Apt key for Debian Package is expiring on 16.02.2024 #2074

Closed
michizubi-SRF opened this issue Feb 5, 2024 · 34 comments

Comments

@michizubi-SRF

Frequently asked questions

  • I have read Frequently Asked Questions
  • I have looked at the list of the existing issues (including closed issues) and searched if my issue has been already reported
  • I have tried to resolve the issue myself and will describe what I did in a clear and concise manner

Describe the bug
Apt key for the Debian package is expiring on 16.02.2024, see the following output:

```
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-28]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
```

To Reproduce
Steps to reproduce the behavior:

  1. `wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -`
  2. `apt-key list 95BD4743`

Your understanding of what is happening
The key should be updated to extend expiration

What steps did you take to resolve issue yourself before reporting it here
See section "To Reproduce"

Expected behavior
Key is not expiring in the next 2 weeks

Distribution (please complete the following information):

  • OS: Debian
  • Architecture: amd64
  • Repository: packages.sury.org
@oerdnj
Owner

oerdnj commented Feb 5, 2024

Could you try installing debsuryorg-archive-keyring package by hand for now?

I'll automate it later, but I need more people to confirm that installing that package works fine.

@michizubi-SRF
Author

The key is used on a lot of machines.
I'd rather not install that manually on all of them :)

@oerdnj
Owner

oerdnj commented Feb 5, 2024

> The key is used on a lot of machines. I'd rather not install that manually on all of them :)

And I'd rather not break "a lot of machines" by automating something that will then need manual intervention, so I need confirmation that `apt install debsuryorg-archive-keyring` works as expected.

@rfay

rfay commented Feb 5, 2024

@oerdnj is `apt install debsuryorg-archive-keyring` the new official technique? I don't see it showing up in https://packages.sury.org/php/README.txt

We'll need to do a release of DDEV so people will have the new key using the official technique, and it sounds like all apt updates will be broken before that?

Please give the full new suggested technique. Right now my testing is blocked by the intermittent

which is happening consistently right now. I'm absolutely not sure where that comes from and when it happens.

@oerdnj
Owner

oerdnj commented Feb 5, 2024

I am not sure yet about the bootstrapping. The apt.gpg will still stay in the place. But I need a method to automatically update the keys.

@rfay

rfay commented Feb 5, 2024

I guess the primary request in this issue is to update the apt.gpg ASAP, that alone would solve things for me.

`apt install debsuryorg-archive-keyring` works for me, but it may only be working after having installed the apt.gpg, and so that seems like a possible chicken-and-egg scenario? I'll test any from-scratch install that you propose.

```
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
---------------------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
```

@oerdnj
Owner

oerdnj commented Feb 5, 2024

I’ll probably upload the keyring package to the repository root and update the instructions to install the deb by hand first.

I’ll keep the apt.gpg for the next 2 years.

@rfay

rfay commented Feb 5, 2024

This is quite urgent, right, as reported by the OP? Both techniques (but especially the traditional technique) need to work right away, or all apt update on all machines that use deb.sury.org will be broken?

@rfay

rfay commented Feb 5, 2024

I see that the apt key has been updated, thank you very much.

Initial situation:

```
gpg --list-options show-sig-expire deb.sury.org-php.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
```

After `curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg`:

```
gpg --list-options show-sig-expire deb.sury.org-php.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
```

@bcremer

bcremer commented Feb 6, 2024

Can confirm that installing `debsuryorg-archive-keyring` pulled the latest keyring versions:

```
$ ls -lha /usr/share/keyrings/deb.sury.org-*
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-apache2.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-bind-dev.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-bind-esv.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-bind.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-nginx.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-php.gpg

$ gpg --list-options show-sig-expire  /usr/share/keyrings/deb.sury.org-php.gpg
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
```

@michizubi-SRF
Author

Thanks a lot for updating the key.
This solves the issue for me for the moment.

@brenc

brenc commented Feb 7, 2024

Just added this to our build. All good. 👍

For reference, the full URL is https://packages.sury.org/debsuryorg-archive-keyring.deb. Here are my Ansible plays for this:

```yaml
- name: apt | Add the deb.sury.org key(s) and repo
  tags: apt
  block:
    - name: apt | Remove old key
      ansible.builtin.file:
        path: /usr/share/keyrings/deb.sury.org-php.gpg
        state: absent

    - name: apt | Install the debsuryorg-archive-keyring.deb package
      ansible.builtin.apt:
        deb: https://packages.sury.org/debsuryorg-archive-keyring.deb

    - name: apt | Remove the old Sury PHP repo
      ansible.builtin.apt_repository:
        repo: deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main
        state: absent

    - name: apt | Add Sury PHP repo
      ansible.builtin.apt_repository:
        repo: deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main
        state: present

# Packages are now available to install.
```

@michizubi-SRF check out Ansible. Super helpful for stuff like this.

@michizubi-SRF
Author

@brenc Thanks for the hint :) We're using Puppet for all our servers.

@hardfalcon

Are there any plans to include/update/replace the PPA signing key as well?

@oerdnj oerdnj closed this as completed Feb 13, 2024
@oerdnj
Owner

oerdnj commented Feb 13, 2024

If you updated recently, the new keyring package should have been installed.

@aerogus

aerogus commented Feb 17, 2024

Thanks for this thread, I can confirm that executing `apt install debsuryorg-archive-keyring` has resolved the problem of the expiring key

@oerdnj oerdnj reopened this Feb 17, 2024
@oerdnj oerdnj pinned this issue Feb 17, 2024
@oerdnj oerdnj closed this as completed Feb 17, 2024
@oerdnj
Owner

oerdnj commented Feb 17, 2024

FTR it might be required to remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory. The list of keys installed by the debsuryorg-archive-keyring package is:

```
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
/usr/share/keyrings/deb.sury.org-apache2.gpg
/usr/share/keyrings/deb.sury.org-bind-dev.gpg
/usr/share/keyrings/deb.sury.org-bind-esv.gpg
/usr/share/keyrings/deb.sury.org-bind.gpg
/usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
/usr/share/keyrings/deb.sury.org-nginx.gpg
/usr/share/keyrings/deb.sury.org-php.gpg
```

This should work for both old (using global keyring) and new installations (using signed-by= in sources.list).
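As an added example (not from this thread or the sury.org project), here is a small POSIX shell check a defender can schedule to catch exactly this situation before `apt update` starts failing with `EXPKEYSIG`: it parses the machine-readable output of `gpg --show-keys --with-colons` for the keyring files apt trusts and reports primary keys and subkeys that are expired or expire within a warning window. The key ID and fingerprint in the constructed sample records are the ones shown in this thread; the subkey ID is a placeholder, the epochs correspond to the old (2024-02-16) and renewed (2026-02-04) expiry dates reported above, and the function names `expiring_keys` and `scan_keyrings` are my own.

```shell
#!/bin/sh
# Added example (not from the sury.org project or this thread): find apt
# signing keys that are expired or about to expire, so the keyring can be
# rotated before "EXPKEYSIG" errors start. It parses the colon-separated
# records of `gpg --show-keys --with-colons`: field 1 is the record type
# (pub/sub), field 5 the key ID, field 7 the expiry as epoch seconds
# (empty when the key never expires).

# expiring_keys NOW_EPOCH WARN_DAYS   (colon records on stdin)
# Prints "TYPE KEYID EXPIRY_EPOCH STATUS" for every primary key or subkey
# whose expiry lies within WARN_DAYS of NOW_EPOCH; STATUS is EXPIRED when
# the expiry is already in the past, EXPIRING otherwise.
expiring_keys() {
  awk -F: -v now="$1" -v limit="$(( $1 + $2 * 86400 ))" '
    ($1 == "pub" || $1 == "sub") && $7 != "" && $7 + 0 <= limit {
      printf "%s %s %s %s\n", $1, $5, $7, ($7 + 0 <= now ? "EXPIRED" : "EXPIRING")
    }'
}

# scan_keyrings NOW_EPOCH WARN_DAYS FILE...
# Runs gpg over each existing keyring file (binary or armored) and prefixes
# every finding with the file path, so the offending keyring is obvious.
scan_keyrings() {
  now="$1"; days="$2"; shift 2
  for f in "$@"; do
    [ -f "$f" ] || continue
    gpg --batch --show-keys --with-colons "$f" 2>/dev/null |
      expiring_keys "$now" "$days" | sed "s|^|$f: |"
  done
}

# Constructed sample records mirroring the key in this thread. The key ID
# B188E2B695BD4743 and the fingerprint are the real ones shown above; the
# subkey ID is a placeholder; creation is 2019-03-18 and expiry 2024-02-16.
SAMPLE_OLD='pub:-:3072:1:B188E2B695BD4743:1552867200:1708041600::-:::scESC:::::::
fpr:::::::::15058500A0235D97F5D10063B188E2B695BD4743:
uid:-::::1552867200::::DEB.SURY.ORG Automatic Signing Key <deb@sury.org>::::::::::
sub:-:3072:1:SUBKEYID_PLACEHOLDER:1552867200:1708041600:::::e:::::::'
# Same key after the renewal in this thread: expiry moved to 2026-02-04.
SAMPLE_NEW=$(printf '%s\n' "$SAMPLE_OLD" | sed 's/:1708041600:/:1770163200:/g')

# Stand-alone demo: evaluate both samples as of 2024-02-05 (the day this
# issue was opened) with a 30-day warning window; the old key is reported
# as EXPIRING, the renewed key produces no output. Then scan the real apt
# keyrings if gpg is available on this host.
printf '%s\n' "$SAMPLE_OLD" | expiring_keys 1707091200 30
printf '%s\n' "$SAMPLE_NEW" | expiring_keys 1707091200 30
if command -v gpg >/dev/null 2>&1; then
  scan_keyrings "$(date +%s)" 30 /etc/apt/trusted.gpg.d/* /usr/share/keyrings/*
fi
```

Both `pub` and `sub` records are checked because the OP's output shows the subkey expiring two weeks before the primary key, so a check that only looks at the primary key's expiry would have missed it. Running `scan_keyrings` from cron over both `/etc/apt/trusted.gpg.d` (the legacy global keyring directory) and `/usr/share/keyrings` (the `signed-by=` keyrings) covers both the old and new installation styles mentioned above.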

@rfay

rfay commented Feb 17, 2024

Agreed, would this be implemented in the debsuryorg-archive-keyring.deb ?

I see that https://packages.sury.org/php/README.txt has been updated with the new approach, thanks

```
${SUDO} curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
${SUDO} dpkg -i /tmp/debsuryorg-archive-keyring.deb
```

@oerdnj
Owner

oerdnj commented Feb 17, 2024

> Agreed, would this be implemented in the debsuryorg-archive-keyring.deb ?

What you mean by "this"?

@rfay

rfay commented Feb 17, 2024

> What you mean by "this"?

I was responding to your

> FTR it might be required to remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory

It (might be) cool for the debsuryorg-archive-keyring.deb to do this cleanup?

@RaidOpe

RaidOpe commented Feb 22, 2024

Even after I ran `sudo apt install debsuryorg-archive-keyring`

it still showed up:

```
Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
```

apt-key

```
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]
```

> remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory.

THEN I executed `sudo rm` on what you listed ......

```
E: Conflicting values set for option Signed-By regarding source https://packages.sury.org/php/ bookworm: /usr/share/keyrings/deb.sury.org-php.gpg != /usr/share/keyrings/suryphp-archive-keyring.gpg
E: The list of sources could not be read.
```

I guess I lost my apt

@oerdnj
Owner

oerdnj commented Feb 22, 2024

> /usr/share/keyrings/suryphp-archive-keyring.gpg

where does this come from?

@krishadialpad

krishadialpad commented Feb 22, 2024

Hi,
For https://packages.sury.org/php/README.txt

```
${SUDO} apt-get update
```

shouldn't it be `${SUDO} apt-get update || true` on the first line? Because it's inducing an error for the key.
Also, can we delete the key from the tmp folder after apt-get update?

@sandsjh

sandsjh commented Feb 29, 2024

I have tried `sudo apt install debsuryorg-archive-keyring` with no luck.

I have deleted everything sury I can find (`find / -iname *sury*`) and reran the https://packages.sury.org/php/README.txt . I am still getting errors and used "https://packages.sury.org/php/README.txt" again (the bash file).

```
Err:8 https://packages.sury.org/apache2 bullseye InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
```

```
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/apache2/dists/bullseye/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
```

@oerdnj
Owner

oerdnj commented Feb 29, 2024

You need to download the package manually and install it by hand if you hadn’t managed to update the repository in time.

@sandsjh

sandsjh commented Feb 29, 2024

> You need to download the package manually and install it by hand if you hadn’t managed to update the repository in time.

I have done so and got the following error. Even though rebooting is rarely required in Debian, I have done so and tried again.

```
root@azure:~/sh# wget https://packages.sury.org/debsuryorg-archive-keyring.deb
--2024-02-29 17:56:31-- https://packages.sury.org/debsuryorg-archive-keyring.deb
Resolving packages.sury.org (packages.sury.org)... 212.102.40.114
Connecting to packages.sury.org (packages.sury.org)|212.102.40.114|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4416 (4.3K) [application/octet-stream]
Saving to: ‘debsuryorg-archive-keyring.deb’

debsuryorg-archive-keyring.deb 100%[=======================================================================================================================================>] 4.31K --.-KB/s in 0s

2024-02-29 17:56:32 (88.9 MB/s) - ‘debsuryorg-archive-keyring.deb’ saved [4416/4416]

root@azure:~/sh# dpkg -i debsuryorg-archive-keyring.deb
```

```
root@azure:~/sh# apt update
Hit:1 http://download.zerotier.com/debian/bullseye bullseye InRelease
Hit:2 http://debian-archive.trafficmanager.net/debian bullseye InRelease
Hit:3 http://debian-archive.trafficmanager.net/debian-security bullseye-security InRelease
Hit:4 http://debian-archive.trafficmanager.net/debian bullseye-updates InRelease
Hit:5 http://debian-archive.trafficmanager.net/debian bullseye-backports InRelease
Get:6 https://packages.sury.org/apache2 bullseye InRelease [7479 B]
Get:7 https://packages.sury.org/php bullseye InRelease [7551 B]
Ign:8 https://download.webmin.com/download/newkey/repository stable InRelease
Hit:9 https://download.webmin.com/download/newkey/repository stable Release
Get:11 https://pkgs.tailscale.com/stable/debian bullseye InRelease
Get:12 https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian bullseye InRelease [4634 B]
Err:6 https://packages.sury.org/apache2 bullseye InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Hit:13 https://nginx.org/packages/mainline/debian bullseye InRelease
Hit:10 https://packagecloud.io/ookla/speedtest-cli/debian bullseye InRelease
Hit:15 https://apt.hestiacp.com bullseye InRelease
Reading package lists... Done
W: GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
E: The repository 'https://packages.sury.org/apache2 bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

@oerdnj oerdnj unpinned this issue Apr 23, 2024
@arnonuem

arnonuem commented May 1, 2024

> Just added this to our build. All good. 👍
>
> For reference, the full URL is https://packages.sury.org/debsuryorg-archive-keyring.deb. Here are my Ansible plays for this:
>
> ```yaml
> - name: apt | Add the deb.sury.org key(s) and repo
>   tags: apt
>   block:
>     - name: apt | Remove old key
>       ansible.builtin.file:
>         path: /usr/share/keyrings/deb.sury.org-php.gpg
>         state: absent
>
>     - name: apt | Install the debsuryorg-archive-keyring.deb package
>       ansible.builtin.apt:
>         deb: https://packages.sury.org/debsuryorg-archive-keyring.deb
>
>     - name: apt | Remove the old Sury PHP repo
>       ansible.builtin.apt_repository:
>         repo: deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main
>         state: absent
>
>     - name: apt | Add Sury PHP repo
>       ansible.builtin.apt_repository:
>         repo: deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main
>         state: present
>
> # Packages are now available to install.
> ```
>
> @michizubi-SRF check out Ansible. Super helpful for stuff like this.

Thanks for the URL - I was doing `dpkg -i` on it and now all is back to normal again :)

@rfay

rfay commented May 1, 2024

@oerdnj do the install instructions need to be updated now that you've done a packaged install for the key? https://packages.sury.org/php/README.txt

@oerdnj
Owner

oerdnj commented May 1, 2024

> @oerdnj do the install instructions need to be updated now that you've done a packaged install for the key? https://packages.sury.org/php/README.txt

The instructions are fine. Do you have any specific line in mind?

@rfay

rfay commented May 1, 2024

Ah, I see the debsuryorg-archive-keyring.deb is there. I just skimmed over it

#2074 (comment)

We will change the DDEV install technique in https://github.com/ddev/ddev/blob/5ec62754dcf86ffa6a6c3447e35d2e361eb1a349/containers/ddev-php-base/Dockerfile#L62-L63 to use debsuryorg-archive-keyring.deb

Does that help prevent future key expiration trouble?

@oerdnj
Owner

oerdnj commented May 1, 2024

> Does that help prevent future key expiration trouble?

Yep, that was the whole point of introducing the package.

@gitwittidbit

gitwittidbit commented May 9, 2024

Hi,

I, too, ran into the problem with the expired gpg.key.

So I installed debsuryorg-archive-keyring as per the above advice.

But this doesn't change anything for me. I keep getting the error message about the signatures being invalid.

And after @RaidOpe's experience ("I guess I lost my apt"), I am a bit hesitant to delete files in my /etc/apt/trusted.gpg.d folder.

But even if I wanted to, there is only one sury-related file there: debsuryorg-archive.gpg

And it seems to be the new key.

But I still get the apt update error. So what to do now?

Thanks!

@4wk-

4wk- commented Jun 6, 2024

I wanted to know what the file debsuryorg-archive-keyring.deb listed in the README was doing, so I ran:

```
dpkg -c debsuryorg-archive-keyring.deb
drwxr-xr-x root/root         0 2024-02-05 16:20 ./
drwxr-xr-x root/root         0 2024-02-05 16:20 ./etc/
drwxr-xr-x root/root         0 2024-02-05 16:20 ./etc/apt/
drwxr-xr-x root/root         0 2024-02-05 16:20 ./etc/apt/trusted.gpg.d/
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
drwxr-xr-x root/root         0 2024-02-05 16:20 ./usr/
drwxr-xr-x root/root         0 2024-02-05 16:20 ./usr/share/
drwxr-xr-x root/root         0 2024-02-05 16:20 ./usr/share/doc/
drwxr-xr-x root/root         0 2024-02-05 16:20 ./usr/share/doc/debsuryorg-archive-keyring/
-rw-r--r-- root/root       468 2024-02-05 16:20 ./usr/share/doc/debsuryorg-archive-keyring/changelog.gz
-rw-r--r-- root/root      1250 2024-02-05 16:20 ./usr/share/doc/debsuryorg-archive-keyring/copyright
drwxr-xr-x root/root         0 2024-02-05 16:20 ./usr/share/keyrings/
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-apache2.gpg
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-bind-dev.gpg
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-bind-esv.gpg
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-bind.gpg
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-nginx.gpg
-rw-r--r-- root/root      1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-php.gpg
```

Sorry if noob question, but why do we need to have all those gpg, if we only need to put [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] in our apt list file?

(I'm using Ansible too and this new method creates 10 files instead of the only one /usr/share/keyrings/deb.sury.org-php.gpg).

Thanks in advance.

@oerdnj
Owner

oerdnj commented Jun 6, 2024

There's a single package for all the repositories, and for the legacy system. It's not feasible to have a separate keyring package for each of the repositories.
