Debian packages.sury.org GPG Key Expiry

While updating some servers I ran into an issue when updating the available packages. These servers are using the third party repository packages.sury.org to get alternative PHP releases. The error was:

server myuser # apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster-backports InRelease [46.7 kB]
Hit:3 http://deb.debian.org/debian buster InRelease
...
Err:6 https://packages.sury.org/php buster InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.

Some sources suggested replacing the GPG key in /etc/apt/trusted.gpg.d/php.gpg:

rm /etc/apt/trusted.gpg.d/php.gpg
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
apt update

In my case this did not work because the /etc/apt/trusted.gpg.d/php.gpg file didn’t exist. This is because the keys were imported directly using apt-key by Puppet which adds them to a shared keyring.

To fix it the updated key just needs to be received by apt-key:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743

The key should be updated and the package source update should now be working:

server myuser # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
Executing: /tmp/apt-key-gpghome.eZuFyt6jRw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
gpg: key B188E2B695BD4743: "DEB.SURY.ORG Automatic Signing Key <deb@sury.org>" 2 new signatures
gpg: Total number processed: 1
gpg:         new signatures: 2
server myuser # apt update
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Get:2 https://packages.sury.org/php buster InRelease [6,823 B]
Hit:3 http://mirror.aarnet.edu.au/pub/MariaDB/repo/10.5/debian buster InRelease
Hit:4 http://deb.debian.org/debian buster-backports InRelease
Hit:5 http://deb.debian.org/debian buster InRelease
Hit:6 http://apt.puppetlabs.com buster InRelease
Hit:7 https://download.docker.com/linux/debian buster InRelease
Hit:8 http://deb.debian.org/debian buster-proposed-updates InRelease
Hit:9 https://nginx.org/packages/mainline/debian buster InRelease
Hit:10 http://deb.debian.org/debian buster-updates InRelease
Get:11 https://packages.sury.org/php buster/main amd64 Packages [316 kB]
Hit:12 http://ftp.au.debian.org/debian buster InRelease
Hit:13 http://ftp.au.debian.org/debian buster-updates InRelease
Fetched 323 kB in 3s (125 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
102 packages can be upgraded. Run 'apt list --upgradable' to see them.
server myuser #

Leave a Reply

Your email address will not be published.