Third-party APT repositories are easier to audit when every external source uses a predictable file name, a dedicated signing key, and a repeatable enable or disable command. Debian’s extrepo tool gives you that managed path for repositories listed in the Debian-maintained extrepo-data catalog. Use it when you want to search, enable, disable, refresh, and remove third-party APT repos on Debian without hand-writing every DEB822 source file yourself.
The commands apply to Debian 13 (trixie), Debian 12 (bookworm), and Debian 11 (bullseye). The core workflow works across all three releases, but Debian 11 lacks the extrepo-offline-data package, and Debian 13 can reject older SHA-1 key signatures in some extrepo entries until the bundled key is refreshed.
Understand extrepo on Debian
The extrepo command reads repository definitions from the extrepo-data catalog on Salsa. Each entry describes the repository URL, package components, supported architecture, signing key, and license policy. When you enable an entry, extrepo writes a DEB822 .sources file under /etc/apt/sources.list.d/ and stores the matching key under /var/lib/extrepo/keys/.
The main tradeoff is control versus freshness. Extrepo saves time for cataloged repositories, but the catalog can lag behind a vendor’s current repository instructions or signing key. If a vendor publishes a current DEB822 setup, that direct vendor method is often clearer for a dedicated install article. Extrepo is still useful for discovery, quick repository setup, temporary testing, and cleanup of repositories it manages.
| Task | Extrepo Behavior | Manual DEB822 Behavior |
|---|---|---|
| Find repository names | extrepo search searches the catalog | You check vendor docs or package indexes yourself |
| Create source files | extrepo enable writes extrepo_*.sources | You write or download the .sources file |
| Signing keys | Keys come from the catalog and are stored in /var/lib/extrepo/keys/ | You fetch the current vendor key and choose the keyring path |
| Disable a source | extrepo disable adds Enabled: no | You edit, disable, or remove the source file |
| Refresh a managed source | extrepo update repo-name rewrites the source and key from catalog metadata | You update the source and key from vendor instructions |
| Best fit | Cataloged repositories, testing, temporary access, and managed cleanup | Vendor-recommended production setup or repositories not in the catalog |
Install extrepo on Debian
Refresh Debian’s package metadata before installing the repository manager:
sudo apt updateIf your account cannot use
sudo, configure administrative access first with the Debian guide to add a user to sudoers on Debian.
On Debian 13 and Debian 12, install extrepo with the offline catalog package:
sudo apt install extrepo extrepo-offline-dataOn Debian 11, install extrepo by itself because extrepo-offline-data is not packaged for bullseye:
sudo apt install extrepoVerify the installed package state:
dpkg -l extrepo | grep '^ii'Relevant output on Debian 13 includes:
ii extrepo 0.14 all External repository manager
Current default package candidates are 0.14 on Debian 13, 0.11 on Debian 12, and 0.8 on Debian 11. Those versions support search, enable, disable, and repository-specific update commands.
Search the extrepo Catalog on Debian
Run extrepo search without a search key to list every catalog entry available to your Debian release:
extrepo searchThe full list can be long. The current catalogs returned hundreds of entries on Debian 13, Debian 12, and Debian 11, so use a search key when you already know the vendor or repository name.
Search for an Exact extrepo Entry
The search key is a regular expression matched against the repository name, description, and URL. For exact entry-name matching, anchor the pattern so broad words do not match unrelated descriptions:
extrepo search '^brave_release$'Relevant output on Debian 13 includes:
Found brave_release: --- description: Brave browser release repository gpg-key-checksum: sha256: 167dff45524ce196a8d14c7b1586944724afc182a11be96d45b047f825f444c5 gpg-key-file: brave_release.asc policy: main source: Architectures: amd64 Components: main Suites: stable Types: deb URIs: https://brave-browser-apt-release.s3.brave.com
The Found brave_release line is the repository name to pass to extrepo enable. For a complete browser install workflow after enabling that source, use the dedicated guide to install Brave Browser on Debian.
A broad pattern such as
extrepo search "brave|chrome|edge"can match unrelated entries becauseextrepoalso searches descriptions and URLs. Use anchored patterns when you need a specific repository name.
Use the Offline extrepo Catalog on Debian 13 and 12
Debian 13 and Debian 12 can search the catalog shipped by extrepo-offline-data instead of fetching the catalog from the project URL:
extrepo --offlinedata search '^brave_release$'Debian 11 does not ship extrepo-offline-data, and its older extrepo package does not handle the --offlinedata option. Use the normal online search on bullseye.
Enable a Third-Party Repository with extrepo on Debian
Enable a repository by passing the exact catalog entry name. This example uses the Brave stable repository because it is categorized under the default main policy:
sudo extrepo enable brave_releaseInspect the generated source file:
cat /etc/apt/sources.list.d/extrepo_brave_release.sourcesRelevant output on Debian 13 includes:
Architectures: amd64 Types: deb Suites: stable Components: main Uris: https://brave-browser-apt-release.s3.brave.com Signed-By: /var/lib/extrepo/keys/brave_release.asc
Field order can vary by release, and APT treats DEB822 field names case-insensitively. The important checks are the repository URL, suite, component, architecture, and Signed-By key path.
Refresh APT and confirm that the new repository contributes the package you expect:
sudo apt update
apt-cache policy brave-browserRelevant output on Debian 13 includes:
brave-browser:
Installed: (none)
Candidate: 1.90.121
Version table:
1.90.121 500
500 https://brave-browser-apt-release.s3.brave.com stable/main amd64 Packages
The version will change as Brave publishes updates. The stable signal is that apt-cache policy shows the expected repository URL and package source after sudo apt update.
Disable, Re-enable, and Update extrepo Repositories on Debian
Disable an extrepo Repository
Disabling a repository keeps the source file in place but tells APT to ignore it:
sudo extrepo disable brave_releaseConfirm the file now includes Enabled: no:
grep -E '^(Enabled|Uris|Suites|Components|Signed-By):' /etc/apt/sources.list.d/extrepo_brave_release.sourcesRelevant output includes:
Suites: stable Components: main Uris: https://brave-browser-apt-release.s3.brave.com Signed-By: /var/lib/extrepo/keys/brave_release.asc Enabled: no
Re-enable the same repository when you want APT to use it again:
sudo extrepo enable brave_release
sudo apt updateRefresh an extrepo-Managed Source and Key
The extrepo update repo-name command rewrites that repository’s source file and signing key from current catalog metadata:
sudo extrepo update brave_release
sudo apt updateDebian 13 uses extrepo 0.14, so you can omit the repository name to update all files named extrepo_*.sources. Debian 12 and Debian 11 need the repository name.
On Debian 12, running sudo extrepo update without a repository name returns:
Repository does not exist! at /usr/share/perl5/Debian/ExtRepo/Commands/Enable.pm line 24.
On Debian 11, the same command returns:
Update without a repository is not yet supported
Enable Non-Free and Contrib Policies with extrepo on Debian
Extrepo enables only main policy repositories by default. Repositories for proprietary software, such as Google Chrome, Microsoft Edge, Opera, and Slack, are usually tagged as non-free. If you try to enable one before changing the policy setting, extrepo refuses to write the source.
sudo extrepo enable google_chromeExpected policy error:
None of the license inclusion policies in google_chrome were enabled. Please edit /etc/extrepo/config.yaml and enable the required policies
Open or inspect the configuration file:
cat /etc/extrepo/config.yamlThe default policy block looks like this:
enabled_policies: - main # - contrib # - non-free
Uncomment contrib and non-free. Use these sed command examples to make the change directly:
sudo sed -i 's/^# - contrib/- contrib/' /etc/extrepo/config.yaml
sudo sed -i 's/^# - non-free/- non-free/' /etc/extrepo/config.yamlVerify the policy block now includes all three entries:
cat /etc/extrepo/config.yamlenabled_policies: - main - contrib - non-free
The same google_chrome command can now create the source file:
sudo extrepo enable google_chrome
cat /etc/apt/sources.list.d/extrepo_google_chrome.sourcesRelevant output on Debian 13 includes:
Uris: http://dl.google.com/linux/chrome/deb/ Architectures: amd64 Types: deb Components: main Suites: stable Signed-By: /var/lib/extrepo/keys/google_chrome.asc
If you enabled Chrome only to test policy access, disable it and remove the generated source and key:
sudo extrepo disable google_chrome
sudo rm -f /etc/apt/sources.list.d/extrepo_google_chrome.sources
sudo rm -f /var/lib/extrepo/keys/google_chrome.asc
sudo apt updateFor Debian-owned archive components such as contrib, non-free, and non-free-firmware, use the separate guide to enable contrib and non-free repositories on Debian. Extrepo policies only control which third-party catalog entries the extrepo tool may enable.
Handle Debian 13 SHA-1 Key Errors in extrepo
Debian 13 uses Sequoia’s sqv verifier for some APT key checks. If an extrepo entry still ships an ASCII-armored key with SHA-1 binding signatures, sudo apt update can reject the repository even when the vendor has already refreshed the current public key. The Microsoft Edge extrepo entry currently shows this failure on Debian 13.
The error looks like this:
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on BC528686B50D79E339D3721CEB3E94ADBE1229CF is not bound: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance SHA1 is not considered secure since 2026-02-01T00:00:00Z
Install ca-certificates, gpg, and wget if your system does not already have them:
sudo apt install ca-certificates gpg wgetCheck the bundled extrepo key. digest algo 2 indicates SHA-1:
gpg --list-packets /var/lib/extrepo/keys/edge.asc 2>&1 | grep 'digest algo'digest algo 2, begin of digest 1a 9b
Compare it with the current Microsoft key. digest algo 8 indicates SHA-256:
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --list-packets 2>&1 | grep 'digest algo'digest algo 8, begin of digest 8f f6
Replace the extrepo-managed key with the vendor’s current key, then refresh APT:
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | sudo tee /var/lib/extrepo/keys/edge.asc > /dev/null
sudo apt updateRunning
sudo extrepo update edgecan restore the stale catalog key until the extrepo-data entry itself is fixed. If the SHA-1 error returns, repeat the key replacement or switch that repository to the vendor’s current manual DEB822 setup.
Fix Vendor Repository Conflicts with extrepo on Debian
Some vendor packages create their own repository file after installation. If that file points at the same repository as an extrepo-managed source but uses a different Signed-By path, APT can stop with a conflict instead of refreshing package metadata.
A typical conflict looks like this:
E: Conflicting values set for option Signed-By regarding source http://dl.google.com/linux/chrome/deb/ stable: /var/lib/extrepo/keys/google_chrome.asc != E: The list of sources could not be read.
Find duplicate Chrome source files before deleting anything:
grep -R "dl.google.com/linux/chrome/deb" /etc/apt/sources.list.d/If the duplicate file is a vendor-created google-chrome*.list entry and you want extrepo to own the repository, remove the duplicate legacy file and refresh APT:
sudo rm -f /etc/apt/sources.list.d/google-chrome*.list
sudo apt updateFor Microsoft Edge, search for the Edge repository URL and remove only the duplicate Edge source file if extrepo should remain the owner:
grep -R "packages.microsoft.com/repos/edge" /etc/apt/sources.list.d/
sudo rm -f /etc/apt/sources.list.d/microsoft-edge*.list
sudo apt updateRemove only files that point at the same repository URL. A source file with an unrelated product name can still contain a duplicate repository line, so inspect the matching lines before deleting by filename.
Use Tor, Offline Data, and Custom Mirrors with extrepo on Debian
Route extrepo Repositories Through Tor on Debian 13
Debian 13’s extrepo 0.14 package supports the --tor option. It changes the source URL that extrepo writes for a repository. Install the APT Tor transport first:
sudo apt install apt-transport-torAPT installs the Tor service and transport helper as dependencies. Enable a repository with automatic Tor handling:
sudo extrepo --tor auto enable brave_release| Mode | Behavior |
|---|---|
onion | Uses a cataloged .onion URL and fails if the entry has none. |
tunnel | Prepends tor+ to the normal repository URL. |
auto | Uses .onion when available, otherwise falls back to tunnel. |
if-onion | Uses .onion when available, otherwise keeps the normal URL. |
off | Writes the normal repository URL. |
To make Tor routing the default for future extrepo commands, add this setting to /etc/extrepo/config.yaml:
tor: autoDebian 12’s extrepo 0.11 package does not support --tor, and Debian 11’s extrepo 0.8 package does not support that option syntax. Keep Tor routing to Debian 13 unless you have independently verified a newer backported extrepo package.
Use a Custom Mirror with extrepo on Debian 13 and 12
The --mirror option is available in Debian 13 and Debian 12. It overrides the repository URL while keeping extrepo’s original signing-key metadata. Replace the mirror URL with your internal mirror before running the command:
sudo extrepo --mirror https://mirror.example.com/brave enable brave_releaseDebian 11’s extrepo 0.8 package does not support --mirror. The --url option is different. It changes the extrepo metadata catalog source itself, not the third-party repository URL. Use --offlinedata on Debian 13 or Debian 12 when you want to search the packaged offline catalog instead of the online catalog:
extrepo --offlinedata search '^brave_release$'Troubleshoot Common extrepo Issues on Debian
Repository Name Not Found
If extrepo enable says a repository does not exist, confirm the exact catalog name first:
extrepo search keywordUse the name after Found, not the package name you plan to install. For example, the Brave package is brave-browser, but the extrepo entry is brave_release.
If the entry is not in the catalog, use the vendor’s manual DEB822 instructions instead of forcing an extrepo workflow. The Debian sources.list(5) man page explains the source-file format that extrepo writes.
Policy Error When Enabling a Repository
If the error says no license inclusion policies were enabled, the repository is tagged under contrib or non-free. Edit /etc/extrepo/config.yaml as shown in the non-free policy section, then run the same extrepo enable command again.
Package Missing After Enabling a Repository
A repository name and package name are not always the same. After enabling the source and running sudo apt update, search APT for the package names that repository exposes:
apt search keyword
apt-cache policy package-nameIf apt-cache policy does not show the repository URL, APT did not ingest the source. Recheck the .sources file, the signing key error, and the output from the most recent sudo apt update.
Remove extrepo and Clean Up Repositories on Debian
Remove One extrepo-Managed Repository
To stop using a single extrepo-managed source, disable it, remove its source file and key, then refresh APT:
sudo extrepo disable brave_release
sudo rm -f /etc/apt/sources.list.d/extrepo_brave_release.sources
sudo rm -f /var/lib/extrepo/keys/brave_release.asc
sudo apt updateConfirm the removed source no longer contributes the package candidate:
apt-cache policy brave-browserAfter sudo apt update, the removed extrepo URL should no longer appear in the policy output.
Remove extrepo Completely
List any remaining extrepo source files before uninstalling the tool:
ls /etc/apt/sources.list.d/extrepo_*.sources 2>/dev/nullRemove those sources and refresh APT:
sudo rm -f /etc/apt/sources.list.d/extrepo_*.sources
sudo apt updateOn Debian 13 and Debian 12, remove both packages:
sudo apt remove --purge extrepo extrepo-offline-dataOn Debian 11, remove only extrepo:
sudo apt remove --purge extrepoThe next command permanently deletes extrepo’s downloaded keys and repository metadata under
/var/lib/extrepo/. Packages already installed from those repositories remain installed, but they stop receiving updates from the removed source.
sudo rm -rf /var/lib/extrepo/Verify that extrepo is no longer installed:
dpkg -l extrepo 2>/dev/null | grep '^ii' || echo "extrepo is not installed"extrepo is not installed
Run sudo apt autoremove only after reviewing the package list APT proposes. On reused systems, autoremove can include packages unrelated to extrepo.
Further Reading and Related Debian Guides
- extrepo(1p) man page – Official command reference for extrepo options, subcommands, and configuration syntax.
- extrepo-data on Salsa – Debian-maintained repository metadata used by extrepo.
- Install Backports on Debian – Use Debian’s official backports and experimental suites when the package you need is in Debian but not current enough in stable.
- Install Flatpak on Debian – Use Flathub for desktop applications when a third-party APT repository is not the best fit.
Conclusion
Extrepo is installed and ready to manage cataloged third-party APT repositories on Debian with clear source files, dedicated keys, and reversible enable or disable commands. For repositories outside the catalog, use the vendor’s current DEB822 setup; for Debian-owned package components, keep using the normal Debian component workflow.
Formatting tips for your comment
You can use basic HTML to format your comment. Useful tags currently allowed in published comments:
<code>command</code>command<strong>bold</strong><em>italic</em><blockquote>quote</blockquote>