Expired Debian key issue

[waynedixon]

After updating the deb.sury.org APT key, per the information on this page (https://www.patreon.com/posts/february-update-47617742) on Debian Stretch, I am receiving the following error:

Hit:5 https://packages.sury.org/php stretch InRelease
Err:5 https://packages.sury.org/php stretch InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org Reading package lists... Done W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org

I updated the APT key on another system, running Debian Buster, and that one worked fine. I also tried manually installing the updated apt.gpg file, and it still shows the same error. So, I think there may be an issue with the signature on the Debian Stretch InRelease file.

[Adi-18]

Yeah,

wget -O /usr/share/keyrings/php-sury.org.gpg https://packages.sury.org/php/apt.gpg

did the trick for me.

[tauceti82]

Yeah,

wget -O /usr/share/keyrings/php-sury.org.gpg https://packages.sury.org/php/apt.gpg

did the trick for me.

Yes thank you!!! It also worked for me. Damn that was really hard because it isn't listed with apt-key list. Don't know why turnkey uses different locations. Thanks everyone and especially Ondrej!!!

[DerDanilo]

@tauceti82 I did :

apt-key del B188E2B695BD4743
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

and it worked fine.

This one works on stretch. Didn't on Buster (for me). Weird.

[tauceti82]

@tauceti82 I did :

apt-key del B188E2B695BD4743

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

and it worked fine.

This one works on stretch. Didn't on Buster (for me). Weird.

From the linked turnkey forum Post use this to find out where the pgp key is linked:

You can use grep to check for both the existence of sury.org in the sources.lists and whether or not it's locked to the specific key file, using grep. I.e.:

grep -r sury.org /etc/apt/sources.list*

[vrubiolo]

Just wanted to let you know that I had the same issue on a Gandi VPS Stretch image and that removing the key and adding it back as suggested here worked for me (adapting the key path to what I had of course).

Expired key shown via apt-key:

/etc/apt/trusted.gpg.d/extra_php_version.gpg
--------------------------------------------
pub   rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

edit: fixed typos

[OverlordDvlp]

on my side I have do this : wget -O /usr/share/keyrings/php-sury.org.gpg https://packages.sury.org/php/apt.gpg as the content of my repo is:

# DEB.SURY.ORG repo for php

deb [signed-by=/usr/share/keyrings/php-sury.org.gpg] https://packages.sury.org/php/ buster main

And it work fine. Im based on LXC turnkey nextcloud on proxmox environment,

[wdseelig]

I think I'm in a catch 22 here. I am trying to create a Docker image and find that I cannot RUN apt-get update because of this key issue. I need to run wget in order to get the new key, but I can't install wget until I run apt-get update. Any suggestions?

[oerdnj]

You know you can copy local files to the image?

[wdseelig]

Thanks for this. Yes, I know I can copy local files to the image, but I also need to install packages into the image and think I need to be able to run apt-get in order to do that?

[wdseelig]

I can run wget on my Mac to get one of the keys described in the comments above, but then I would have to figure out a way to pass that to apt-get, wouldn't I?

[wdseelig]

To be clear about this, I cannot, while doing a Docker build, even execute a RUN apt-get update command because of this key error, and I cannot install wget in order to implement any of the proposed fixes above without running apt-get update.

[wdseelig]

Finally figured this out and am posting this to help anybody else with similar issues.

1. Navigated to the link above: https://packages.sury.org/php/apt.gpg
2. This downloaded a file apt.gpg
3. Renamed this file GoodKey.gpg
4. Copied GoodKey.gpg into the directory containing the Dockerfile that I'm using to build my image
5. Added a COPY command in my Dockerfile to put GoodKey.gpg into my container
6. Modified my Dockerfile RUN command as follows: RUN apt-key del B188E2B695BD4743 \ && apt-key add GoodKey.gpg \ && apt-get update -yqq \ ... the rest of my apt-get install commands
7. and that pretty much did it.

Thanks to oerdnj for the hint about copying files into the container.