How to add a third-party repo. and key in Debian?

I looked at another similar question about adding third-party repos. I am trying to add a third-party desktop IM client called riot . While the site gives link to the third-party it gives no instructions as how to add third-party sources or keyring in Debian. I went through and made the following additions in my /etc/apt/sources.list –

######## Third party repos #######
deb stretch main

Now I have two questions :-

a. Is the third-party repo. I have entered is correct or should I ask for more information from upstream.

b. How do I add the secure key as all packages are usually signed in the Debian Universe. The public key is given at

I am on Debian stretch/testing.


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

You must NEVER install any 3rd party key with apt-key add, as suggested in other posts, because it would cause the system to accept signatures from the third-party keyholder on all other repositories configured on the system.
You should set up the repository and install the key as follows:

  1. Create directory for manually installed OpenPGP keys:
    $ sudo mkdir /usr/local/share/keyrings
  2. Download the key into the directory.

    Since your key’s extension is .asc, it is probably “ascii-armored” (you can check this by downloading they key and opening it in a text editor: if it starts with something like


    then it is armored; if it looks like a set of some binary data, then it is not armored and you can use it as it is):
    • for an armored key:
      $ curl | gpg --dearmor | sudo dd of=/usr/local/share/keyrings/riot-archive-keyring.gpg
    • If the key is not armored, then use this command instead:
      $ sudo wget -O /usr/local/share/keyrings/riot-archive-keyring.gpg
  3. Add the desired 3rd party repository into the list of sources (pay attention to the signed-by option, it tells APT that the repo is signed with the specific key):
    • It is recommended to use the new deb822 multiline format for sources now. So create new .sources file with the respective content below:
      $ sudoedit /etc/apt/sources.list.d/riot.sources

      Types: deb
      Suites: stretch
      Components: main
      Signed-By: /usr/local/share/keyrings/riot-archive-keyring.gpg
    • Or if you prefer the legacy style (one line per source), use this command instead::
      $ echo "deb [signed-by=/usr/local/share/keyrings/riot-archive-keyring.gpg] stretch main" | sudo tee -a /etc/apt/sources.list.d/riot.list
  4. Restrict the 3rd party repository to some specific software package only. Create preference control file for APT:
    $ sudoedit /etc/apt/preferences.d/riot.pref
  5. Put the following content into the file (if necessary, you can append the package name with asterisk (*) as a wildcard or list multiple package names separated by space ():
    Package: *
    Pin: origin
    Pin-Priority: 1
    Package: riot-web
    Pin: origin
    Pin-Priority: 500

You can find official information from Debian here:

Method 2

To add the key run:

sudo apt-key add repo-key.asc

The third-party repo is correct and compatible with the general format posted on debian wiki:

The entries in this file normally follow this format:

deb distribution component1 component2 component3

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments