diff --git a/contrib/install.sh b/contrib/install.sh
index 6dd708fe8..a16a3168f 100644
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -162,26 +162,14 @@ metadata_expire=300" | $maybe_sudo tee -a /etc/yum.repos.d/pganalyze_collector.r
   $maybe_sudo yum $yum_opts install pganalyze-collector <$user_input
 elif [ "$pkg" = deb ];
 then
-  # on Debian, gnupg, required for apt-key add, is not installed by default, so install
-  # it before trying to invoke it if necessary
-  if ! dpkg --verify gnupg 2>/dev/null && ! dpkg --verify gnupg1 2>/dev/null && ! dpkg --verify gnupg2 2>/dev/null;
-  then
-    if confirm "The gnupg package is required to verify the collector package signature; install it now?";
-    then
-      $maybe_sudo apt-get $apt_opts update <$user_input
-      $maybe_sudo apt-get $apt_opts install gnupg <$user_input
-    else
-      fail "cannot install without gnupg"
-    fi
-  fi
   if [ "$arch" = 'x86_64' ];
   then
-    apt_source="deb [arch=amd64] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
+    apt_source="deb [arch=amd64 signed-by=/etc/apt/keyrings/pganalyze_signing_key.asc] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
   elif [ "$arch" = 'arm64' ] || [ "$arch" = 'aarch64' ];
   then
-    apt_source="deb [arch=arm64] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
+    apt_source="deb [arch=arm64 signed-by=/etc/apt/keyrings/pganalyze_signing_key.asc] https://packages.pganalyze.com/${distribution}/${version}/ stable main"
   fi
-  curl -s -L https://packages.pganalyze.com/pganalyze_signing_key.asc | $maybe_sudo apt-key add -
+  $maybe_sudo curl -L https://packages.pganalyze.com/pganalyze_signing_key.asc -o /etc/apt/keyrings/pganalyze_signing_key.asc
   echo "$apt_source" | $maybe_sudo tee /etc/apt/sources.list.d/pganalyze_collector.list
   $maybe_sudo apt-get $apt_opts update <$user_input
   $maybe_sudo apt-get $apt_opts install pganalyze-collector <$user_input
diff --git a/packages/repo/sync_deb.sh b/packages/repo/sync_deb.sh
index 81ce25bd0..53106d1ef 100755
--- a/packages/repo/sync_deb.sh
+++ b/packages/repo/sync_deb.sh
@@ -31,9 +31,9 @@ reprepro --basedir /repo/debian/bookworm includedeb stable /deb/systemd/$DEB_PAC
 reprepro --basedir /repo/debian/bookworm includedeb stable /deb/systemd/$DEB_PACKAGE_ARM64
 
 # Verify signatures
-apt-key add /repo/pganalyze_signing_key.asc
-gpgv --keyring /etc/apt/trusted.gpg /repo/ubuntu/focal/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/ubuntu/jammy/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/ubuntu/noble/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/debian/bullseye/dists/stable/InRelease
-gpgv --keyring /etc/apt/trusted.gpg /repo/debian/bookworm/dists/stable/InRelease
+gpg --dearmor -o /repo/pganalyze_signing_key.gpg /repo/pganalyze_signing_key.asc
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/ubuntu/focal/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/ubuntu/jammy/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/ubuntu/noble/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/debian/bullseye/dists/stable/InRelease
+gpgv --keyring /repo/pganalyze_signing_key.gpg /repo/debian/bookworm/dists/stable/InRelease