While updating some servers I ran into an issue when updating the available packages. These servers use the third-party repository packages.sury.org to get alternative PHP releases. The error was:
server myuser # apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster-backports InRelease [46.7 kB]
Hit:3 http://deb.debian.org/debian buster InRelease
...
Err:6 https://packages.sury.org/php buster InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Some sources suggested replacing the GPG key in /etc/apt/trusted.gpg.d/php.gpg:
rm /etc/apt/trusted.gpg.d/php.gpg
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
apt update
- [SOLVED] The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
- [SOLVED] PHP apt key expired error
In my case this did not work because the /etc/apt/trusted.gpg.d/php.gpg file didn’t exist. This is because the keys were imported directly using apt-key by Puppet, which adds them to a shared keyring.
To fix it the updated key just needs to be received by apt-key:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
The key should be updated and the package source update should now be working:
server myuser # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
Executing: /tmp/apt-key-gpghome.eZuFyt6jRw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
gpg: key B188E2B695BD4743: "DEB.SURY.ORG Automatic Signing Key <deb@sury.org>" 2 new signatures
gpg: Total number processed: 1
gpg: new signatures: 2
server myuser # apt update
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Get:2 https://packages.sury.org/php buster InRelease [6,823 B]
Hit:3 http://mirror.aarnet.edu.au/pub/MariaDB/repo/10.5/debian buster InRelease
Hit:4 http://deb.debian.org/debian buster-backports InRelease
Hit:5 http://deb.debian.org/debian buster InRelease
Hit:6 http://apt.puppetlabs.com buster InRelease
Hit:7 https://download.docker.com/linux/debian buster InRelease
Hit:8 http://deb.debian.org/debian buster-proposed-updates InRelease
Hit:9 https://nginx.org/packages/mainline/debian buster InRelease
Hit:10 http://deb.debian.org/debian buster-updates InRelease
Get:11 https://packages.sury.org/php buster/main amd64 Packages [316 kB]
Hit:12 http://ftp.au.debian.org/debian buster InRelease
Hit:13 http://ftp.au.debian.org/debian buster-updates InRelease
Fetched 323 kB in 3s (125 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
102 packages can be upgraded. Run 'apt list --upgradable' to see them.
server myuser #
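A check that catches this before apt update fails, as an added example that is not from the original post: it lists every primary key in the shared keyring that apt-key writes to (/etc/apt/trusted.gpg) and in the /etc/apt/trusted.gpg.d drop-in files, and flags keys that are expired or expire within a given number of days. It assumes GnuPG 2.2 or later (for --show-keys and epoch timestamps in --with-colons output); the function names and the sample listing, including its timestamps and the two extra key IDs, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag APT signing keys that are expired or about to expire.

# key_expiry_report NOW_EPOCH WARN_DAYS  (reads `gpg --with-colons` on stdin)
# Prints per primary key: STATUS KEYID EXPIRY_EPOCH|never FIRST_UID
key_expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        function emit() { if (keyid != "") print status, keyid, expiry, uid; keyid = "" }
        $1 == "pub" {
            emit(); keyid = $5; uid = "(no uid)"; have_uid = 0; expiry = $7
            # Compare field 7 (expiry, epoch seconds) ourselves instead of
            # trusting the validity flag in field 2.
            if ($7 == "")                      { status = "OK"; expiry = "never" }
            else if ($7 + 0 <= now + 0)        status = "EXPIRED"
            else if ($7 - now <= warn * 86400) status = "EXPIRING"
            else                               status = "OK"
        }
        $1 == "uid" && keyid != "" && !have_uid { uid = $10; have_uid = 1 }
        END { emit() }'
}

# scan_apt_keyrings [WARN_DAYS]: the shared keyring apt-key writes to, plus
# every drop-in file; each line is prefixed with the file that holds the key.
scan_apt_keyrings() {
    local warn="${1:-30}" now f
    now=$(date +%s)
    for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg /etc/apt/trusted.gpg.d/*.asc; do
        [ -r "$f" ] || continue
        gpg --show-keys --with-colons "$f" 2>/dev/null |
            key_expiry_report "$now" "$warn" |
            awk -v f="$f" '{ print f ": " $0 }'
    done
}

# Constructed sample listing (timestamps and the last two key IDs are made up).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:B188E2B695BD4743:1550000000:1612000000::-:::scESC:
uid:-::::1550000000::::DEB.SURY.ORG Automatic Signing Key <deb@sury.org>:
pub:-:4096:1:1111111111111111:1690000000:1701000000::-:::scESC:
uid:-::::1690000000::::Constructed Key One <one@example.invalid>:
pub:-:4096:1:2222222222222222:1500000000:::-:::scESC:
uid:-::::1500000000::::Constructed Key Two <two@example.invalid>:
EOF
}

if [ "${1:-}" = "--scan" ]; then scan_apt_keyrings "${2:-30}"; fi
```

Run it with `--scan [days]` on the host; the file name in front of each line shows whether the stale key sits in the shared keyring or in a drop-in file, which decides which of the two fixes above applies.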
One thought on “Debian packages.sury.org GPG Key Expiry”
thank you!