dpkg: install repository key in /etc/apt/trusted.gpg.d, not using apt-key
Reported by dmcbr...@gmail.com, Dec 10 2014
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36

Steps to reproduce the problem:
0. Provision a new Debian/Ubuntu machine, and add the Google Chrome repository.
1. Install the google-chrome-stable package:
   # apt-get install google-chrome-stable
2. Purge the google-chrome-stable package:
   # apt-get purge google-chrome-stable
3. List the set of trusted APT keys:
   # apt-key list

What is the expected behavior?
The Google APT key should have been removed from the system.

What went wrong?
The Google APT GPG key is still installed in /etc/apt/trusted.gpg, even after all Google packages have been uninstalled and purged:

  pub   1024D/7FAC5991 2007-03-08
  uid                  Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
  sub   2048g/C07CB649 2007-03-08

Did this work before? No

Chrome version: 39.0.2171.71
Channel: stable
OS Version: Debian Sid
Flash Version: Shockwave Flash 15.0 r0

It should be true that the removal of all Google packages from a system causes the Google GPG key to be removed from APT's trusted set of keys. This is currently false.

The mechanism used by the Google Chrome Debian package to add the Google GPG key to the set trusted by APT is to invoke "apt-key". This causes the Google key to be added to /etc/apt/trusted.gpg if it wasn't already present. Nothing causes this key to automatically be removed. This is understandable, as simply removing the key in the postrm script would break any other installed repositories that also depend on that key. apt-key does not provide any mechanism for reference-counting.

I'd ask that the Google Chrome packaging be modified such that it installs the trusted GPG public key as a separate file in /etc/apt/trusted.gpg.d, e.g. /etc/apt/trusted.gpg.d/google-chrome-stable.gpg. This allows each package to maintain its own set of trusted GPG keys and removes the need for reference-counting.

As a side effect, this also allows the ability to manage trusted APT keys using file-based configuration management tools.

~ ~ ~

Background context: we mirror Google repositories locally in an additive-only manner. We re-sign the resulting repository indexes with our own credentials. Therefore, we don't _want_ the Google repository to be directly configured on client machines, or have the Google GPG key installed. (Also, if it is installed, we wish to be able to reverse this process in an unattended fashion.)

We're already using debathena configuration packages to manage configuration overrides. However, while undoing the configuration of the sources.list addition is straightforward — we can simply dpkg-divert the relevant file — we cannot use the same technique to disable the GPG key. (We could manually remove the key using a script attached to the package — but this would be brittle, as the package would silently fail to do the right thing in the event that the upstream GPG key(s) were updated.)
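As an added example (not code from the bug report or from Google's packaging), the per-package layout the reporter asks for, as maintainer-script helpers: each package owns one keyring file under trusted.gpg.d, so a purge removes only that file and no reference counting is needed. TRUSTED_DIR is an assumed override hook so the helpers can be exercised against a scratch directory instead of /etc.

```sh
#!/bin/sh
# Added example, not part of the original report. Maintainer-script helpers
# for the "one keyring file per package" approach to /etc/apt/trusted.gpg.d.
# TRUSTED_DIR is an assumption for testing; real maintainer scripts would use
# the fixed path.
set -eu

TRUSTED_DIR="${TRUSTED_DIR:-/etc/apt/trusted.gpg.d}"

# postinst: install this package's keyring as its own file.
# The source must already be a binary (dearmored) OpenPGP keyring; apt reads
# *.gpg files in trusted.gpg.d and expects them readable (mode 0644).
# Usage: install_repo_key <package> <keyring-file>
install_repo_key() {
    pkg="$1"; src="$2"
    mkdir -p "$TRUSTED_DIR"
    cp "$src" "$TRUSTED_DIR/$pkg.gpg"
    chmod 0644 "$TRUSTED_DIR/$pkg.gpg"
}

# postrm (on purge): remove only this package's keyring. A second package
# that shipped the same key in its own file is unaffected, which is exactly
# what a shared /etc/apt/trusted.gpg plus 'apt-key add' cannot offer.
# Usage: remove_repo_key <package>
remove_repo_key() {
    pkg="$1"
    rm -f "$TRUSTED_DIR/$pkg.gpg"
}

# Check: how many per-package keyrings does apt currently see in TRUSTED_DIR?
trusted_keyring_count() {
    set -- "$TRUSTED_DIR"/*.gpg
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}
```

Call install_repo_key from postinst (configure) and remove_repo_key from postrm when "$1" is purge; because nothing is ever appended to /etc/apt/trusted.gpg, the key also disappears from `apt-key list` once the last package that shipped it is gone.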
Dec 10 2014
Seems reasonable.
Mar 17 2016
This issue has been available for more than 365 days, and should be re-evaluated. Hotlist-Recharge-Cold label is added for tracking. Please re-triage this issue. For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
May 1 2016
Please do this, we are looking at dropping the gpg dependency from APT which means 'apt-key add' won't work anymore. (The package also does not depend on APT, BTW, despite running APT tools...)
Aug 4
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 29
This should really get addressed. The sooner the better.
Status: Untriaged