On a typical installation several apt GPG keys are added, be it for PPAs or other sources, and later go unused.
It is hard to identify in the GUI (software-properties) which keys are actually used for which repositories.
Is there an easy way to identify which keys are used at all, so that all the other keys can be removed?
In my opinion this has some security implications. If a repository owner loses their private key and updates the repository to use a new key, lots of people still have the old (non-trustworthy) key installed, right?
Removing unused keys is pretty simple, but just like when adding keys, you are the one in charge of doing your homework and deciding which keys are no longer in use and can be removed.
Start by listing the apt keys you currently have with:
sudo apt-key list
Once you identify a key that you no longer need, you can simply remove it with:
sudo apt-key del KEYID
With the list command you will usually be able to see what each key is for, especially if it is from a PPA, since it will usually have a uid that includes something like "Launchpad PPA for John". So, if you removed that PPA from the sources and are no longer using it, you can safely remove the key.
Sometimes you might need a quick google to know where a specific key comes from. For example, the mono key has the uid "Xamarin Public Jenkins"; if you google Xamarin you can see where that key came from. Also, you can always go back to your bash history and find a key that you added if you are unsure.
man apt-key
is there for more info and other commands.

I wrote a script that automatically identifies (and optionally deletes) unused GPG keys. You can check it out here: https://github.com/LorenzoAlluminio/dotfiles/blob/master/bin/unused-gpg-keys
It is quite clunky but it works. There might be bugs, use at your own risk.
The workflow of the script is the following:
Edit: fixed link
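The workflow such a script can follow, written as an added example here (my own code, not the script linked above): it assumes the gpg2-style `apt-key list` output (a "pub" line, an indented 40-hex-digit fingerprint line, then "uid" lines), apt's standard cache directory /var/lib/apt/lists for fetched InRelease and Release.gpg files, and the ":signature packet: ... keyid XXXXXXXXXXXXXXXX" lines that `gpg --list-packets` prints. Each installed key is matched against the keys that actually signed a downloaded Release file; anything left over is a candidate for removal, to be checked by hand.

```shell
#!/bin/sh
# Added example: list apt keys that have signed no Release file apt fetched.
LISTS_DIR="${LISTS_DIR:-/var/lib/apt/lists}"   # standard apt layout (assumption)

# Long key IDs (last 16 hex digits of the fingerprint) of every signature on
# the fetched InRelease / Release.gpg files. `gpg --list-packets` prints
# lines such as ":signature packet: algo 1, keyid 0123456789ABCDEF".
used_key_ids() {
    for f in "$LISTS_DIR"/*InRelease "$LISTS_DIR"/*Release.gpg; do
        [ -f "$f" ] || continue
        gpg --batch --list-packets "$f" 2>/dev/null
    done | awk '/^:signature packet:/ { for (i = 1; i <= NF; i++)
                 if ($i == "keyid") print toupper($(i + 1)) }' | sort -u
}

# Read `apt-key list` output on stdin; print "<long key id>\t<primary uid>".
keys_from_list() {
    awk '
        /^pub /  { want_fp = 1; keyid = ""; next }
        want_fp && /^ +[0-9A-F]/ {
            fp = $0; gsub(/ /, "", fp)
            if (length(fp) == 40) keyid = substr(fp, 25, 16)
            want_fp = 0; next
        }
        /^uid / && keyid != "" {
            sub(/^uid +/, ""); sub(/^\[[^]]*\] +/, "")   # drop "[ unknown]" trust tag
            print keyid "\t" $0; keyid = ""
        }'
}

# $1: file written by keys_from_list; $2: file of used key IDs, one per line.
# Prints the keys from $1 whose ID is absent from $2. FILENAME is used instead
# of the NR==FNR idiom so an empty used-ID file (nothing fetched yet) still
# reports every installed key instead of swallowing them.
unused_keys() {
    awk -F '\t' 'FILENAME == ARGV[1] { used[$1] = 1; next } !($1 in used)' "$2" "$1"
}

main() {
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    apt-key list 2>/dev/null | keys_from_list > "$tmp/installed"
    used_key_ids > "$tmp/used"
    echo "Keys that signed no fetched Release file (verify before deleting):"
    unused_keys "$tmp/installed" "$tmp/used"
}
# Run only when asked, so the file can be sourced to reuse the functions.
if [ "${RUN_APT_KEY_AUDIT:-0}" = 1 ]; then main; fi
```

A key that shows up as unused may still belong to a repository that is temporarily disabled or not yet refreshed with `apt-get update`, so the list is a starting point for the homework the first answer describes, not a deletion list.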