[Debian] Apt no longer recognises PGP key since its moved to /usr/share/keyrings/deb.sury.org-php.gpg #1802
Since the PGP key for the Debian repository (packages.sury.org) has moved to «/usr/share/keyrings/deb.sury.org-php.gpg» it no longer seems to be recognised. This is for Debian Buster on amd64.
I’ve re-run the installer script and removed the old key from «/etc/apt/trusted.gpg.d/php.gpg» but get the usual rejection from Apt:
    W: GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
    E: The repository 'https://packages.sury.org/php bullseye InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
The PGP key is definitely at the new location:
    # sha256sum /usr/share/keyrings/deb.sury.org-php.gpg
    b3ea944563435e54bb64f181ee8bc26200985d09164cdc4c1702fc3ef051f19d  /usr/share/keyrings/deb.sury.org-php.gpg
    # gpg -v /usr/share/keyrings/deb.sury.org-php.gpg
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
          15058500A0235D97F5D10063B188E2B695BD4743
    uid   DEB.SURY.ORG Automatic Signing Key
    sig   B188E2B695BD4743 2021-02-16 [selfsig]
    sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
    sig   B188E2B695BD4743 2021-02-16
The Apt sources file also definitely refers to it:
    # cat /etc/apt/sources.list.d/php.list
    deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bullseye main
Fixing the expired public key for packages.sury.org on Debian 10 Buster.
The certificate for «packages.sury.org» is not trusted. ERROR: The certificate for «packages.sury.org» has expired.
    apt-get update
    Hit:1 http://deb.debian.org/debian buster InRelease
    Hit:2 http://security.debian.org/debian-security buster/updates InRelease
    Hit:3 http://deb.debian.org/debian buster-updates InRelease
    Get:4 https://packages.sury.org/php buster InRelease [6837 B]
    Err:4 https://packages.sury.org/php buster InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
    Hit:5 https://repo.zabbix.com/zabbix/5.4/debian buster InRelease
    Reading package lists... Done
    W: GPG error: https://packages.sury.org/php buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
    E: The repository 'https://packages.sury.org/php buster InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
To fix this, run the commands below:
    sudo rm -rf /etc/apt/trusted.gpg.d/php.gpg
    sudo apt-key del B188E2B695BD4743
    sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
To verify, refresh the repository data:
If errors occur while updating the keys, one of the packages below is most likely missing from the system:
apt-get install -y gnupg2 ca-certificates lsb-release apt-transport-https
Fixing invalid public key for packages.sury.org
Update 21 March 2021: there’s been a recent uptick in traffic to this page. The current problem everyone is having is due to an expired key. Read more in this deb.sury.org GitHub issue.
Solution (Debian 10.8 Buster):
(comments in various places suggest removing the old key is crucial)
    sudo apt-key del B188E2B695BD4743
    sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
Useful command worth noting:
Original April 2019 blog post:
If you’re running Debian and using:
deb https://packages.sury.org/php/ stretch main
(it might be in /etc/apt/sources.list.d/php.list rather than the usual sources.list)
    Err:5 https://packages.sury.org/php stretch InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
    Reading package lists... Done
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
    W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
    W: Some index files failed to download. They have been ignored, or old ones used instead.
This isn’t widely blogged yet, however the best source of info is the Issue queue for the deb.sury.org GitHub repository – it turns out that in mid-March, the key for each repository on sury.org was regenerated due to a compromised server.
Here’s the command to download the new one, after which apt will work as expected.
Debian packages.sury.org GPG Key Expiry
While updating some servers I ran into an issue when updating the available packages. These servers are using the third party repository packages.sury.org to get alternative PHP releases. The error was:
    server myuser # apt update
    Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
    Get:2 http://deb.debian.org/debian buster-backports InRelease [46.7 kB]
    Hit:3 http://deb.debian.org/debian buster InRelease
    ...
    Err:6 https://packages.sury.org/php buster InRelease
      The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
    ...
    W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
    W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
    W: Some index files failed to download. They have been ignored, or old ones used instead.
Some sources suggested replacing the GPG key in /etc/apt/trusted.gpg.d/php.gpg:
    rm /etc/apt/trusted.gpg.d/php.gpg
    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
    apt update
In my case this did not work because the /etc/apt/trusted.gpg.d/php.gpg file didn’t exist. This is because the keys were imported directly using apt-key by Puppet which adds them to a shared keyring.
To fix it the updated key just needs to be received by apt-key:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
The key should be updated and the package source update should now be working:
    server myuser # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
    Executing: /tmp/apt-key-gpghome.eZuFyt6jRw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
    gpg: key B188E2B695BD4743: "DEB.SURY.ORG Automatic Signing Key " 2 new signatures
    gpg: Total number processed: 1
    gpg:         new signatures: 2
    server myuser # apt update
    Hit:1 http://security.debian.org/debian-security buster/updates InRelease
    Get:2 https://packages.sury.org/php buster InRelease [6,823 B]
    Hit:3 http://mirror.aarnet.edu.au/pub/MariaDB/repo/10.5/debian buster InRelease
    Hit:4 http://deb.debian.org/debian buster-backports InRelease
    Hit:5 http://deb.debian.org/debian buster InRelease
    Hit:6 http://apt.puppetlabs.com buster InRelease
    Hit:7 https://download.docker.com/linux/debian buster InRelease
    Hit:8 http://deb.debian.org/debian buster-proposed-updates InRelease
    Hit:9 https://nginx.org/packages/mainline/debian buster InRelease
    Hit:10 http://deb.debian.org/debian buster-updates InRelease
    Get:11 https://packages.sury.org/php buster/main amd64 Packages [316 kB]
    Hit:12 http://ftp.au.debian.org/debian buster InRelease
    Hit:13 http://ftp.au.debian.org/debian buster-updates InRelease
    Fetched 323 kB in 3s (125 kB/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    102 packages can be upgraded. Run 'apt list --upgradable' to see them.
    server myuser #
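
The apt errors quoted on this page fall into two classes, NO_PUBKEY and EXPKEYSIG, and the useful first check is to compare the key ID apt complains about with what a given keyring file actually holds. The script below is an added example, not code from any of the posts above; the function names and the two sample inputs are constructed for illustration, and the colon listing mimics the format printed by `gpg --show-keys --with-colons`.

```shell
#!/bin/sh
# Constructed sample: two apt warnings in the style quoted on this page.
SAMPLE_APT='W: GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures could not be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743'

# Constructed sample: colon listing of a keyring holding that key,
# created 2019-03-18, expiring 2024-02-16 (field 7, seconds since epoch).
SAMPLE_KEYS='pub:-:3072:1:B188E2B695BD4743:1552867200:1708041600::-:::scESC::::::23::0:
fpr:::::::::15058500A0235D97F5D10063B188E2B695BD4743:'

# Read apt output on stdin; print "<class> <keyid>" once per distinct pair.
apt_key_errors() {
    grep -oE '(NO_PUBKEY|EXPKEYSIG) [0-9A-F]{16}' | sort -u
}

# key_status KEYID NOW: read a colon listing on stdin and print
# "missing", "expired <epoch>", "valid <epoch>" or "valid never".
key_status() {
    awk -F: -v id="$1" -v now="$2" '
        ($1 == "pub" || $1 == "sub") && substr($5, length($5) - 15) == id {
            found = 1
            if ($7 == "")                 print "valid never"
            else if ($7 + 0 <= now + 0)   print "expired " $7
            else                          print "valid " $7
            exit
        }
        END { if (!found) print "missing" }'
}

# triage APT_TEXT COLON_LISTING NOW: one line per apt complaint, paired
# with the state of that key in the keyring that was listed.
#   NO_PUBKEY + valid   -> apt is not consulting this keyring for the repo
#   EXPKEYSIG + valid   -> apt is reading a different, stale copy of the key
#   EXPKEYSIG + expired -> this keyring needs the refreshed key
triage() {
    printf '%s\n' "$1" | apt_key_errors | while read -r class id; do
        echo "$class $id keyring:$(printf '%s\n' "$2" | key_status "$id" "$3")"
    done
}

# Stand-alone run against the constructed samples, using the current time.
triage "$SAMPLE_APT" "$SAMPLE_KEYS" "$(date +%s)"
```

On a real host the two inputs would come from `apt-get update 2>&1` and from `gpg --show-keys --with-colons` run on the keyring file named in the repository's `signed-by` option or placed under /etc/apt/trusted.gpg.d/.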