Hi,
For several days now I keep receiving the following error when running the apt-get update command:
Hit:8 https://packages.sury.org/php stretch InRelease
Err:8 https://packages.sury.org/php stretch InRelease
The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
I’ve attempted to update the key by running the following command but it does not help. For some reason, the updated key is always reported as expired with its expiration date listed as being one day in the past. Looks really weird, has my system been hacked?
--2021-03-18 16:36:32-- https://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)… 172.67.182.150, 104.21.18.148, 2606:4700:3037::6815:1294, …
Connecting to packages.sury.org (packages.sury.org)|172.67.182.150|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1769 (1.7K) [application/octet-stream]
Saving to: ‘/etc/apt/trusted.gpg.d/php.gpg’
/etc/apt/trusted.gpg.d/php.gpg 100%[==========================================================>] 1.73K --.-KB/s in 0s
2021-03-18 16:36:32 (3.78 MB/s) - ‘/etc/apt/trusted.gpg.d/php.gpg’ saved [1769/1769]
apt-key list | grep -A 1 expired
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
--
pub rsa4096 2016-02-21 [SC] [expired: 2020-12-06]
F8E3 3472 5692 2A8A E767 605B 7808 CE96 D38B 9201
uid [ expired] Jean-Francois Dockes <jf@dockes.org>
--
Bamyasi
Hi,
Looks like you have a 3rd party repository attached, and there the key got invalid. Basically you would need to update the key. I guess it would need to be updated. Following the readme at sury.org https://packages.sury.org/php/README.txt you can do the following:
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
Hi Joulinar,
I have run the suggested script but this did not help either:
apt-get update
Ign:1 http://ftp.debian.org/debian stretch InRelease
Hit:2 http://ftp.debian.org/debian stretch-updates InRelease
Hit:3 http://ftp.debian.org/debian stretch-backports InRelease
Hit:4 http://ftp.debian.org/debian stretch Release
Hit:5 https://dtcooper.github.io/raspotify raspotify InRelease
Hit:6 https://downloads.plex.tv/repo/deb public InRelease
Hit:7 https://packages.sury.org/php stretch InRelease
Get:8 https://deb.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Err:7 https://packages.sury.org/php stretch InRelease
The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Get:10 https://deb.debian.org/debian-security stretch/updates/main armhf Packages [639 kB]
Fetched 692 kB in 5s (130 kB/s)
Reading package lists… Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Try to remove the key file before:
rm /etc/apt/trusted.gpg.d/php.gpg
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
apt update
Tried downloading GPG key several times already, it does not help. Same error persists and the key is always listed as expired yesterday:
apt-key list | grep -A 1 expired
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
However, the error messages formatting has changed slightly for some reason, no idea if this matters:
apt-get update
Ign:1 http://ftp.debian.org/debian stretch InRelease
Hit:2 http://ftp.debian.org/debian stretch-updates InRelease
Hit:3 http://ftp.debian.org/debian stretch-backports InRelease
Hit:4 http://ftp.debian.org/debian stretch Release
Hit:5 https://downloads.plex.tv/repo/deb public InRelease
Hit:6 https://dtcooper.github.io/raspotify raspotify InRelease
Hit:7 https://deb.debian.org/debian-security stretch/updates InRelease
Get:8 https://packages.sury.org/php stretch InRelease [6,824 B]
Ign:8 https://packages.sury.org/php stretch InRelease
Get:10 https://packages.sury.org/php stretch/main armhf Packages [317 kB]
Fetched 323 kB in 7s (42.1 kB/s)
Reading package lists… Done
W: GPG error: https://packages.sury.org/php stretch InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: The repository ‘https://packages.sury.org/php stretch InRelease’ is not signed.
N: Data from such a repository can’t be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Looks like you still use the old key. For me the key is valid. I did a test installation on Stretch and simply added the key:
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub rsa3072 2019-03-18 [E] [expires: 2024-02-16]
Yep, looks like I have both current and expired keys. But how do I remove the expired one? In Ubuntu this is done by keyring manipulation but Debian does not use a keyring manager for GPG keys? Where to look for the offending key?
apt-key list | grep -A 1 expires
<…>
pub rsa3072 2019-03-18 [SC] [expires: 2024-02-16]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ unknown] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
apt-key list | grep -A 1 expired
Warning: apt-key output should not be parsed (stdout is not a terminal)
pub rsa3072 2019-03-18 [SC] [expired: 2021-03-17]
1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743
uid [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Can you try:
rm /etc/apt/trusted.gpg.d/php.gpg
apt-key del 95BD4743
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
apt-key list
If that is showing the new key only:
apt update
Joulinar,
Figured it out myself by trial and error already, but thanks anyway.
Apt update on my system now works again!
I should say the lack of documentation for such a critical area was shocking to me. Debian apt-key manpage is super concise and pretty much useless, Debian SecureApt Wiki is outdated and also useless from an apt user point of view (mostly talks about setting up your own secure repository). GPG documentation is non-existent. Yes, there are some third-party GPG user guides available on the net but they are mostly outdated and rather short (only cover trivial cases). No surprise Debian repositories get hacked on a regular basis.
For reference: https://github.com/MichaIng/DietPi/issues/4219
On next DietPi update, the expired key will be updated automatically via pre-patches, when still present:
G_EXEC apt-key del '95BD4743'
G_EXEC curl -sSfL 'https://packages.sury.org/php/apt.gpg' -o /etc/apt/trusted.gpg.d/dietpi-php.gpg
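Added example, not part of the thread or of DietPi's code: the thread's apt-key list output shows the same fingerprint twice, once expired and once valid, which happens when a stale copy of the key sits in a different keyring file than the freshly downloaded one. The script below lists each apt keyring separately so the file holding the expired copy can be identified; the sample records, including the placement of the expired copy in /etc/apt/trusted.gpg and the epoch timestamps, are constructed for illustration.

```shell
#!/bin/sh
# report_expired NOW
# Reads lines of the form "KEYRING<TAB>gpg --with-colons record" on stdin and
# prints "KEYRING KEYID EXPIRY_EPOCH" for each primary key expired at NOW.
report_expired() {
    awk -F'\t' -v now="$1" '
    {
        split($2, f, ":")
        # pub record: f[2] = validity ("e" = expired), f[5] = key ID,
        # f[7] = expiry as seconds since the epoch (empty = never expires)
        if (f[1] != "pub") next
        if (f[2] == "e" || (f[7] != "" && f[7] + 0 < now + 0))
            print $1, f[5], f[7]
    }'
}

# scan_keyrings
# Lists every apt keyring on its own and tags each record with the file it
# came from, so duplicates of one key in several files stay distinguishable.
scan_keyrings() {
    for ring in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
        [ -f "$ring" ] || continue
        gpg --no-default-keyring --keyring "$ring" --list-keys --with-colons \
            2>/dev/null | awk -v r="$ring" '{ print r "\t" $0 }'
    done
}

# Constructed sample: the key ID from the thread present in two files, with an
# expired copy in one and a renewed copy in the other (assumed layout).
sample_records() {
    printf '%s\t%s\n' \
        /etc/apt/trusted.gpg \
        'pub:e:3072:1:B188E2B695BD4743:1552867200:1615939200::-:::sc::::::23::0:' \
        /etc/apt/trusted.gpg.d/php.gpg \
        'pub:-:3072:1:B188E2B695BD4743:1552867200:1708041600::-:::scESC::::::23::0:'
}

# Demo on the constructed sample, evaluated at 2021-03-18 16:36:32 UTC.
sample_records | report_expired 1616085392

# On a real system, run instead:
#   scan_keyrings | report_expired "$(date +%s)"
```

Once the file holding the expired copy is known, the stale entry can be removed as described in the thread and the listing re-run to confirm only the renewed key remains.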