Closed michizubi-SRF closed 7 months ago
Could you try installing the debsuryorg-archive-keyring package by hand for now?
I'll automate it later, but I need more people to confirm that installing that package works fine.
The key is used on a lot of machines. I'd rather not install that manually on all of them :)
And I'd rather not break "a lot of machines" by automating something that will then need manual intervention, so I need confirmation that apt install debsuryorg-archive-keyring works as expected.
@oerdnj is apt install debsuryorg-archive-keyring the new official technique? I don't see it showing up in https://packages.sury.org/php/README.txt
We'll need to do a release of DDEV so people will have the new key using the official technique, and it sounds like all apt updates will be broken before that?
Please give the full new suggested technique. Right now my testing is blocked by the intermittent
which is happening consistently right now. I'm absolutely not sure where that comes from and when it happens.
I am not sure yet about the bootstrapping. The apt.gpg will still stay in place. But I need a method to automatically update the keys.
I guess the primary request in this issue is to update the apt.gpg ASAP, that alone would solve things for me.
apt install debsuryorg-archive-keyring works for me, but it may only be working after having installed the apt.gpg, and so that seems like a possible chicken-and-egg scenario? I'll test any from-scratch install that you propose.
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
---------------------------------------------
pub rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub rsa3072 2019-03-18 [E] [expires: 2026-02-04]
I’ll probably upload the keyring package to the repository root and update the instructions to install the deb by hand first.
I’ll keep the apt.gpg for the next 2 years.
This is quite urgent, right, as reported by the OP? Both techniques (but especially the traditional technique) need to work right away, or apt update on all machines that use deb.sury.org will be broken?
I see that the apt key has been updated, thank you very much.
Initial situation:
gpg --list-options show-sig-expire deb.sury.org-php.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
15058500A0235D97F5D10063B188E2B695BD4743
uid DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub rsa3072 2019-03-18 [E] [expires: 2024-02-16]
After curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg:
gpg --list-options show-sig-expire deb.sury.org-php.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
15058500A0235D97F5D10063B188E2B695BD4743
uid DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub rsa3072 2019-03-18 [E] [expires: 2026-02-04]
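The manual gpg inspection above, turned into a check that runs over every keyring apt trusts and flags keys that are expired or about to expire. This is an added example, not code from the thread or from the deb.sury.org project; the gpg colon-format sample records are constructed (real fingerprint and key id from the thread, assumed creation time, placeholder subkey fingerprint).

```shell
#!/bin/sh
# Added example (not from the thread or deb.sury.org): flag apt signing
# keys that are expired or close to expiry, the condition that broke
# `apt update` in this thread.

# report_expiry NOW_EPOCH WARN_DAYS   (gpg --with-colons records on stdin)
# pub/sub records carry the expiry epoch in field 7; the fpr record that
# follows each carries the full fingerprint in field 10.
report_expiry() {
  awk -F: -v now="$1" -v warn="$2" '
    $1 == "pub" || $1 == "sub" { type = $1; expiry = $7; next }
    $1 == "fpr" && type != "" {
      if (expiry != "") {
        left = int((expiry - now) / 86400)
        if (expiry <= now)
          printf "%s %s expired %d days ago\n", type, $10, -left
        else if (left < warn)
          printf "%s %s expires in %d days\n", type, $10, left
      }
      type = ""; expiry = ""
    }'
}

# scan_apt_keyrings WARN_DAYS: check every keyring apt trusts, both the
# legacy global directory and the signed-by= keyrings.
scan_apt_keyrings() {
  for f in /etc/apt/trusted.gpg.d/*.gpg /usr/share/keyrings/*.gpg; do
    [ -f "$f" ] || continue
    # --show-keys lists a keyring file without importing it
    gpg --show-keys --with-colons "$f" 2>/dev/null \
      | report_expiry "$(date +%s)" "$1" | sed "s|^|$f: |"
  done
}

# Constructed sample: the deb.sury.org key as it stood before the 2024-02-05
# update (fingerprint from the thread, expiry 2024-02-16 00:00 UTC =
# 1708041600). Creation time and the subkey fingerprint are placeholders.
SAMPLE='pub:-:3072:1:B188E2B695BD4743:1552926990:1708041600::-:::scSC::::::23::0:
fpr:::::::::15058500A0235D97F5D10063B188E2B695BD4743:
uid:-::::1552926990::0000000000000000000000000000000000000000::DEB.SURY.ORG Automatic Signing Key <deb@sury.org>::::::::::0:
sub:-:3072:1:0000000000000000:1552926990:1708041600:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Demo with "now" fixed at 2024-02-02 00:00 UTC (1706832000): 14 days left.
printf '%s\n' "$SAMPLE" | report_expiry 1706832000 30
```

Run `scan_apt_keyrings 30` from cron on the fleet to get a warning well before the date gpg prints in `[expires: ...]`; ASCII-armored `.asc` keyrings would need to be added to the glob.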
Can confirm that installing debsuryorg-archive-keyring pulled the latest keyring versions:
$ ls -lha /usr/share/keyrings/deb.sury.org-*
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-apache2.gpg
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-bind-dev.gpg
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-bind-esv.gpg
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-bind.gpg
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-nginx.gpg
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
-rw-r--r-- 1 root root 1,8K Feb 5 16:20 /usr/share/keyrings/deb.sury.org-php.gpg
$ gpg --list-options show-sig-expire /usr/share/keyrings/deb.sury.org-php.gpg
pub rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
15058500A0235D97F5D10063B188E2B695BD4743
uid DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub rsa3072 2019-03-18 [E] [expires: 2026-02-04]
Thanks a lot for updating the key. This solves the issue for me for the moment.
Just added this to our build. All good. 👍
For reference, the full URL is https://packages.sury.org/debsuryorg-archive-keyring.deb. Here are my Ansible plays for this:
- name: apt | Add the deb.sury.org key(s) and repo
  tags: apt
  block:
    - name: apt | Remove old key
      ansible.builtin.file:
        path: /usr/share/keyrings/deb.sury.org-php.gpg
        state: absent
    - name: apt | Install the debsuryorg-archive-keyring.deb package
      ansible.builtin.apt:
        deb: https://packages.sury.org/debsuryorg-archive-keyring.deb
    - name: apt | Remove the old Sury PHP repo
      ansible.builtin.apt_repository:
        repo: deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main
        state: absent
    - name: apt | Add Sury PHP repo
      ansible.builtin.apt_repository:
        repo: deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main
        state: present
    # Packages are now available to install.
@michizubi-SRF check out Ansible. Super helpful for stuff like this.
@brenc Thanks for the hint :) We're using Puppet for all our servers.
Are there any plans to include/update/replace the PPA signing key as well?
If you updated recently, the new keyring package should have been installed.
Thanks for this thread, I can confirm that executing apt install debsuryorg-archive-keyring has resolved the problem of the expiring key.
FTR it might be required to remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory. The list of the installed keys from the debsuryorg-archive-keyring package is:
/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
/usr/share/keyrings/deb.sury.org-apache2.gpg
/usr/share/keyrings/deb.sury.org-bind-dev.gpg
/usr/share/keyrings/deb.sury.org-bind-esv.gpg
/usr/share/keyrings/deb.sury.org-bind.gpg
/usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
/usr/share/keyrings/deb.sury.org-nginx.gpg
/usr/share/keyrings/deb.sury.org-php.gpg
This should work for both old (using global keyring) and new installations (using signed-by= in sources.list).
Agreed, would this be implemented in the debsuryorg-archive-keyring.deb ?
I see that https://packages.sury.org/php/README.txt has been updated with the new approach, thanks:
${SUDO} curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
${SUDO} dpkg -i /tmp/debsuryorg-archive-keyring.deb
What you mean by "this"?
I was responding to your
FTR it might be required to remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory
It (might be) cool for the debsuryorg-archive-keyring.deb to do this cleanup?
Even though I ran sudo apt install debsuryorg-archive-keyring, it still showed up:
Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
apt-key
pub rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub rsa3072 2019-03-18 [E] [expires: 2026-02-04]
remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory.
Then I executed sudo rm on what you listed ......
E: Conflicting values set for option Signed-By regarding source https://packages.sury.org/php/ bookworm: /usr/share/keyrings/deb.sury.org-php.gpg != /usr/share/keyrings/suryphp-archive-keyring.gpg
E: The list of sources could not be read.
I guess I lost my apt.
/usr/share/keyrings/suryphp-archive-keyring.gpg
Where does this come from?
Hi, for https://packages.sury.org/php/README.txt:
${SUDO} apt-get update
Shouldn't it be ${SUDO} apt-get update || true at the first line? Because it's inducing an error for the key. Also, can we delete the key from the tmp folder after apt-get update?
I have tried sudo apt install debsuryorg-archive-keyring with no luck.
I have deleted everything sury I can find (find / -iname *sury*) and reran the https://packages.sury.org/php/README.txt. I am still getting errors and used "https://packages.sury.org/php/README.txt" again (the bash file).
Err:8 https://packages.sury.org/apache2 bullseye InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/apache2/dists/bullseye/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
You need to download the package manually and install it by hand if you hadn’t managed to update the repository in time.
I have done so and got the following error. Even though rebooting is rarely required in Debian, I have done so and tried again.
root@azure:~/sh# wget https://packages.sury.org/debsuryorg-archive-keyring.deb
--2024-02-29 17:56:31-- https://packages.sury.org/debsuryorg-archive-keyring.deb
Resolving packages.sury.org (packages.sury.org)... 212.102.40.114
Connecting to packages.sury.org (packages.sury.org)|212.102.40.114|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4416 (4.3K) [application/octet-stream]
Saving to: ‘debsuryorg-archive-keyring.deb’

debsuryorg-archive-keyring.deb 100%[=======================================================================================================================================>] 4.31K --.-KB/s in 0s

2024-02-29 17:56:32 (88.9 MB/s) - ‘debsuryorg-archive-keyring.deb’ saved [4416/4416]

root@azure:~/sh# dpkg -i debsuryorg-archive-keyring.deb

root@azure:~/sh# apt update
Hit:1 http://download.zerotier.com/debian/bullseye bullseye InRelease
Hit:2 http://debian-archive.trafficmanager.net/debian bullseye InRelease
Hit:3 http://debian-archive.trafficmanager.net/debian-security bullseye-security InRelease
Hit:4 http://debian-archive.trafficmanager.net/debian bullseye-updates InRelease
Hit:5 http://debian-archive.trafficmanager.net/debian bullseye-backports InRelease
Get:6 https://packages.sury.org/apache2 bullseye InRelease [7479 B]
Get:7 https://packages.sury.org/php bullseye InRelease [7551 B]
Ign:8 https://download.webmin.com/download/newkey/repository stable InRelease
Hit:9 https://download.webmin.com/download/newkey/repository stable Release
Get:11 https://pkgs.tailscale.com/stable/debian bullseye InRelease
Get:12 https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian bullseye InRelease [4634 B]
Err:6 https://packages.sury.org/apache2 bullseye InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org
Hit:13 https://nginx.org/packages/mainline/debian bullseye InRelease
Hit:10 https://packagecloud.io/ookla/speedtest-cli/debian bullseye InRelease
Hit:15 https://apt.hestiacp.com bullseye InRelease
Reading package lists... Done
W: GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key deb@sury.org
E: The repository 'https://packages.sury.org/apache2 bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Thanks for the URL - I was doing dpkg -i on it and now all is back to normal again :)
@oerdnj do the install instructions need to be updated now that you've done a packaged install for the key? https://packages.sury.org/php/README.txt
The instructions are fine. Do you have any specific line in mind?
Ah, I see the debsuryorg-archive-keyring.deb is there. I just skimmed over it.
https://github.com/oerdnj/deb.sury.org/issues/2074#issuecomment-1927285759
We will change the DDEV install technique in https://github.com/ddev/ddev/blob/5ec62754dcf86ffa6a6c3447e35d2e361eb1a349/containers/ddev-php-base/Dockerfile#L62-L63 to use debsuryorg-archive-keyring.deb
Does that help prevent future key expiration trouble?
Yep, that was the whole point of introducing the package.
Hi,
I, too, ran into the problem with the expired gpg.key.
So I installed debsuryorg-archive-keyring as per the above advice.
But this doesn't change anything for me. I keep getting the error message about the signatures being invalid.
And after @RaidOpe's experience ("I guess I lost my apt"), I am a bit hesitant to delete files in my /etc/apt/trusted.gpg.d folder.
But even if I wanted to, there is only one sury-related file there: debsuryorg-archive.gpg
And it seems to be the new key.
But I still get the apt update error. So what to do now?
Thanks!
I wanted to know what the file debsuryorg-archive-keyring.deb listed in the README was doing, so I ran:
dpkg -c debsuryorg-archive-keyring.deb
drwxr-xr-x root/root 0 2024-02-05 16:20 ./
drwxr-xr-x root/root 0 2024-02-05 16:20 ./etc/
drwxr-xr-x root/root 0 2024-02-05 16:20 ./etc/apt/
drwxr-xr-x root/root 0 2024-02-05 16:20 ./etc/apt/trusted.gpg.d/
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
drwxr-xr-x root/root 0 2024-02-05 16:20 ./usr/
drwxr-xr-x root/root 0 2024-02-05 16:20 ./usr/share/
drwxr-xr-x root/root 0 2024-02-05 16:20 ./usr/share/doc/
drwxr-xr-x root/root 0 2024-02-05 16:20 ./usr/share/doc/debsuryorg-archive-keyring/
-rw-r--r-- root/root 468 2024-02-05 16:20 ./usr/share/doc/debsuryorg-archive-keyring/changelog.gz
-rw-r--r-- root/root 1250 2024-02-05 16:20 ./usr/share/doc/debsuryorg-archive-keyring/copyright
drwxr-xr-x root/root 0 2024-02-05 16:20 ./usr/share/keyrings/
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-apache2.gpg
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-bind-dev.gpg
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-bind-esv.gpg
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-bind.gpg
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-nginx.gpg
-rw-r--r-- root/root 1769 2024-02-05 16:20 ./usr/share/keyrings/deb.sury.org-php.gpg
Sorry if this is a noob question, but why do we need to have all those gpg files, if we only need to put [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] in our apt list file?
(I'm using Ansible too and this new method creates 10 files instead of the only one /usr/share/keyrings/deb.sury.org-php.gpg).
Thanks in advance.
There's a single package for all the repositories, and for the legacy system. It's not feasible to have a separate keyring package for each of the repositories.
Describe the bug
Apt key for the Debian package is expiring on 16.02.2024, see the following output:

To Reproduce
Steps to reproduce the behavior:

Your understanding of what is happening
The key should be updated to extend expiration.

What steps did you take to resolve the issue yourself before reporting it here
See section "To Reproduce".

Expected behavior
Key is not expiring in the next 2 weeks.

Distribution (please complete the following information):