Adding Third-Party Repositories

The Ubuntu repositories do not always have the latest versions of Docker, PostgreSQL, Node.js, or Nginx. The official vendors publish their own APT repositories with current versions and security updates that are more recent than what Ubuntu ships. This article walks through adding three of the most commonly used third-party repositories using the secure, modern method.

The modern approach: DEB822 with signed-by

The old method used apt-key add to add a signing key to a single system-wide keyring. This is deprecated because a key in the shared ring can sign packages from ANY repository, which is a security risk. The modern approach stores each repository’s key in a separate file and references it explicitly in the repository definition.

Secure modern approach:
/etc/apt/keyrings/docker.asc     ← Repository-specific key
/etc/apt/sources.list.d/docker.sources or docker.list
    └── signed-by=/etc/apt/keyrings/docker.asc  ← Key tied to this repo only

OLD deprecated approach:
/etc/apt/trusted.gpg              ← All keys in one place
/etc/apt/sources.list.d/docker.list
    └── (no signed-by — trusts ALL keys in trusted.gpg)

Real example: Docker CE

# Step 1: Install prerequisites
sudo apt update
sudo apt install -y ca-certificates curl

# Step 2: Create the keyrings directory
sudo install -m 0755 -d /etc/apt/keyrings

# Step 3: Download Docker's signing key
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg     -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Step 4: Add the repository
echo   "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc]   https://download.docker.com/linux/ubuntu   $(. /etc/os-release && echo "$VERSION_CODENAME") stable" |   sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Step 5: Update and install
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Step 6: Verify
sudo docker run hello-world

Real example: PostgreSQL official

# Add the PostgreSQL Global Development Group (PGDG) repository

# Step 1: Add key and repo in one script (official method)
sudo apt install -y postgresql-common
sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh

# Or manually:
sudo curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc     -o /etc/apt/keyrings/postgresql.asc

echo "deb [signed-by=/etc/apt/keyrings/postgresql.asc]   https://apt.postgresql.org/pub/repos/apt   $(lsb_release -cs)-pgdg main" |   sudo tee /etc/apt/sources.list.d/pgdg.list

sudo apt update
# Install the latest PostgreSQL version
sudo apt install -y postgresql-17

Real example: NodeSource Node.js

# Add NodeSource repository for Node.js 22.x

# Step 1: Download and run the setup script
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -

# Or manually:
sudo curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key     -o /etc/apt/keyrings/nodesource.gpg

echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg]   https://deb.nodesource.com/node_22.x nodistro main" |   sudo tee /etc/apt/sources.list.d/nodesource.list

sudo apt update
sudo apt install -y nodejs

# Verify
node --version
npm --version

Verifying a repository

# After adding a repo, verify the package comes from it
apt-cache policy docker-ce

Output confirming docker-ce comes from Docker's repo

docker-ce:
  Installed: 5:26.1.1-1~ubuntu.24.04~noble
  Candidate: 5:26.1.1-1~ubuntu.24.04~noble
  Version table:
 *** 5:26.1.1-1~ubuntu.24.04~noble 500
        500 https://download.docker.com/linux/ubuntu noble/stable amd64

# List all configured repositories
grep -r "^deb\|^Types:" /etc/apt/sources.list /etc/apt/sources.list.d/

# Check GPG key fingerprints
gpg --no-default-keyring --keyring /etc/apt/keyrings/docker.asc --fingerprint

Removing a third-party repository

# Remove the repository file
sudo rm /etc/apt/sources.list.d/docker.list
# or for DEB822 format:
sudo rm /etc/apt/sources.list.d/docker.sources

# Remove the signing key
sudo rm /etc/apt/keyrings/docker.asc

# Update to reflect the removal
sudo apt update

# Optionally remove the packages installed from this repo
sudo apt remove docker-ce docker-ce-cli containerd.io

Conclusion

Always use the signed-by= approach when adding third-party repositories, with the signing key stored in /etc/apt/keyrings/ as a per-repository file. Follow the vendor’s official installation documentation rather than random blog posts. After adding any repository, verify with apt-cache policy that packages come from the expected source. Remove repositories by deleting both the .list file and the key file from /etc/apt/keyrings/.

FAQ

Is Adding Third-Party Repositories important for Ubuntu administrators?+

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?+

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?+

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.

Hire Me for Support