New GnuPG Repositories for Debian, Ubuntu, and Devuan: Versions 2.5.8 and 2.4.8 Now Available

GnuPG packages for Debian, Ubuntu, and Devuan

If you use GnuPG for production systems or testing environments, you've likely run into this: many Linux distributions ship older or heavily modified versions—with patches that diverge significantly from upstream code. To change that, we're now offering our own official repositories with stable releases and development builds—free from distribution-specific tweaks, and exactly as intended by the upstream team.

You can choose between two versions:

  • 2.4.8: recommended for production use (stable)
  • 2.5.8: the development version featuring the latest additions, including Kyber support

These repositories include all core components: gpg, gpg-agent, scdaemon, libgcrypt, libgpgme, and gpg-wks-client. In this article, we'll walk you through adding the repositories, importing the signing key, and installing GnuPG cleanly on your system.

GnuPG Repositories at a Glance: Version 2.4.8 and 2.5.8

The repositories listed below contain either the current stable release (2.4.8) or the latest development version (2.5.8). To see which packages and exact versions are available, check the directory listings for each repository.

The repositories are grouped by distribution and release branch:

Distribution  Branch       Version  Link
Devuan        Development  2.5.8    daedalus-devel
Devuan        Release      2.4.8    daedalus
Debian        Development  2.5.8    bookworm-devel
Debian        Development  2.5.8    trixie-devel
Debian        Release      2.4.8    bookworm
Debian        Release      2.4.8    trixie
Ubuntu        Development  2.5.8    jammy-devel
Ubuntu        Development  2.5.8    noble-devel
Ubuntu        Development  2.5.8    plucky-devel
Ubuntu        Release      2.4.8    jammy
Ubuntu        Release      2.4.8    noble
Ubuntu        Release      2.4.8    plucky

Importing and Saving the GnuPG Signing Key

First things first: you'll need to import the signing key for the GnuPG repository. The easiest way is to use an existing GnuPG installation and run the following command:

sudo gpg \
  --no-default-keyring \
  --keyring /usr/share/keyrings/gnupg-keyring.gpg \
  --fetch-keys https://repos.gnupg.org/deb/gnupg/<distro>/gnupg-signing-key.gpg

Replace <distro> with the codename of your distribution—for example, bookworm (GnuPG 2.4.8 on Debian 12), trixie-devel (2.5.8 on Debian 13), daedalus (2.4.8 on Devuan), or jammy, noble, or plucky (2.4.8 for Ubuntu).

After running the command, you should see output similar to this:

gpg: keybox '/usr/share/keyrings/gnupg-keyring.gpg' created
gpg: requesting key from 'https://repos.gnupg.org/deb/gnupg/<distro>/gnupg-signing-key.gpg'
gpg: key 33FD1BCF5E579D83: "Meik Michalke <meik.michalke@gnupg.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Prefer using curl or wget? No problem—you can download the key manually, too.

Download using wget:

wget -O- https://repos.gnupg.org/deb/gnupg/<distro>/gnupg-signing-key.gpg | \
  sudo gpg --dearmor --yes --output /usr/share/keyrings/gnupg-keyring.gpg

Download using curl:

curl https://repos.gnupg.org/deb/gnupg/<distro>/gnupg-signing-key.gpg | \
  sudo gpg --dearmor --yes --output /usr/share/keyrings/gnupg-keyring.gpg

Check Permissions: Make Sure the GnuPG Key Is Readable

After downloading the key, double-check that the file is readable by all users on the system. Otherwise, your package manager won't be able to access it. The output should look something like this:

$ ls -la /usr/share/keyrings/gnupg-keyring.gpg
-rw-r--r-- 1 root root 1100 Jun 24 13:33 /usr/share/keyrings/gnupg-keyring.gpg

This means the file is owned by root and has the permissions rw-r--r--: read and write access for the owner, and read-only access for everyone else. That's exactly what you want in this case.

If those read permissions are missing (for example, the file is marked rw-------), apt won't be able to use it, and adding the repository will fail. In that case, you can fix the permission with:

sudo chmod a+r /usr/share/keyrings/gnupg-keyring.gpg

This makes the file readable by all users on the system—a necessary step for your package manager to do its job.
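The wget and curl commands above write whatever they download straight into the keyring that apt will trust. As an added example (not part of the original article), the script below checks a downloaded key first: it must contain exactly one primary key whose fingerprint ends with the value you expect, such as the key ID 33FD1BCF5E579D83 from the gpg output above or, better, a full fingerprint obtained through a second channel. The function names, the temp-file workflow and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Function names, the temp-file workflow
# and the sample records are assumptions made for illustration.

# Print the fingerprint of every primary key found in
# `gpg --show-keys --with-colons` output read from stdin.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# keyfile_ok EXPECTED: succeed only if stdin lists exactly one primary key
# whose fingerprint ends with EXPECTED (full fingerprint or 16-digit key ID).
# apt trusts every key in a Signed-By keyring, so extra keys are rejected.
keyfile_ok() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#expected}" -ge 16 ] || return 2
    fprs=$(primary_fingerprints)
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 1
    case "$fprs" in *"$expected") return 0 ;; *) return 1 ;; esac
}

# install_repo_key URL EXPECTED: download to a temp file, verify, then install
# at the Signed-By path with mode 0644 so apt can read it.
install_repo_key() {
    tmp=$(mktemp) || return 1
    rc=0
    curl -fsSL -o "$tmp" "$1" &&
        gpg --show-keys --with-colons "$tmp" | keyfile_ok "$2" &&
        sudo gpg --dearmor --yes --output /usr/share/keyrings/gnupg-keyring.gpg < "$tmp" &&
        sudo chmod 0644 /usr/share/keyrings/gnupg-keyring.gpg || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample records (not a real key) for trying keyfile_ok offline.
sample_listing() {
    printf '%s\n' \
        'pub:-:255:22:89ABCDEF01234567:1750000000:::-:::scESC:::::ed25519:::0:' \
        'fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:' \
        'uid:-::::1750000000::CONSTRUCTED::Example Key <key@example.org>:' \
        'sub:-:255:18:FEDCBA9876543210:1750000000::::::e:::::cv25519::' \
        'fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAAFEDCBA9876543210:'
}
```

Call it as install_repo_key followed by the key URL for your <distro> and the expected fingerprint or key ID; nothing is written to /usr/share/keyrings unless the check passes.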

Add the GnuPG Repository as a Trusted Source

Next, you'll need to add the GnuPG repository to your system's package manager. To do this, create a new configuration file that points to the repository and references the signature key. Run the following command:

echo "Types: deb
URIs: https://repos.gnupg.org/deb/gnupg/<distro>/
Suites: <distro>
Components: main
Signed-By: /usr/share/keyrings/gnupg-keyring.gpg" |
sudo tee /etc/apt/sources.list.d/gnupg.sources

Replace <distro> with the codename of your distribution—for example, bookworm (GnuPG 2.4.8 for Debian 12), trixie-devel (GnuPG 2.5.8 for Debian 13), daedalus (2.4.8 for Devuan), jammy, noble, or plucky (all 2.4.8 for Ubuntu).

What Does This Do?

  • Types: deb: Tells the package manager that this is a binary Debian repository (i.e., it contains .deb packages, not source packages).
  • URIs: https://repos.gnupg.org/deb/gnupg/<distro>/: This is the actual URL of the GnuPG repository.
  • Suites: <distro>: Specifies the suite (or codename) for your distribution.
  • Components: main: The repository only has one section, main, which is common for upstream repositories.
  • Signed-By: /usr/share/keyrings/gnupg-keyring.gpg: Points to the trusted GPG key used to verify packages from this source (the one you just imported).

The use of sudo tee writes this configuration to a file named gnupg.sources inside the /etc/apt/sources.list.d/ directory. That's the recommended location for additional repositories on Debian-based systems: clean, standard, and easy to manage.

Installing GnuPG: Update Package Lists and Choose a Version

Once the repository is set up and the signing key has been imported, you can update your package lists using apt update:

$ sudo apt update

This command pulls the latest package information from all configured sources—including the GnuPG repository.

Before installing, it's a good idea to check package priorities and make sure you're actually getting the version you want. To do that, inspect the current package status:

$ apt policy gnupg2
gnupg2:
  Installed: 2.2.40-1.1
  Candidate: 2.2.40-1.1
  Version table:
     2.5.8-2 500
        500 https://repos.gnupg.org/deb/gnupg/bookworm-devel trixie/main amd64 Packages
 *** 2.2.40-1.1 900
        900 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status

apt shows both the currently installed version and all available alternatives—along with their respective priorities. If, for example, the default version has a priority of 900 and the GnuPG repository version is listed with 500, a regular apt upgrade will still prefer the older version.

To install or upgrade to the newer version (2.4.8 or 2.5.8), you need to explicitly select the desired source. The easiest way to do that is:

sudo apt install -t <suite> gnupg2

Here, <suite> refers to the repository name in your sources file, for example, bookworm, trixie, jammy, or daedalus. This command ensures that apt installs not just gnupg2, but also all related components like gpg-agent, dirmngr, libgcrypt, and others from the new repository.

In some cases, both versions may have the same priority, typically 500. When that happens, apt won't choose based on relevance but will simply go with the newer version available, usually from the newly added repository. The upgrade will then happen automatically during the next regular apt upgrade.
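To make the priority check scriptable, the following added example (not part of the original article; function names are assumptions) parses apt policy output and reports whether the install candidate is actually served from repos.gnupg.org. Its sample input is the apt policy output shown earlier, for which the check fails because the Debian version at priority 900 is the candidate.

```shell
#!/bin/sh
# Added example, not from the article: confirm that apt's install candidate
# for a package comes from the GnuPG repository. Function names are
# assumptions made for illustration.

# Read `apt policy <package>` output on stdin and print every source
# (URL or status file) that offers the Candidate version.
candidate_sources() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        $1 == "***"        { cur = $2; next }   # row of the installed version
        /^     [^ ]/       { cur = $1; next }   # any other version row
        /^        [0-9]/ && cur == cand { print $2 }
    '
}

# Succeed only if the candidate version is offered by repos.gnupg.org.
candidate_from_gnupg_repo() {
    candidate_sources | grep -q '^https://repos\.gnupg\.org/'
}

# The `apt policy gnupg2` output shown in the article, used as sample input.
article_sample() {
    cat <<'EOF'
gnupg2:
  Installed: 2.2.40-1.1
  Candidate: 2.2.40-1.1
  Version table:
     2.5.8-2 500
        500 https://repos.gnupg.org/deb/gnupg/bookworm-devel trixie/main amd64 Packages
 *** 2.2.40-1.1 900
        900 http://deb.debian.org/debian bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# Typical use in a provisioning script (apt-cache policy prints the same table):
#   apt-cache policy gnupg2 | candidate_from_gnupg_repo ||
#       echo "gnupg2 candidate is not from repos.gnupg.org; use apt install -t <suite>" >&2
```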

Note: If you're using a smartcard, make sure to install the scdaemon package manually—it's not pulled in automatically.

Check your GnuPG version: Verifying the installation

Once the installation is complete, it's worth taking a moment to confirm that your system is actually using the new GnuPG version. Just run:

gpg --version

The output shows the installed version number, the cryptographic library used (libgcrypt), the supported algorithms, and the path to the GnuPG home directory.

After upgrading to version 2.5.8, you might see something like this:

gpg (GnuPG) 2.5.8
libgcrypt 1.11.1
[...]
Supported algorithms:
Pubkey: RSA, Kyber, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Notably, version 2.5.8 includes Kyber in the list of supported algorithms—a quantum-resistant key exchange method introduced with GnuPG 2.5. This marks a major step forward, giving you access to a significantly more modern cryptographic architecture.

gpg-agent and dirmngr with GnuPG 2.4.8 and 2.5.8: Restart and Check

The gpg-agent is a key part of GnuPG. It manages passphrases, talks to smartcards, and provides several interfaces via Unix sockets. Its companion, dirmngr, handles tasks like fetching keys and certificates behind the scenes.

After installing the new version, it's worth taking a quick look at both components—especially since their behavior has changed: our packages no longer use systemd integration. That means gpg-agent and dirmngr are no longer managed through systemctl --user, but instead run the traditional way—launched directly by GnuPG when needed.

To check if the agent is currently running, use:

$ gpgconf --list-dirs agent-socket
/run/user/1000/gnupg/S.gpg-agent

Should you run into issues after installation or configuration changes—for example, a warning like:

gpg: WARNING: server 'dirmngr' is older than us (2.4.7 < 2.5.8)

—it usually means an older background process is still running.

In that case, the easiest fix is to stop all GnuPG components at once:

gpgconf --kill all

This is the recommended way to cleanly restart everything after an upgrade. GnuPG will automatically relaunch the necessary services, in the correct version and configuration.

Note: If you were previously using GnuPG 2.2.x, systemd units for gpg-agent or dirmngr might have been active. These are removed automatically when upgrading to 2.4.8 or 2.5.8—no manual cleanup needed. A command like systemctl --user list-unit-files | grep gpg-agent should return nothing.

Support and Feedback: Join the Conversation

If you run into issues while testing the packages or just want to connect with others, feel free to drop by the GnuPG Forum. It's a great place to exchange ideas with fellow users and developers.

If you discover a bug, please don't report it through your distribution's bug tracker—report it directly to the GnuPG team instead. You'll find all the details on how to write a useful bug report here.