diff --git a/ros_buildfarm/templates/ci/ci_create_tasks.Dockerfile.em b/ros_buildfarm/templates/ci/ci_create_tasks.Dockerfile.em
index fdbefc435..2462d0b12 100644
--- a/ros_buildfarm/templates/ci/ci_create_tasks.Dockerfile.em
+++ b/ros_buildfarm/templates/ci/ci_create_tasks.Dockerfile.em
@@ -67,7 +67,7 @@ args = \
     ' ' + arch + \
     ' --workspace-root ' + ' '.join(workspace_mount_point) + \
     ' --distribution-repository-urls ' + ' '.join(distribution_repository_urls) + \
-    ' --distribution-repository-key-files ' + ' ' .join(['/tmp/keys/%d.key' % i for i in range(len(distribution_repository_keys))]) + \
+    ' --distribution-repository-key-files ' + ' ' .join(['/etc/apt/keyrings/ros-buildfarm-%d.key' % i for i in range(len(distribution_repository_keys))]) + \
     ' --env-vars ' + ' ' .join(['%s=%s' % key_value for key_value in env_vars.items()])
 build_args = args + \
     ' --build-tool ' + build_tool + \
diff --git a/ros_buildfarm/templates/devel/devel_create_tasks.Dockerfile.em b/ros_buildfarm/templates/devel/devel_create_tasks.Dockerfile.em
index fbf046b0d..6d4b8956e 100644
--- a/ros_buildfarm/templates/devel/devel_create_tasks.Dockerfile.em
+++ b/ros_buildfarm/templates/devel/devel_create_tasks.Dockerfile.em
@@ -84,7 +84,7 @@ cmd = \
     ' --os-code-name ' + os_code_name + \
     ' --arch ' + arch + \
     ' --distribution-repository-urls ' + ' '.join(distribution_repository_urls) + \
-    ' --distribution-repository-key-files ' + ' ' .join(['/tmp/keys/%d.key' % i for i in range(len(distribution_repository_keys))]) + \
+    ' --distribution-repository-key-files ' + ' ' .join(['/etc/apt/keyrings/ros-buildfarm-%d.key' % i for i in range(len(distribution_repository_keys))]) + \
     ' --build-tool ' + build_tool + \
     ' --ros-version ' + str(ros_version) + \
     ' --env-vars ' + ' ' .join(['%s=%s' % key_value for key_value in env_vars.items()])
diff --git a/ros_buildfarm/templates/doc/doc_create_task.Dockerfile.em b/ros_buildfarm/templates/doc/doc_create_task.Dockerfile.em
index 51f283116..332f7f138 100644
--- a/ros_buildfarm/templates/doc/doc_create_task.Dockerfile.em
+++ b/ros_buildfarm/templates/doc/doc_create_task.Dockerfile.em
@@ -75,7 +75,7 @@ cmds = [
     ' --build-tool ' + build_tool + \
     ' --vcs-info "%s"' % vcs_info + \
     ' --distribution-repository-urls ' + ' '.join(distribution_repository_urls) + \
-    ' --distribution-repository-key-files ' + ' ' .join(['/tmp/keys/%d.key' % i for i in range(len(distribution_repository_keys))]) + \
+    ' --distribution-repository-key-files ' + ' ' .join(['/etc/apt/keyrings/ros-buildfarm-%d.key' % i for i in range(len(distribution_repository_keys))]) + \
     ' --env-vars ' + ' ' .join(['%s=%s' % key_value for key_value in env_vars.items()]) + \
     (' --force' if force else '') + \
     ' --output-dir /tmp/generated_documentation' + \
diff --git a/ros_buildfarm/templates/doc/rosdoc2_create_task.Dockerfile.em b/ros_buildfarm/templates/doc/rosdoc2_create_task.Dockerfile.em
index 47ba72aac..6e2a704cb 100644
--- a/ros_buildfarm/templates/doc/rosdoc2_create_task.Dockerfile.em
+++ b/ros_buildfarm/templates/doc/rosdoc2_create_task.Dockerfile.em
@@ -57,7 +57,7 @@ cmds = [
     ' --os-code-name ' + os_code_name + \
     ' --arch ' + arch + \
     ' --distribution-repository-urls ' + ' '.join(distribution_repository_urls) + \
-    ' --distribution-repository-key-files ' + ' ' .join(['/tmp/keys/%d.key' % i for i in range(len(distribution_repository_keys))]) + \
+    ' --distribution-repository-key-files ' + ' ' .join(['/etc/apt/keyrings/ros-buildfarm-%d.key' % i for i in range(len(distribution_repository_keys))]) + \
     ' --env-vars ' + ' ' .join(['%s=%s' % key_value for key_value in env_vars.items()]) + \
     ' --dockerfile-dir /tmp/docker_doc',
 ]
diff --git a/ros_buildfarm/templates/release/deb/binarypkg_create_task.Dockerfile.em b/ros_buildfarm/templates/release/deb/binarypkg_create_task.Dockerfile.em
index a537c218f..344ea9330 100644
--- a/ros_buildfarm/templates/release/deb/binarypkg_create_task.Dockerfile.em
+++ b/ros_buildfarm/templates/release/deb/binarypkg_create_task.Dockerfile.em
@@ -104,7 +104,7 @@ cmds.append(
     ' ' + os_code_name +
     ' ' + arch +
     ' --distribution-repository-urls ' + ' '.join(distribution_repository_urls) +
-    ' --distribution-repository-key-files ' + ' ' .join(['/tmp/keys/%d.key' % i for i in range(len(distribution_repository_keys))]) +
+    ' --distribution-repository-key-files ' + ' ' .join(['/etc/apt/keyrings/ros-buildfarm-%d.key' % i for i in range(len(distribution_repository_keys))]) +
     ' --binarypkg-dir ' + binarypkg_dir +
     ' --env-vars ' + ' '.join(build_environment_variables) +
     ' --dockerfile-dir ' + dockerfile_dir +
diff --git a/ros_buildfarm/templates/snippet/add_distribution_repositories.Dockerfile.em b/ros_buildfarm/templates/snippet/add_distribution_repositories.Dockerfile.em
index 5a478535e..a946e1018 100644
--- a/ros_buildfarm/templates/snippet/add_distribution_repositories.Dockerfile.em
+++ b/ros_buildfarm/templates/snippet/add_distribution_repositories.Dockerfile.em
@@ -1,4 +1,4 @@
-RUN mkdir /tmp/keys
+RUN mkdir -p /etc/apt/keyrings
 @{
 debian_before_stretch = ('squeeze', 'wheezy', 'jessie')
 ubuntu_before_bionic = (
@@ -12,12 +12,12 @@ ubuntu_before_bionic = (
 RUN for i in 1 2 3; do apt-get update && apt-get install -q -y gnupg ca-certificates && apt-get clean && break || if [ $i -lt 3 ]; then sleep 5; else false; fi; done
 @[end if]@
 @[for i, key in enumerate(distribution_repository_keys)]@
-RUN echo "@('\\n'.join(key.splitlines()))" > /tmp/keys/@(i).key@[if key] && apt-key add /tmp/keys/@(i).key@[end if]
+RUN echo "@('\\n'.join(key.splitlines()))" > /etc/apt/keyrings/ros-buildfarm-@(i).key
 @[end for]@
 @[for i, url in enumerate(distribution_repository_urls)]@
-RUN echo deb @[if not distribution_repository_keys[i]][trusted=yes] @[end if]@ @url @os_code_name main | tee -a /etc/apt/sources.list.d/buildfarm.list
+RUN echo deb [@[if distribution_repository_keys[i]]signed-by=/etc/apt/keyrings/ros-buildfarm-@(i).key@[else]trusted=yes@[end if]] @url @os_code_name main | tee -a /etc/apt/sources.list.d/buildfarm.list
 @[if add_source and url == target_repository]@
-RUN echo deb-src @[if not distribution_repository_keys[i]][trusted=yes] @[end if]@ @url @os_code_name main | tee -a /etc/apt/sources.list.d/buildfarm.list
+RUN echo deb-src [@[if distribution_repository_keys[i]]signed-by=/etc/apt/keyrings/ros-buildfarm-@(i).key@[else]trusted=yes@[end if]] @url @os_code_name main | tee -a /etc/apt/sources.list.d/buildfarm.list
 @[end if]@
 @[end for]@
 @# On Ubuntu Trusty a newer version of dpkg is required to install Debian packages created by stdeb on newer distros