
Comments (26)

rfay avatar rfay commented on June 30, 2024 5

I see that the apt key has been updated, thank you very much.

Initial situation:

gpg --list-options show-sig-expire deb.sury.org-php.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           DEB.SURY.ORG Automatic Signing Key <[email protected]>
sub   rsa3072 2019-03-18 [E] [expires: 2024-02-16]

After curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg

gpg --list-options show-sig-expire deb.sury.org-php.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           DEB.SURY.ORG Automatic Signing Key <[email protected]>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]

from deb.sury.org.

bcremer avatar bcremer commented on June 30, 2024 1

Can confirm that installing debsuryorg-archive-keyring pulled the latest keyring versions:

$ ls -lha /usr/share/keyrings/deb.sury.org-*
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-apache2.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-bind-dev.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-bind-esv.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-bind.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-nginx.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
-rw-r--r-- 1 root root 1,8K Feb  5 16:20 /usr/share/keyrings/deb.sury.org-php.gpg

$ gpg --list-options show-sig-expire  /usr/share/keyrings/deb.sury.org-php.gpg
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      15058500A0235D97F5D10063B188E2B695BD4743
uid           DEB.SURY.ORG Automatic Signing Key <[email protected]>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]

from deb.sury.org.

michizubi-SRF avatar michizubi-SRF commented on June 30, 2024 1

@brenc Thanks for the hint :) We're using Puppet for all our servers.

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

Could you try installing debsuryorg-archive-keyring package by hand for now?

I'll automate it later, but I need more people to confirm that installing that package works fine.

from deb.sury.org.

michizubi-SRF avatar michizubi-SRF commented on June 30, 2024

The key is used on a lot of machines.
I'd rather not install that manually on all of them :)

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

> The key is used on a lot of machines. I'd rather not install that manually on all of them :)

And I'd rather not break "a lot of machines" by automating something that will then need manual intervention, so I need confirmation that apt install debsuryorg-archive-keyring works as expected.

from deb.sury.org.

rfay avatar rfay commented on June 30, 2024

@oerdnj is apt install debsuryorg-archive-keyring the new official technique? I don't see it showing up in https://packages.sury.org/php/README.txt

We'll need to do a release of DDEV so people will have the new key using the official technique, and it sounds like all apt updates will be broken before that?

Please give the full new suggested technique. Right now my testing is blocked by the intermittent

which is happening consistently right now. I'm absolutely not sure where that comes from and when it happens.

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

I am not sure yet about the bootstrapping. The apt.gpg will still stay in the place. But I need a method to automatically update the keys.

from deb.sury.org.

rfay avatar rfay commented on June 30, 2024

I guess the primary request in this issue is to update the apt.gpg ASAP, that alone would solve things for me.

apt install debsuryorg-archive-keyring works for me, but it may only be working after having installed the apt.gpg, and so that seems like a possible chicken-and-egg scenario? I'll test any from-scratch install that you propose.

/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
---------------------------------------------
pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <[email protected]>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

I’ll probably upload the keyring package to the repository root and update the instructions to install the deb by hand first.

I’ll keep the apt.gpg for the next 2 years.

from deb.sury.org.

rfay avatar rfay commented on June 30, 2024

This is quite urgent, right, as reported by the OP? Both techniques (but especially the traditional technique) need to work right away, or all apt update on all machines that use deb.sury.org will be broken?

from deb.sury.org.

michizubi-SRF avatar michizubi-SRF commented on June 30, 2024

Thanks a lot for updating the key.
This solves the issue for me for the moment.

from deb.sury.org.

brenc avatar brenc commented on June 30, 2024

Just added this to our build. All good. 👍

For reference, the full URL is https://packages.sury.org/debsuryorg-archive-keyring.deb. Here are my Ansible plays for this:

- name: apt | Add the deb.sury.org key(s) and repo
  tags: apt
  block:
    - name: apt | Remove old key
      ansible.builtin.file:
        path: /usr/share/keyrings/deb.sury.org-php.gpg
        state: absent

    - name: apt | Install the debsuryorg-archive-keyring.deb package
      ansible.builtin.apt:
        deb: https://packages.sury.org/debsuryorg-archive-keyring.deb

    - name: apt | Remove the old Sury PHP repo
      ansible.builtin.apt_repository:
        repo: deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main
        state: absent

    - name: apt | Add Sury PHP repo
      ansible.builtin.apt_repository:
        repo: deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main
        state: present

# Packages are now available to install.

@michizubi-SRF check out Ansible. Super helpful for stuff like this.

from deb.sury.org.

hardfalcon avatar hardfalcon commented on June 30, 2024

Are there any plans to include/update/replace the PPA signing key as well?

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

If you updated recently, the new keyring package should have been installed.

from deb.sury.org.

aerogus avatar aerogus commented on June 30, 2024

Thanks for this thread, I can confirm that executing apt install debsuryorg-archive-keyring has resolved the problem of the expiring key.

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

FTR it might be required to remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory. The list of the installed keys from the debsuryorg-archive-keyring package is:

/etc/apt/trusted.gpg.d/debsuryorg-archive.gpg
/usr/share/keyrings/deb.sury.org-apache2.gpg
/usr/share/keyrings/deb.sury.org-bind-dev.gpg
/usr/share/keyrings/deb.sury.org-bind-esv.gpg
/usr/share/keyrings/deb.sury.org-bind.gpg
/usr/share/keyrings/deb.sury.org-nginx-mainline.gpg
/usr/share/keyrings/deb.sury.org-nginx.gpg
/usr/share/keyrings/deb.sury.org-php.gpg

This should work for both old (using global keyring) and new installations (using signed-by= in sources.list).

from deb.sury.org.
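
An added example (not part of the thread and not the project's own tooling) of checking which keyring files still hold an expired copy of the key, which is the situation the comment above warns about. It assumes a GnuPG that provides `--show-keys` and epoch-second expiry dates in `--with-colons` output; the sample listing line is constructed, using the key ID quoted in the thread.

```shell
#!/bin/sh
# Added example: report keyring files that still carry an expired primary key.

# expired_pubkeys NOW
# Reads `gpg --with-colons` key listings on stdin. Field 5 is the key ID and
# field 7 the expiry (epoch seconds). Prints "KEYID EXPIRY" for every primary
# key whose expiry is at or before NOW. Keys without an expiry are skipped.
expired_pubkeys() {
    awk -F: -v now="$1" '
        $1 == "pub" && $7 != "" && $7 + 0 <= now + 0 { print $5, $7 }
    '
}

# audit_keyrings FILE...
# Runs gpg on each readable file and prints the files holding expired keys.
audit_keyrings() {
    now=$(date +%s)
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(gpg --show-keys --with-colons "$f" 2>/dev/null | expired_pubkeys "$now")
        if [ -n "$hits" ]; then
            printf '%s: expired %s\n' "$f" "$hits"
        fi
    done
}

# Constructed sample: one listing line with the old expiry (2024-02-16) and one
# with the renewed expiry (2026-02-04), evaluated as of 2024-02-29.
sample_old='pub:e:3072:1:B188E2B695BD4743:1552867200:1708041600::-:::sc::::::23::0:'
sample_new='pub:-:3072:1:B188E2B695BD4743:1552867200:1770163200::-:::scESC::::::23::0:'
printf '%s\n%s\n' "$sample_old" "$sample_new" | expired_pubkeys 1709164800

# On a real host (needs gpg):
#   audit_keyrings /etc/apt/trusted.gpg.d/*.gpg /usr/share/keyrings/deb.sury.org-*.gpg
```

Any file reported by `audit_keyrings` is a stale copy that apt may still consult for sources that do not pin a keyring with `signed-by=`.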

rfay avatar rfay commented on June 30, 2024

Agreed, would this be implemented in the debsuryorg-archive-keyring.deb ?

I see that https://packages.sury.org/php/README.txt has been updated with the new approach, thanks

${SUDO} curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
${SUDO} dpkg -i /tmp/debsuryorg-archive-keyring.deb

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

> Agreed, would this be implemented in the debsuryorg-archive-keyring.deb ?

What do you mean by "this"?

from deb.sury.org.

rfay avatar rfay commented on June 30, 2024

> What do you mean by "this"?

I was responding to your

> FTR it might be required to remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory

It (might be) cool for the debsuryorg-archive-keyring.deb to do this cleanup?

from deb.sury.org.

RaidOpe avatar RaidOpe commented on June 30, 2024

Even though I ran sudo apt install debsuryorg-archive-keyring

it still showed up

Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

apt-key

pub   rsa3072 2019-03-18 [SC] [expires: 2026-02-04]
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ unknown] DEB.SURY.ORG Automatic Signing Key <[email protected]>
sub   rsa3072 2019-03-18 [E] [expires: 2026-02-04]

> remove the old (expired) key out of the /etc/apt/trusted.gpg.d directory.

THEN I exec sudo rm what you listed ......

E: Conflicting values set for option Signed-By regarding source https://packages.sury.org/php/ bookworm: /usr/share/keyrings/deb.sury.org-php.gpg != /usr/share/keyrings/suryphp-archive-keyring.gpg
E: The list of sources could not be read.

I guess I lost my apt

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

> /usr/share/keyrings/suryphp-archive-keyring.gpg

where does this come from?

from deb.sury.org.
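
An added example (not from the thread) of locating which source files produce the "Conflicting values set for option Signed-By" error reported above. It only reads one-line `deb ...` entries, not deb822 `.sources` files; the sample file names `php.list` and `sury-php.list` are hypothetical and their contents are constructed from the two keyring paths in the error message.

```shell
#!/bin/sh
# Added example: find one-line apt source entries that name the same
# repository and suite but different signed-by= keyrings.

# signed_by_conflicts FILE...
# Prints one line per conflicting pair, naming both keyrings and both files.
# An entry without signed-by= is compared as "<unset>".
signed_by_conflicts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 != "deb" && $1 != "deb-src" { next }
        {
            line = $0; key = "<unset>"
            if (match(line, /\[[^]]*\]/)) {
                opts = substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
                n = split(opts, o, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (tolower(o[i]) ~ /^signed-by=/) key = substr(o[i], 11)
            }
            $0 = line                      # re-split without the [options]
            uri = $2; sub(/\/$/, "", uri)  # treat ".../php/" and ".../php" alike
            src = uri " " $3
            if (!(src in seen)) { seen[src] = key; where[src] = FILENAME; next }
            if (seen[src] != key)
                printf "%s: %s (%s) != %s (%s)\n", src, seen[src], where[src], key, FILENAME
        }
    ' "$@"
}

# Constructed sample files reproducing the two keyring paths from the error.
dir=$(mktemp -d)
echo 'deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bookworm main' > "$dir/php.list"
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/suryphp-archive-keyring.gpg] https://packages.sury.org/php bookworm main' > "$dir/sury-php.list"
signed_by_conflicts "$dir"/*.list
rm -rf "$dir"

# On a real host:
#   signed_by_conflicts /etc/apt/sources.list /etc/apt/sources.list.d/*.list
```

The file named second in each reported line is usually the leftover entry to remove or align with the keyring path that the installed package actually provides.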

krishadialpad avatar krishadialpad commented on June 30, 2024

Hi,
For
https://packages.sury.org/php/README.txt

${SUDO} apt-get update

shouldn't it be ${SUDO} apt-get update || true at first line?
because it's inducing error for key
Also can we delete the key from tmp folder after apt-get update?

from deb.sury.org.

sandsjh avatar sandsjh commented on June 30, 2024

I have tried sudo apt install debsuryorg-archive-keyring with no luck.

I have deleted everything sury I can find. find / -iname *sury* and reran the https://packages.sury.org/php/README.txt . I am still getting errors and used "https://packages.sury.org/php/README.txt" again (the bash file).

Err:8 https://packages.sury.org/apache2 bullseye InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>

All packages are up to date. W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]> W: Failed to fetch https://packages.sury.org/apache2/dists/bullseye/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]> W: Some index files failed to download. They have been ignored, or old ones used instead.

from deb.sury.org.

oerdnj avatar oerdnj commented on June 30, 2024

You need to download the package manually and install it by hand if you hadn’t managed to update the repository in time.

from deb.sury.org.

sandsjh avatar sandsjh commented on June 30, 2024

> You need to download the package manually and install it by hand if you hadn’t managed to update the repository in time.

I have done so and got the following error. Even though rebooting is rarely required in Debian, I have done so and tried again.

```
root@azure:~/sh# wget https://packages.sury.org/debsuryorg-archive-keyring.deb
--2024-02-29 17:56:31-- https://packages.sury.org/debsuryorg-archive-keyring.deb
Resolving packages.sury.org (packages.sury.org)... 212.102.40.114
Connecting to packages.sury.org (packages.sury.org)|212.102.40.114|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4416 (4.3K) [application/octet-stream]
Saving to: ‘debsuryorg-archive-keyring.deb’

debsuryorg-archive-keyring.deb 100%[=======================================================================================================================================>] 4.31K --.-KB/s in 0s

2024-02-29 17:56:32 (88.9 MB/s) - ‘debsuryorg-archive-keyring.deb’ saved [4416/4416]

root@azure:~/sh# dpkg -i debsuryorg-archive-keyring.deb
```

```
root@azure:~/sh# apt update
Hit:1 http://download.zerotier.com/debian/bullseye bullseye InRelease
Hit:2 http://debian-archive.trafficmanager.net/debian bullseye InRelease
Hit:3 http://debian-archive.trafficmanager.net/debian-security bullseye-security InRelease
Hit:4 http://debian-archive.trafficmanager.net/debian bullseye-updates InRelease
Hit:5 http://debian-archive.trafficmanager.net/debian bullseye-backports InRelease
Get:6 https://packages.sury.org/apache2 bullseye InRelease [7479 B]
Get:7 https://packages.sury.org/php bullseye InRelease [7551 B]
Ign:8 https://download.webmin.com/download/newkey/repository stable InRelease
Hit:9 https://download.webmin.com/download/newkey/repository stable Release
Get:11 https://pkgs.tailscale.com/stable/debian bullseye InRelease
Get:12 https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian bullseye InRelease [4634 B]
Err:6 https://packages.sury.org/apache2 bullseye InRelease
The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key [email protected]
Hit:13 https://nginx.org/packages/mainline/debian bullseye InRelease
Hit:10 https://packagecloud.io/ookla/speedtest-cli/debian bullseye InRelease
Hit:15 https://apt.hestiacp.com bullseye InRelease
Reading package lists... Done
W: GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key [email protected]
E: The repository 'https://packages.sury.org/apache2 bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

from deb.sury.org.
