Converting Debian APT sources to deb822 format moves repository entries from one-line deb records into structured .sources stanzas. The change is useful when apt update --audit reports legacy source entries, when an image still uses /etc/apt/sources.list, or when repository signing needs a clearer Signed-By field.
APT reads /etc/apt/sources.list first, then supported files under /etc/apt/sources.list.d/. The traditional .list format remains supported, but deb822 files place Types, URIs, Suites, Components, and Signed-By on separate fields that are easier to review, disable, and manage with tools.
The apt modernize-sources command can convert valid one-line sources, write the result as .sources files, and keep .bak copies of the old files. Review third-party repositories before accepting the rewrite, because custom bracketed options may need manual translation instead of an automatic pass.
$ sudo apt update --audit Get:1 http://deb.debian.org/debian trixie InRelease [140 kB] Get:2 http://deb.debian.org/debian trixie-updates InRelease [47.3 kB] Get:3 http://deb.debian.org/debian-security trixie-security InRelease [43.4 kB] ##### snipped ##### Reading package lists... Building dependency tree... Reading state information... All packages are up to date. Audit: The sources.list(5) entry for 'http://deb.debian.org/debian' should be upgraded to deb822 .sources Audit: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian' Audit: Some sources can be modernized. Run 'apt modernize-sources' to do so.
Fix fetch errors, suite mismatches, or duplicate source entries before converting the files.
$ sudo cp -a /etc/apt /root/apt-backup-before-deb822
apt modernize-sources creates .bak files for converted sources, but a full /etc/apt copy also preserves keyrings, preferences, and source fragments.
$ sudo apt modernize-sources The following files need modernizing: - /etc/apt/sources.list Modernizing will replace .list files with the new .sources format, add Signed-By values where they can be determined automatically, and save the old files into .list.bak files. This command supports the 'signed-by' and 'trusted' options. If you have specified other options inside [] brackets, please transfer them manually to the output files; see sources.list(5) for a mapping. For a simulation, respond N in the following prompt. Rewrite 1 sources? [Y/n] Y Modernizing /etc/apt/sources.list... - Writing /etc/apt/sources.list.d/debian.sources
Stop at the prompt if the list includes a third-party source that needs manual review, especially one with bracketed options other than signed-by or trusted.
$ cat /etc/apt/sources.list.d/debian.sources # Modernized from /etc/apt/sources.list Types: deb URIs: http://deb.debian.org/debian/ Suites: trixie Components: main Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg # Modernized from /etc/apt/sources.list Types: deb URIs: http://deb.debian.org/debian/ Suites: trixie-updates Components: main Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg # Modernized from /etc/apt/sources.list Types: deb URIs: http://deb.debian.org/debian-security/ Suites: trixie-security Components: main Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
If APT reports another output path, inspect that .sources file instead. The suites, components, and keyring should match the source entries that were active before conversion.
$ ls /etc/apt/sources.list.bak /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.bak /etc/apt/sources.list.d/debian.sources
A .bak suffix is outside the active .list and .sources extensions, so APT ignores the backup while keeping it available for rollback.
$ sudo apt update --audit Hit:1 http://deb.debian.org/debian trixie InRelease Hit:2 http://deb.debian.org/debian trixie-updates InRelease Hit:3 http://deb.debian.org/debian-security trixie-security InRelease Reading package lists... Building dependency tree... Reading state information... All packages are up to date.
The converted Debian sources are clean when the audit no longer reports modernization or missing Signed-By messages for those entries.