For Debian and Ubuntu, the modern recommended location for signing keys should be `/etc/apt/keyrings` instead of `/etc/apt/trusted.gpg.d`. While the latter will work, it's less secure. While extremely unlikely, it's a possible attack vector where a compromised supply chain of a 3rd party package could, in the 3rd party repositories and under the right circumstances, override a system package with a compromised version.
The reason being that `/etc/apt/trusted.gpg.d` contains GPG keyring files that are trusted globally by APT, which means they're trusted for all repositories and cannot be restricted to specific repositories.
`/etc/apt/keyrings` can be used with the `signed-by` option in sources lists (which the docs already instruct the user to do at this point). The benefit here is that it's a per-repository key assignment rather than global trust, so it provides better security isolation between repositories.
I believe that around apt 2.4 is when `/etc/apt/keyrings` started to be recommended, so this would apply starting with Ubuntu 22.04 (jammy) and Debian 12 (bookworm), although older versions do support `signed-by` in the package list file. It's just that the directory may not yet exist on those older distributions with previous versions of apt.
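As an added example (not part of this issue or the project's documentation), the following POSIX shell functions make the distinction above concrete: they generate a sources entry that pins a key with `signed-by`, in both the one-line and deb822 formats, and lint existing one-line entries to report which ones fall back to the globally trusted keyrings in `/etc/apt/trusted.gpg` or `/etc/apt/trusted.gpg.d/`. The repository URL, suite, and keyring file names are placeholders, and the lint only understands the one-line `deb ...` format, not `.sources` files.

```shell
#!/bin/sh
# Added example; not the issue author's or the project's own code.
# Repository URL, suite and keyring paths below are placeholders.

# True when a keyring path is one apt trusts for *every* repository:
# /etc/apt/trusted.gpg itself or anything under /etc/apt/trusted.gpg.d/.
keyring_is_global() {
    case "$1" in
        /etc/apt/trusted.gpg|/etc/apt/trusted.gpg.d/*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line sources.list entry that pins a key to this repository only.
# Usage: apt_source_line <keyring-file> <url> <suite> <components...>
apt_source_line() {
    keyring=$1; url=$2; suite=$3; shift 3
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$*"
}

# Same repository in deb822 format (a /etc/apt/sources.list.d/*.sources file).
apt_source_deb822() {
    keyring=$1; url=$2; suite=$3; shift 3
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$url" "$suite" "$*" "$keyring"
}

# Classify one `deb ...` line. Prints and returns:
#   scoped             (0) signed-by points at a per-repository keyring
#   scoped-but-global  (1) signed-by is set, but the file lives in the global
#                          trust directory, so other repos trust it as well
#   global             (1) no signed-by; any globally trusted key is accepted
classify_source_line() {
    case "$1" in
        *'['*signed-by=*']'*)
            key=$(printf '%s\n' "$1" | sed -n 's/.*signed-by=\([^] ,]*\).*/\1/p')
            if keyring_is_global "$key"; then
                echo scoped-but-global; return 1
            fi
            echo scoped; return 0 ;;
        *)
            echo global; return 1 ;;
    esac
}

# Lint a one-line sources file on stdin: prints "<verdict>\t<line>" for each
# deb/deb-src entry and returns 1 if any entry relies on global trust.
lint_sources() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            deb*) ;;
            *) continue ;;
        esac
        verdict=$(classify_source_line "$line") || rc=1
        printf '%s\t%s\n' "$verdict" "$line"
    done
    return $rc
}
```

Run `lint_sources < /etc/apt/sources.list.d/example.list` (placeholder name) to see which entries would accept a signature from any key in `/etc/apt/trusted.gpg.d/`; a `scoped-but-global` verdict means the key is pinned for this repository but still trusted by every repository that lacks `signed-by`, which is exactly the situation the issue describes.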