search

oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*
825 stars 26 forks source link

Expired Debian key issue #1575

Closed waynedixon closed 2 years ago

waynedixon commented 3 years ago

After updating the deb.sury.org APT key, per the information on this page (https://www.patreon.com/posts/february-update-47617742) on Debian Stretch, I am receiving the following error:

Hit:5 https://packages.sury.org/php stretch InRelease
Err:5 https://packages.sury.org/php stretch InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org Reading package lists... Done W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org

I updated the APT key on another system, running Debian Buster, and that one worked fine. I also tried manually installing the updated apt.gpg file, and it still shows the same error. So, I think there may be an issue with the signature on the Debian Stretch InRelease file.

conter86 commented 3 years ago

Тоже самое 

  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
oerdnj commented 3 years ago

Use apt-key list to find the offending expired key, remove it and then add it again, it should look like this:

/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
DerDanilo commented 3 years ago

The problem still seems to exist. Key was replaced by the updated one. No other key laying around.

Update: When adding the key from the ubuntu ppa to debian (buster) and removing the ubuntu packages sources, there is no issue downloading from the debian packages again.

Maybe this info is of help to fix this.

LC_ALL=C.UTF-8 add-apt-repository ppa:ondrej/php
rm /etc/apt/sources.list.d/ondrej-ubuntu-php-hirsute.list
apt update && apt upgrade
waynedixon commented 3 years ago

I checked mine, and there are no expired keys in my list.

NielsH commented 3 years ago

Same issue here during apt-get update:

Err:12 https://packages.sury.org/nginx-mainline stretch InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Err:13 https://packages.sury.org/php stretch InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

Appears fixed after re-downloading the gpg key:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
themontyhouse commented 3 years ago

Same issue here during apt-get update:

Err:12 https://packages.sury.org/nginx-mainline stretch InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Err:13 https://packages.sury.org/php stretch InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

Appears fixed after re-downloading the gpg key:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]

This fixed it for me wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg worked for me

stefanux commented 3 years ago

how delete old key (if "apt-key list" shows that the expired key is still in /etc/apt/trusted.gpg): apt-key del 95BD4743

import new keyring: wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

update package-list: apt-get update

waynedixon commented 3 years ago

I re-checked again, and there is a second copy of the expired key in a different location. @stefanux's answer is the solution. Even if you have downloaded the new key, it is best to follow @stefanux's steps. If you run as root, you may need to change the permissions on the downloaded file to 644 for it to be readable.

oerdnj commented 3 years ago

I have reopened the issue to prevent duplicates...

derjohn commented 3 years ago

Better Style, use apt-key add


apt-key del 95BD4743; wget -nv -O - "https://packages.sury.org/php/apt.gpg" | apt-key add -
oerdnj commented 3 years ago

Better Style, use apt-key add

Actually, not really better style:

$ apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Extronic commented 3 years ago

Same issue here during apt-get update:

Err:12 https://packages.sury.org/nginx-mainline stretch InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Err:13 https://packages.sury.org/php stretch InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

Appears fixed after re-downloading the gpg key:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]

This fixed it for me too.

tauceti82 commented 3 years ago

I still cannot fix the error with the provided steps: deleted the key and reimported it with steps:

apt-key del B188E2B695BD4743 wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg apt-get update

but still getting:

Err:4 https://packages.sury.org/php buster InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

apt-key list: /etc/apt/trusted.gpg.d/php.gpg ------------------------------ pub rsa3072 2019-03-18 [SC] [expires: 2024-02-16] 1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743 uid [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org> sub rsa3072 2019-03-18 [E] [expires: 2024-02-16]

indigoxela commented 3 years ago

@tauceti82 are you deleting the wrong key?

The suggestion of @stefanux was:

apt-key del 95BD4743

(Then get the new one again.) That worked without any problems for me on several servers. (Many thanks for sharing the solution, BTW)

tauceti82 commented 3 years ago

@tauceti82 are you deleting the wrong key?

The suggestion of @stefanux was:

apt-key del 95BD4743

That worked without any problems for me on several servers. (Many thanks for sharing the solution, BTW)

I tried both...but the error points at key EXPKEYSIG B188E2B695BD4743 so I deleted this key. it is the same as 95BD4743 butonly the last 8 digits...so it shouldn't matter

indigoxela commented 3 years ago

@tauceti82

Your apt-key list output is truncated. It shows the new key. Does the full listing still contain the expired one?

tauceti82 commented 3 years ago

@tauceti82

Your apt-key list output is truncated. It shows the new key. Does the full listing still contain the expired one?

it only contains one entry for /etc/apt/trusted.gpg.d/php.gpg which I already posted

nboisteault commented 3 years ago

@tauceti82 I did : 

apt-key del B188E2B695BD4743
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

and it worked fine.

tauceti82 commented 3 years ago

@tauceti82 I did :

apt-key del B188E2B695BD4743
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

and it worked fine.

thats what I exactly described above what I did and still I get the error :(

oerdnj commented 3 years ago

Post the full apt-key list output.

oerdnj commented 3 years ago

For the next transition, I'll prepare something like debsuryorg-archive-keyring package, so the new trust period is updated automatically.

tauceti82 commented 3 years ago

Post the full apt-key list output.


--------------------
pub   rsa2048 2013-09-16 [SC]
      4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4
uid           [ unknown] Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
sub   rsa2048 2013-09-16 [E]

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
uid           [ unknown] Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-----------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
--------------------------------------------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
Jdogzz commented 3 years ago

I can confirm the same behavior that @tauceti82 is experiencing on my end. I have followed every set of instructions in this thread, including verifying the permissions of the file /etc/apt/trusted.gpg.d/php.gpg as noted in @waynedixon 's response to @stefanux 's solution, and made sure to try rebooting, and no dice. My key file output is as follows after all the instructions:

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
uid           [ unknown] Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-----------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
--------------------------------------------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]

The apt-get update results in the same:

Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://security.debian.org buster/updates InRelease                                                                        
Hit:3 https://packages.sury.org/php buster InRelease                                                                             
Ign:4 http://archive.turnkeylinux.org/debian buster-security InRelease
Err:3 https://packages.sury.org/php buster InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Ign:5 http://archive.turnkeylinux.org/debian buster InRelease
Hit:6 http://archive.turnkeylinux.org/debian buster-security Release
Hit:8 http://archive.turnkeylinux.org/debian buster Release
Reading package lists... Done                             
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Adi-18 commented 3 years ago

Same for me. There is no expired key in apt-key list but get the same error.

oerdnj commented 3 years ago

Has anyone tried removing the key and then listing the active keys? It could be that the new key is masking the expired one, but then apt sees the expired key first.

tauceti82 commented 3 years ago

Has anyone tried removing the key and then listing the active keys? It could be that the new key is masking the expired one, but then apt sees the expired key first.

I removed the key via apt-key del and it was deleted meaning it was not listed in apt-key list and then loaded it again... did not work. BTW what does this [E] mean??? It is not there in other keys...

03-18 [E] [expires:

Adi-18 commented 3 years ago

Yes I tried it with no success.

Jdogzz commented 3 years ago

@oerdnj: Since @waynedixon commented that the expired key had been found in a second location I made sure to check my list after removing the expired key but before downloading the new one. It is not listed:

/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
uid           [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2019-04-14 [SC] [expires: 2027-04-12]
      5E61 B217 265D A980 7A23  C5FF 4DFA B270 CAA9 6DFA
uid           [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
sub   rsa4096 2019-04-14 [S] [expires: 2027-04-12]

/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-------------------------------------------------------
pub   rsa4096 2019-02-05 [SC] [expires: 2027-02-03]
      6D33 866E DD8F FA41 C014  3AED DCC9 EFBF 77E1 1517
uid           [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
uid           [ unknown] Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-----------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
--------------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]

/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
--------------------------------------------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

After that output, I again downloaded the new one, double-checked that it added the entry

/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]

to the end of the list, and ran apt-get update, but it errored out as I posted above.

Adi-18 commented 3 years ago

I have 3 independent system. If I first delete the key consequently and then add new key it works.

But if I just update the key (as often described on internet), I run into that problem.

tauceti82 commented 3 years ago

I have 3 independent system.

If I first delete the key consequently and then add new key it works.

But if I just update the key (as often described on internet), I run into that problem.

Thanks for analyzing. Can you somehow fix it afterwards?

oerdnj commented 3 years ago

I have 3 independent system.

If I first delete the key consequently and then add new key it works.

But if I just update the key (as often described on internet), I run into that problem.

Thanks for analyzing. Can you somehow fix it afterwards?

It seems like some bug in apt.

Perhaps removing the key, updating the apt (apt update) and then adding key might help?

The apt update should give you different error than expired signature key. If it doesn't you know there's key somewhere in the system.

Have you manually checked the /etc/apt/trusted.gpg.d/ for any cruft?

Also try running gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --list-keys and then for every file in aforementioned directory?

oerdnj commented 3 years ago

for f in /etc/apt/trusted.gpg.d/*; do gpg --no-default-keyring --keyring "$f" --list-keys; done

tauceti82 commented 3 years ago

for f in /etc/apt/trusted.gpg.d/*; do gpg --no-default-keyring --keyring "$f" --list-keys; done

What does this do exactly?? Ok I die it and it listed the keys...


...
etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]

/etc/apt/trusted.gpg.d/php.gpg~
-------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]
GhostLyrics commented 3 years ago

for f in /etc/apt/trusted.gpg.d/*; do gpg --no-default-keyring --keyring "$f" --list-keys; done

What does this do exactly?? Anyway I did in the console but it didn't work

Snippet translation:

for every file (=keyring) found in /etc/apt/trusted.gpg.d/
  list all keys excluding the ones from the default keyring
  1. If you want help, supply (copy & paste) the output of a command you are provided with, not just "did not work". To use a metaphor, you also tell the doctor your symptoms if you are hurt in order for them to help you. [However, I see you edited your reply. Sorry I came across a bit too strong. 😓 ]
  2. In general, it is adviceable not to run things you don't know what they are doing - In this case it's a bit less dangerous because oerdnj is the author of this repo/software, so if you're using the software you're already trusting them.
  3. You can always copy & paste things you do not understand into https://explainshell.com - it is a bit outdated but extremely helpful for users of all levels of skills. 👍
oerdnj commented 3 years ago

The question isn't whether it listed the correct keys, but whether it also listed something else that should not be there.

What I am saying is that you should carefully review all the files and all the keys and remove stuff that should not be there.

I am quite sure that there's some forgotten file that still list the old key and it is causing problems.

I would try removing the php.gpg file and then listing the keys again if something shows up.

It is a local configuration problem and you are the only one who can solve it, we can't administer your installation for you.

tauceti82 commented 3 years ago

The question isn't whether it listed the correct keys, but whether it also listed something else that should not be there.

What I am saying is that you should carefully review all the files and all the keys and remove stuff that should not be there.

I am quite sure that there's some forgotten file that still list the old key and it is causing problems.

I would try removing the php.gpg file and then listing the keys again if something shows up.

It is a local configuration problem and you are the only one who can solve it, we can't administer your installation for you.

Yes I also think that somewhere is a reference to the old key or some bug in apt. If anyone also affected by the problem could get it to work please Post here. I will continue looking...

oerdnj commented 3 years ago

Is there /etc/apt/trusted.gpg on your system and what keys it contains?

What's output of ls -l /etc/apt/trusted.gpg.d/?

tauceti82 commented 3 years ago

Is there /etc/apt/trusted.gpg on your system and what keys it contains?

What's output of ls -l /etc/apt/trusted.gpg.d/?


gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --list-keys
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2013-09-16 [SC]
      46095ACC8548582C1A2699A9D27D666CD88E42B4
uid           [ unknown] Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
sub   rsa2048 2013-09-16 [E]

~$ ls -l /etc/apt/trusted.gpg.d/
total 68
-rw-r--r-- 1 root root 8132 Apr 23  2019 debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23  2019 debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23  2019 debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23  2019 debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23  2019 debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23  2019 debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23  2019 debian-archive-stretch-automatic.gpg-rw-r--r-- 1 root root 7452 Apr 23  2019 debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23  2019 debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 1769 Feb 16 09:43 php.gpg
-rw-r--r-- 1 root root 1769 Feb 16 09:43 php.gpg~
oerdnj commented 3 years ago

And what happens if you remove both php.gpg and php.gpg~ and then do apt update?

oerdnj commented 3 years ago

Could you try running apt-key update? The command is deprecated, but perhaps on old system, it could do maintenance on the keyrings...

tauceti82 commented 3 years ago

And what happens if you remove both php.gpg and php.gpg~ and then do apt update?

I already did. When removing the keys apt Update complains that the key could not be found.

oerdnj commented 3 years ago

This is really a wild shot, but is your time and date correct on the affected machine?

tauceti82 commented 3 years ago

This is really a wild shot, but is your time and date correct on the affected machine?

Yup. Of course checked that also!

oerdnj commented 3 years ago

There's no "of course" when debugging... ;)

But I am a loss...

Do you have the same checksum on the file?

curl -sSL https://packages.sury.org/php/apt.gpg |sha256sum
b3ea944563435e54bb64f181ee8bc26200985d09164cdc4c1702fc3ef051f19d  -
tauceti82 commented 3 years ago

There's no "of course" when debugging... ;)

But I am a loss...

Do you have the same checksum on the file?

curl -sSL https://packages.sury.org/php/apt.gpg |sha256sum
b3ea944563435e54bb64f181ee8bc26200985d09164cdc4c1702fc3ef051f19d  -

Yes it has the same checksum. What about the others who also had this problem? Could you fix it?

derjohn commented 3 years ago

:shrug: Basically I deleted the old key and added the new one. That worked. Could it be that you use some cache or proxy that still has old signatures?

Jdogzz commented 3 years ago

I still haven't fixed it, but I've found a place where the problem seems to be reproducible with bare minimum configuring for anyone wanting a direct way to see it. I downloaded the VM for Nextcloud V 16.0 ( https://www.turnkeylinux.org/nextcloud ) went through the password configuring process, and immediately found the same behavior when doing apt update afterwards. Following the steps above for fixing the key did not fix the problem. I will cross-post an issue in their bug tracker.

Jdogzz commented 3 years ago

Ah, I spoke too soon. I was able to fix it in my case and it did turn out to be a key source that apt-key list wasn't listing. As discussed on this page on the Turnkey forums ( https://www.turnkeylinux.org/forum/support/fri-20190329-1841/when-updating-vm-nextcloud-v-151-error ), they store the key at the location /usr/share/keyrings/php-sury.org.gpg . Following the steps outlined on that post fixed the issue for me, essentially identical to the solutions already described here but with replacing the key file at its other location.

oerdnj commented 3 years ago

Yeah, that was going to be my next suggestion - use strace to look at all the files apt get opens.

tauceti82 commented 3 years ago

Ah, I spoke too soon. I was able to fix it in my case and it did turn out to be a key source that apt-key list wasn't listing. As discussed on this page on the Turnkey forums ( https://www.turnkeylinux.org/forum/support/fri-20190329-1841/when-updating-vm-nextcloud-v-151-error ), they store the key at the location /usr/share/keyrings/php-sury.org.gpg . Following the steps outlined on that post fixed the issue for me, essentially identical to the solutions already described here but with replacing the key file at its other location.

Omg you rock! I also use a turnkey Nextcloud image!!! I will check this ASAP!