- Fixing the expired public key for packages.sury.org on Debian 10 Buster.
- Debian packages.sury.org GPG Key Expiry
- Fixing invalid public key for packages.sury.org
- What if our Sury.org repository is not updated due to a GPG signing error on our Debian server?
- The symptom
- The solution
- Conclusion
Fixing the expired public key for packages.sury.org on Debian 10 Buster.
Нет доверия сертификату для «packages.sury.org». ОШИБКА: Срок действия сертификата «packages.sury.org» истёк.
apt-get update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://security.debian.org/debian-security buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Get:4 https://packages.sury.org/php buster InRelease [6837 B]
Err:4 https://packages.sury.org/php buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
Hit:5 https://repo.zabbix.com/zabbix/5.4/debian buster InRelease
Reading package lists. Done
W: GPG error: https://packages.sury.org/php buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
E: The repository 'https://packages.sury.org/php buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
To fix this, run the commands below:
sudo rm -rf /etc/apt/trusted.gpg.d/php.gpg
sudo apt-key del B188E2B695BD4743
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
To verify, refresh the repository data:
If errors occur while updating the keys, most likely one of the packages below is missing from the system:
apt-get install -y gnupg2 ca-certificates lsb-release apt-transport-https
Debian packages.sury.org GPG Key Expiry
While updating some servers I ran into an issue when updating the available packages. These servers are using the third party repository packages.sury.org to get alternative PHP releases. The error was:
server myuser # apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster-backports InRelease [46.7 kB]
Hit:3 http://deb.debian.org/debian buster InRelease
.
Err:6 https://packages.sury.org/php buster InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: Some index files failed to download. They have been ignored, or old ones used instead.
Some sources suggested replacing the GPG key in /etc/apt/trusted.gpg.d/php.gpg:
rm /etc/apt/trusted.gpg.d/php.gpg
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
apt update
In my case this did not work because the /etc/apt/trusted.gpg.d/php.gpg file didn’t exist. This is because the keys were imported directly using apt-key by Puppet, which adds them to a shared keyring.
To fix it, the updated key just needs to be received by apt-key:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
The key should be updated and the package source update should now be working:
server myuser # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
Executing: /tmp/apt-key-gpghome.eZuFyt6jRw/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys B188E2B695BD4743
gpg: key B188E2B695BD4743: "DEB.SURY.ORG Automatic Signing Key " 2 new signatures
gpg: Total number processed: 1
gpg: new signatures: 2
server myuser # apt update
Hit:1 http://security.debian.org/debian-security buster/updates InRelease
Get:2 https://packages.sury.org/php buster InRelease [6,823 B]
Hit:3 http://mirror.aarnet.edu.au/pub/MariaDB/repo/10.5/debian buster InRelease
Hit:4 http://deb.debian.org/debian buster-backports InRelease
Hit:5 http://deb.debian.org/debian buster InRelease
Hit:6 http://apt.puppetlabs.com buster InRelease
Hit:7 https://download.docker.com/linux/debian buster InRelease
Hit:8 http://deb.debian.org/debian buster-proposed-updates InRelease
Hit:9 https://nginx.org/packages/mainline/debian buster InRelease
Hit:10 http://deb.debian.org/debian buster-updates InRelease
Get:11 https://packages.sury.org/php buster/main amd64 Packages [316 kB]
Hit:12 http://ftp.au.debian.org/debian buster InRelease
Hit:13 http://ftp.au.debian.org/debian buster-updates InRelease
Fetched 323 kB in 3s (125 kB/s)
Reading package lists. Done
Building dependency tree
Reading state information. Done
102 packages can be upgraded. Run 'apt list --upgradable' to see them.
server myuser #
Fixing invalid public key for packages.sury.org
Update 21 March 2021: there’s been a recent uptick in traffic to this page – the current problem everyone is having is due to an expired key. Read more in this deb.sury.org GitHub issue.
Solution (Debian 10.8 Buster):
(comments in various places suggest removing the old key is crucial)
sudo apt-key del B188E2B695BD4743
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
Useful command worth noting:
Original April 2019 blog post:
If you’re running Debian and using:
deb https://packages.sury.org/php/ stretch main
(it might be in /etc/apt/sources.list.d/php.list rather than the usual sources.list)
Err:5 https://packages.sury.org/php stretch InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
Reading package lists. Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Some index files failed to download. They have been ignored, or old ones used instead.
This isn’t widely blogged yet, however the best source of info is the Issue queue for the deb.sury.org GitHub repository – it turns out that in mid-March, the key for each repository on sury.org was regenerated due to a compromised server.
Here’s the command to download the new one, after which apt will work as expected.
What if our Sury.org repository is not updated due to a GPG signing error on our Debian server?
If we use custom PHP versions on our Debian server that we update from the Sury.org repository, then we have previously configured this repository, and until now APT updated the packages from it without any problems. However, an update may produce an error in the package manager, and we may not be able to get the latest packages. We will remedy this problem in this short troubleshooter.
The symptom
When, as root, we issue the command to update the repository database on a Debian 10 (Buster) system:
then we get the following error or something like this:
Hiba:4 https://packages.sury.org/php buster InRelease
  Az alábbi aláírások érvénytelenek voltak: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
Csomaglisták olvasása. Kész
W: Hiba történt az aláírás ellenőrzése közben. A tároló nem frissült, és az előző indexfájl lesz használva. GPG hiba: https://packages.sury.org/php buster InRelease: Az alábbi aláírások érvénytelenek voltak: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: Sikertelen letöltés: https://packages.sury.org/php/dists/buster/InRelease Az alábbi aláírások érvénytelenek voltak: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: Néhány indexfájlt nem sikerült letölteni. Figyelmen kívül lettek hagyva, vagy régebbiek lettek felhasználva.
The solution
The signing key for the Sury.org DPA has changed, so we need to replace our copy of it. All you have to do is run one command as root:
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
Then our repository databases update again:
Conclusion
If at any time the signing key of a repository changes, as has now happened with the Sury.org repository, all you have to do is re-download the fresh GPG key and our repository database will update again. This does not affect any of the Launchpad PPAs (on Ubuntu systems), only the Debian repositories.
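
The wget step used in the fixes above writes whatever the server returns straight into apt's trusted keyring directory. The following is an added example, not taken from any of the original posts: it downloads to a temporary file first and installs the key only if it carries the expected key ID and is neither expired nor revoked. The function names and the sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded apt signing key before trusting it.
# Long key ID taken from the apt errors quoted on this page. A 64-bit ID is a
# weak pin; compare the full fingerprint if you have it from a trusted channel.
EXPECTED_KEYID="B188E2B695BD4743"

# key_status KEYID NOW_EPOCH   (reads `gpg --with-colons` output on stdin)
# Prints exactly one of: ok, expired, revoked, missing.
key_status() {
    awk -F: -v want="$1" -v now="$2" '
        # pub record: field 2 = validity, 5 = long key ID, 7 = expiry (epoch)
        $1 == "pub" { seen[$5] = 1; validity[$5] = $2; expiry[$5] = $7 }
        END {
            if (!(want in seen))        { print "missing"; exit }
            if (validity[want] == "r")  { print "revoked"; exit }
            if (validity[want] == "e")  { print "expired"; exit }
            if (expiry[want] != "" && expiry[want] + 0 <= now + 0) {
                print "expired"; exit
            }
            print "ok"
        }'
}

# vet_and_install KEYFILE DEST: install the key only if it passes key_status.
# (Hypothetical helper; needs a gpg that supports --show-keys.)
vet_and_install() {
    status=$(gpg --show-keys --with-colons "$1" |
             key_status "$EXPECTED_KEYID" "$(date +%s)") || return 1
    if [ "$status" != "ok" ]; then
        echo "refusing to install $1: key $EXPECTED_KEYID is $status" >&2
        return 1
    fi
    install -m 0644 "$1" "$2"
}

# Typical use, as root:
#   wget -O /tmp/php.gpg https://packages.sury.org/php/apt.gpg &&
#   vet_and_install /tmp/php.gpg /etc/apt/trusted.gpg.d/php.gpg

# Constructed colon listings (not real gpg output for this key): the same key
# ID with an expiry in early March 2021, and again with a later expiry.
SAMPLE_EXPIRED='pub:-:3072:1:B188E2B695BD4743:1552000000:1615000000::-:::scESC:'
SAMPLE_RENEWED='pub:-:3072:1:B188E2B695BD4743:1552000000:1700000000::-:::scESC:'
```

Running key_status against the keyring that apt already trusts shows the same expired state that apt reports as EXPKEYSIG.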