 
# distribution or the distribution extensions 
# authored by the debian project and which have
# a code name that starts with buster .

debian-archive-buster-security-automatic.gpg
# Public key installed by the 
# debian-archive-keyring package . It can be 
# used to verify the signature of the
# distribution with a code name of buster
# authored by the debian project security team . 

debian-archive-buster-stable.gpg
# Public key installed by the
# debian-archive-keyring package . It can be 
# used to verify the signature of the 
# distribution with a code name of 
# buster authored by the debian
# project. 

					

When debian is installed , the package debian-archive-keyring is also installed . This package contains public keys which can be used to verify the release files of distributions authored by the debian project .

If the apt-get update command is issued, using the previous /etc/apt/sources.list file , and the public keys in the /etc/apt/trusted.gpg.d directory , then the result will be :

@debian:~$ apt-get update

Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://security.debian.org/debian-security buster/updates InRelease      
Hit:3 http://deb.debian.org/debian buster-updates InRelease                    
Get:4 https://dl.winehq.org/wine-builds/debian buster InRelease [6,259 B]      
Get:5 https://packages.microsoft.com/repos/vscode stable InRelease [3,959 B]
Err:4 https://dl.winehq.org/wine-builds/debian buster InRelease      
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 76F1A20FF987672F
Err:5 https://packages.microsoft.com/repos/vscode stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
Reading package lists... Done
...
					

apt by default , will only accept the release files which are signed , and which have their public key installed . The release files of the distributions authored by the debian project are signed , and have their public keys installed , as such they were successfully downloaded. The release files from winehq and from Microsoft don't have their public keys installed , as such they are disregarded and they have caused apt to issue an error.

Each distribution has a Release , InRelease and Release.gpg files which are located in :

URI/dists/$DIST[/folder]/(Release , Release.gpg , InRelease)
# URI : is a uniform resource identifier , 
#	containing the address of the repository , 
#	for example :
#	http://deb.debian.org/debian/
#	https://packages.microsoft.com/repos/vscode
# dists : is the dists folder under the URI
# $DIST is a folder that has the distribution 
#	suite name or code name for example stable 
#	or buster.
# [/folder] is an optional folder in the 
#    the $DIST folder , for example it can 
#    be updates.
# Release : is a distribution release file. 
#	It has its signature in the Release.gpg 
#	file.
# Release.gpg : is a file that contains the 
#	signature of the Release  file . 
# InRelease : is a distribution release file , 
#	the signature is located inside the file itself.


# e.g 
#	https://deb.debian.org/debian/dists/stable/Release 
#	https://deb.debian.org/debian/dists/stable/InRelease
#	https://deb.debian.org/debian/dists/stable/Release.gpg 
					

The Release file has its signature located inside the Release.gpg file whereas the the InRelease file has its signature inside.

# https://packages.microsoft.com/repos/vscode/dists/stable/Release.gpg
# Example of Release.gpg file from the stable distribution
# authored by microsoft .		
# The Release.gpg file contains the signature for the 
# Release file.
-----BEGIN PGP SIGNATURE-----
Version: BSN Pgp v1.0.0.0

iQEcBAABCAAGBQJeHww5AAoJEOs+lK2+EinP1fQH/iwVUzvF7WJyQO95Ps6f4iGV
EgaEWtWohTQZejVJP4GtuN1OnrUB+ttLS/hF89LB83Z9UM7Bs897bqHMrho4MI04
exm76vTWVmgRWnjuNAe3+BNDEBsVQALKhrOKHg5Ch7ASUkKKD6J9mFNjsBJZEet3
kjnLbdocJboX8MHLVHMp1SU0iCuyhyn0oHzTA+TMpO7ENj3wxdN93fCzhYtRcq8p
8oMz/aR8Sl5lo3Y/nFyRqVu018WlgoKhdRnoEgQTqSZHOLxeLXI+2KShwyruKS1Z
jG9LI78YfIYQrVFuuiy8nKtVJrxtWGo9bGZfdTgfG7zFTee0oQljNfbATPbIbVc=
=SPW1
-----END PGP SIGNATURE-----


# https://packages.microsoft.com/repos/vscode/dists/stable/Release
# Example of Release file from the stable distribution
# authored by microsoft .				
# The signature of this Release file is located inside the 
# Release.gpg file .
Origin: vscode stable
Label: vscode stable
Suite: stable
Codename: stable
Date: Wed, 15 Jan 2020 12:57:08 UTC
Architectures: amd64
Components: main
Description: Generated by aptly
MD5Sum:
 8ab7833de9b0b7c8fdc5f4dafd004f87  5821556 Contents-amd64
 c698a25032c743673d96f4b6979f20e6   286333 Contents-amd64.gz
 8ab7833de9b0b7c8fdc5f4dafd004f87  5821556 main/Contents-amd64
 c698a25032c743673d96f4b6979f20e6   286333 main/Contents-amd64.gz
 86921786810a44c60c340dbb5b4015ff  1093930 main/binary-amd64/Packages
 b3b91df3924d9628d6b089766bd0d596   160192 main/binary-amd64/Packages.bz2
 1384193a462fa51e443373e92b56af09   170325 main/binary-amd64/Packages.gz
 4c9ca25b556f111a5536c78df885ad82       95 main/binary-amd64/Release
...
...
SHA512:
 352cfac120c55a3ad5b838da8dbb1bfd5166ae85de5cb43da7600e6356532c582b461aee6417c2213789504398652f1abeffbe04d2fb3786458a42103230354b  5821556 Contents-amd64
 9d227e1290537044bd284f96a18dfd72167132e030a7a8e4ae588e72fbb3348b407088903a67e7dbbd2d50c1e8c606d82b986bce3a391c7c1c5c0580f4376ede   286333 Contents-amd64.gz
 352cfac120c55a3ad5b838da8dbb1bfd5166ae85de5cb43da7600e6356532c582b461aee6417c2213789504398652f1abeffbe04d2fb3786458a42103230354b  5821556 main/Contents-amd64
 9d227e1290537044bd284f96a18dfd72167132e030a7a8e4ae588e72fbb3348b407088903a67e7dbbd2d50c1e8c606d82b986bce3a391c7c1c5c0580f4376ede   286333 main/Contents-amd64.gz
 aa7d98c3a43492ae9dea7ded57f5795054201dc1499170877cc44623d6690f63bef3de0f98022d6c82092fa9d6a864e1cf56cde13adb054253cfd0c60ee6f9ea  1093930 main/binary-amd64/Packages
 28ab463c27d40339f49362d06d5b8ba711941056be5c58891f9ddb390e3bcf9ba7ae341e90176a80b43ffe5e210ee5dbae0d300820ee7ec58b1cdd6ad354238d   160192 main/binary-amd64/Packages.bz2
 34ddebb21dbec11bd3d62e8548711a927f9c3444e559231769d16595501bc982b11937ee0dcc41c595f9daad470916941b92d7d5464fa073cb34f29bd9fed386   170325 main/binary-amd64/Packages.gz
 e1a4378ad266c13c2edf8a0e590fa4d11973ab99ce79f15af005cb838f1600f66f3dc6da8976fa8b474da9073c118039c27623ab3360c6df115071497fe4f50c       95 main/binary-amd64/Release


# https://packages.microsoft.com/repos/vscode/dists/stable/InRelease
# Example of InRelease file from the stable distribution
# authored by microsoft .				
# The signature is located inside the InRelease file.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: vscode stable
Label: vscode stable
Suite: stable
Codename: stable
Date: Wed, 15 Jan 2020 12:57:08 UTC
Architectures: amd64
Components: main
Description: Generated by aptly
MD5Sum:
 8ab7833de9b0b7c8fdc5f4dafd004f87  5821556 Contents-amd64
 c698a25032c743673d96f4b6979f20e6   286333 Contents-amd64.gz
 8ab7833de9b0b7c8fdc5f4dafd004f87  5821556 main/Contents-amd64
 c698a25032c743673d96f4b6979f20e6   286333 main/Contents-amd64.gz
 86921786810a44c60c340dbb5b4015ff  1093930 main/binary-amd64/Packages
 b3b91df3924d9628d6b089766bd0d596   160192 main/binary-amd64/Packages.bz2
 1384193a462fa51e443373e92b56af09   170325 main/binary-amd64/Packages.gz
 4c9ca25b556f111a5536c78df885ad82       95 main/binary-amd64/Release
...
...
SHA512:
 352cfac120c55a3ad5b838da8dbb1bfd5166ae85de5cb43da7600e6356532c582b461aee6417c2213789504398652f1abeffbe04d2fb3786458a42103230354b  5821556 Contents-amd64
 9d227e1290537044bd284f96a18dfd72167132e030a7a8e4ae588e72fbb3348b407088903a67e7dbbd2d50c1e8c606d82b986bce3a391c7c1c5c0580f4376ede   286333 Contents-amd64.gz
 352cfac120c55a3ad5b838da8dbb1bfd5166ae85de5cb43da7600e6356532c582b461aee6417c2213789504398652f1abeffbe04d2fb3786458a42103230354b  5821556 main/Contents-amd64
 9d227e1290537044bd284f96a18dfd72167132e030a7a8e4ae588e72fbb3348b407088903a67e7dbbd2d50c1e8c606d82b986bce3a391c7c1c5c0580f4376ede   286333 main/Contents-amd64.gz
 aa7d98c3a43492ae9dea7ded57f5795054201dc1499170877cc44623d6690f63bef3de0f98022d6c82092fa9d6a864e1cf56cde13adb054253cfd0c60ee6f9ea  1093930 main/binary-amd64/Packages
 28ab463c27d40339f49362d06d5b8ba711941056be5c58891f9ddb390e3bcf9ba7ae341e90176a80b43ffe5e210ee5dbae0d300820ee7ec58b1cdd6ad354238d   160192 main/binary-amd64/Packages.bz2
 34ddebb21dbec11bd3d62e8548711a927f9c3444e559231769d16595501bc982b11937ee0dcc41c595f9daad470916941b92d7d5464fa073cb34f29bd9fed386   170325 main/binary-amd64/Packages.gz
 e1a4378ad266c13c2edf8a0e590fa4d11973ab99ce79f15af005cb838f1600f66f3dc6da8976fa8b474da9073c118039c27623ab3360c6df115071497fe4f50c       95 main/binary-amd64/Release

-----BEGIN PGP SIGNATURE-----
Version: BSN Pgp v1.0.0.0

iQEcBAEBCAAGBQJeHww4AAoJEOs+lK2+EinPnwYH/2ggyH6Frk+kneDByRop1mSG
vmWDT2KrLa0Q1zI75I8UnlcslSuCiSycI+BELc6RRzmKGXvEXnslvLmAK5LFQ0tH
VKCjVgdjQiFfw1Q1RDHYp0JngdhWb0ZunJ2zu8L4XvFZqiUzilr35UFXrY9Q/Hkg
9TKc2+flhnJCZ53UqKXkblBg+OLjyEWLIzYMHIDUBzrrt+IbzUgB3RuDMxm/hhpR
0wWiIbVifpa1w3WekywLaiJt7f19qzx64gskTuf9jO2dJUAPFRo5LKg7KZYqPl4L
Kejl8NaarIEIOV30CTSFgkenz6lS4vo8Vw4WIT6yDGTvWas/HNUHoiNz7ltzH9k=
-----END PGP SIGNATURE-----

					

A release file is signed by the distribution author private key. The signature will contain the hash of the release file . The hash is a mathematical code calculated by a function from a message , and is used to uniquely identify the message . The chances of hash collision , which is two messages having the same code , depends on the hashing algorithm. .

The signature of the release file also contains , the timestamp of when it was signed and the public key id of the author who signed this message . The public key id is the low order 64 bits of its fingerprint , and it consists of 16 hexadecimal digits ; It is used to locate the public key which will be used to verify the message .

@debian:~$ wget https://packages.microsoft.com/repos/vscode/dists/stable/Release.gpg
# Get the Release.gpg file which contains
# the signature of the Release file 
# from the stable distribution 
# authored by microsoft.

@debian:~$ gpg --list-packets Release.gpg 
# List the packets inside this Release.gpg file. 
# off=0 ctb=89 tag=2 hlen=3 plen=284
:signature packet: algo 1, keyid EB3E94ADBE1229CF
	version 4, created 1579093049, md5len 0, sigclass 0x00
	digest algo 8, begin of digest d5 f4
	hashed subpkt 2 len 4 (sig created 2020-01-15)
	subpkt 16 len 8 (issuer key ID EB3E94ADBE1229CF)
	data: [2046 bits]
# algo 1 : The public key algorithm , not the public key , 
#	is RSA and it is used for encryption or for signing .
# keyid EB3E94ADBE1229CF : Public key id is 
#	EB3E94ADBE1229CF , this is used to locate the 
#	public keys , which will be used to read the 
#	signature . 
# 1579093049 : Timestamp of when the message was
#	created.
# algo 8 : The hash algorithm used to compute the 
#	hash of the message is SHA256 .
					

apt will use the public key gotten from the author of the distribution and identified by the key id to read the hashed value in the signature . The hashed value in the signature , is the hash of the original release file . apt will also calculate the hash of : the downloaded Release file , or of the message in the downloaded InRelease file , and compare it to the hash value read from the signature . If they are equal then the downloaded release file has been successfully verified , else the verification has failed and the release file is disregarded .

Listing the distributions installed public keys

The enlighter/etc/apt/trusted.gpg file and files in the enlighter/etc/apt/trusted.gpg.d/ directory are known as keyring since they can contain one or more public key which can be used to verify the signatures of release files .

The list option of the apt-key command can be used to list the public keys that are installed in the enlighter/etc/apt/trusted.gpg.d/ directory or in the enlighter/etc/apt/trusted.gpg file.

			
@debian:~$ apt-key list
# List the installed public keys .
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]
# pub : Stands for public key .
#	rsa : The public key algorithm , not the public key .
#	[expires: 2027-04-12] : This public key expires  2027-04-12 .
# 80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE : Is the 
#	public key fingerprint .
# uid : The user id of the key owner .
# sub : stands for sub key 

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster)  <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster)  <debian-release@lists.debian.org>

... 

# When debian is installed , the package 
# debian-archive-keyring is also installed , and
# it contains public keys used to verify the 
# signatures of release authored by the  debian 
# project . These are the public keys that come
# from that package.




					

Adding the public key of a distribution

The public key for a distribution can either be in ASCII armored format , or it can be in binary packet format . The binary packet format usually has the .gpg extension . The ASCII armored format usually has the .asc extension .

The ASCII armored format starts with -----BEGIN PGP PUBLIC KEY BLOCK----- followed by one or more optional headers such as Version , followed by an empty line , followed by the public key binary packet format encoded into ASCII radix 64 , and it ends with -----END PGP PUBLIC KEY BLOCK----- .

In ASCII radix 64 , each 6 bits represents one of the characters : [a-zA-Z0-9+/] , so for example the six bits value 0 represents A , and the six bits value 34 represents i. To convert to ASCII radix 64 , each six bits of the input are taken at a time , and converted to ASCII based on their value ; for example if their six bits value is 0 they are converted to A.

		
## An example of public key in armored format .
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (GNU/Linux)

mQENBFYxWIwBCADAKoZhZlJxGNGWzqV+1OG1xiQeoowKhssGAKvd+buXCGISZJwT
LXZqIcIiLP7pqdcZWtE9bSc7yBY2MalDp9Liu0KekywQ6VVX1T72NPf5Ev6x6DLV
7aVWsCzUAF+eb7DC9fPuFLEdxmOEYoPjzrQ7cCnSV4JQxAqhU4T6OjbvRazGl3ag
OeizPXmRljMtUUttHQZnRhtlzkmwIrUivbfFPD+fEoHJ1+uIdfOzZX8/oKHKLe2j
H632kvsNzJFlROVvGLYAk2WRcLu+RjjggixhwiB+Mu/A8Tf4V6b+YppS44q8EvVr
M+QvY7LNSOffSO6Slsy9oisGTdfE39nC7pVRABEBAAG0N01pY3Jvc29mdCAoUmVs
ZWFzZSBzaWduaW5nKSA8Z3Bnc2VjdXJpdHlAbWljcm9zb2Z0LmNvbT6JATUEEwEC
AB8FAlYxWIwCGwMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJEOs+lK2+EinPGpsH
/32vKy29Hg51H9dfFJMx0/a/F+5vKeCeVqimvyTM04C+XENNuSbYZ3eRPHGHFLqe
MNGxsfb7C7ZxEeW7J/vSzRgHxm7ZvESisUYRFq2sgkJ+HFERNrqfci45bdhmrUsy
7SWw9ybxdFOkuQoyKD3tBmiGfONQMlBaOMWdAsic965rvJsd5zYaZZFI1UwTkFXV
KJt3bp3Ngn1vEYXwijGTa+FXz6GLHueJwF0I7ug34DgUkAFvAs8Hacr2DRYxL5RJ
XdNgj4Jd2/g6T9InmWT0hASljur+dJnzNiNCkbn9KbX7J/qK1IbR8y560yRmFsU+
NdCFTW7wY0Fb1fWJ+/KTsC4=
=J6gs
-----END PGP PUBLIC KEY BLOCK-----
					

enlighterapt-get add public_key_file can be used to add a public key in either formats . If the file is stored remotely wget, for example , can first be used to download it .

As an example to add the public key for the stable distribution authored by Microsoft and which contains the visual studio code application , it can be done like this :

	
# As root execute the following command to 
# append the Microsoft source to /etc/apt/sources.list .
@debian:~$ echo "deb https://packages.microsoft.com/repos/vscode stable main" >> /etc/apt/sources.list

# Download the public key by using wget 
@debian:~$ wget https://packages.microsoft.com/keys/microsoft.asc

# Install the public key by using apt-key add
@debian:~$ apt-key add microsoft.asc
OK
# By default apt-key will add the public key 
# to the /etc/apt/trusted.pgp  file . 

# List the installed keys using apt-key list
@debian:~$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2015-10-28 [SC]
      BC52 8686 B50D 79E3 39D3  721C EB3E 94AD BE12 29CF
uid           [ unknown] Microsoft (Release signing) <gpgsecurity@microsoft.com>

					

Instead of separately downloading and adding the file , we can use apt-key adv --fetch-keys key_url to download and add the public key .

As an example , to add the source for the buster distribution authored by WineHQ , and which contains the wine application , it can be done like this :

	
# As root execute the following command to 
# append the WineHQ source to /etc/apt/sources.list .
@debian:~$ echo "deb https://dl.winehq.org/wine-builds/debian/ buster main" >> /etc/apt/sources.list

# Download and install the public key by using 
# apt-key adv --fetch-keys key_url
@debian:~$ apt-key adv --fetch-keys https://dl.winehq.org/wine-builds/winehq.key
Executing: /tmp/apt-key-gpghome.jxp4Jx1Q6f/gpg.1.sh --fetch-keys https://dl.winehq.org/wine-builds/winehq.key
gpg: requesting key from 'https://dl.winehq.org/wine-builds/winehq.key'
gpg: key 76F1A20FF987672F: public key "WineHQ packages <wine-devel@winehq.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1


# List the installed keys using apt-key list
@debian:~$ apt-key list
/etc/apt/trusted.gpg
--------------------
...

pub   rsa3072 2018-12-10 [SC]
      D43F 6401 4536 9C51 D786  DDEA 76F1 A20F F987 672F
uid           [ unknown] WineHQ packages <wine-devel@winehq.org>
sub   rsa3072 2018-12-10 [E] [expires: 2020-12-09]

...
					

Instead of using apt-key to add the public key , it can be placed directly inside the /etc/apt/trusted.gpg.d/ directory. If it is in ASCII armored format , it must have an .asc extension , and if it is in the binary packet format , it must have a .gpg extension.

As an example , to add the source for the stable distribution authored by Opera , and which contains the opera web browser , it can be done like this :

	
# As root execute the following command to 
# append the Opera source to /etc/apt/sources.list 
@debian:~$ echo "deb https://deb.opera.com/opera-stable/ stable non-free" >> /etc/apt/sources.list

# Download the public key by using wget 
@debian:~$ wget https://deb.opera.com/archive.key

# The downloaded public key in in the ASCII 
# armored format ,  hence 
# it must have the .asc extension .
@debian:~$ mv archive.key opera.asc
# Rename archive.key to opera.asc 

@debian:~$ mv opera.asc /etc/apt/trusted.gpg.d/
# Move the public key into /etc/apt/trusted.gpg.d/

# List the installed keys using apt-key list 
@debian:~$ apt-key list
/etc/apt/trusted.gpg.d/opera.asc
--------------------------------
pub   rsa4096 2019-09-12 [SC] [expires: 2021-09-11]
      68E9 B2B0 3661 EE3C 44F7  0750 4B8E C3BA ABDC 4346
uid           [ unknown] Opera Software Archive Automatic Signing Key 2019 <packager@opera.com>
sub   rsa4096 2019-09-12 [E] [expires: 2021-09-11]

					

Deleting the public key of a distribution

enlighterapt-key del <public_key_fingerprint> can be used to delete an installed public key .

			
@debian:~$ apt-key list
# List the installed public keys .
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
# The public keys fingerprints , highlighted in line
# 6 , 13 , 20
# can be used to delete the public keys .

@debian:~$ apt-key del "80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE"
OK
# Deleted the public key with the fingerprint 
# "80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE" .

@debian:~$ apt-key list
# List the installed public keys . 
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>