Missing signed-by= in one or more APT sources list

T4B · March 12, 2025, 1:24am

hey anyone know how to fix this ? i got the error when i run package updates

Missing signed-by= in one or more APT sources list
Keys stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg) have been deprecated, see the DEPRECATION section in apt-key(8) for details.
The /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg file will be removed in the next update of the package and you MUST update your APT sources to include
[signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] directive. See the Debian Wiki for more information: https://wiki.debian.org/DebianRepository/UseThirdParty#Sources.list_entry

T4B · March 12, 2025, 1:37am

grep -rE '^deb ’ /etc/apt/sources.list /etc/apt/sources.list.d/:

/etc/apt/sources.list.d/docker.list:deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian       bookworm stable
/etc/apt/sources.list.d/php.list:deb https://packages.sury.org/php/ bookworm main

linkp · March 12, 2025, 4:04am

That’s a warning not an error, and the best thing you can do is to heed its advice and update your php.list file as instructed.

You may want to make sure that the keyring file is in place at /usr/share/keyrings/debsuryorg-archive-keyring.gpg first.

T4B · March 12, 2025, 6:52am

hey thank you for the reply, is this the correct way to do it ?

Edit the php.list file
sudo nano /etc/apt/sources.list.d/php.list

Change:
deb https://packages.sury.org/php/ bookworm main to deb [arch=amd64 signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ bookworm main

key file download:
sudo wget -O /usr/share/keyrings/debsuryorg-archive-keyring.gpg https://packages.sury.org/php/apt.gpg

After saving the file, run:
sudo apt update

themew · March 12, 2025, 3:35pm

The info came over apticron yesterday on this issue with Debian and php:

--- News for debsuryorg-archive-keyring ---
debsuryorg-archive-keyring (2025.03.11) unstable; urgency=medium

  * The /etc/apt/trusted.gpg.d/debsuryorg-archive.gpg global APT key will
    been removed in the next update of the package.

    The script will try to autodetect whether any APT repository is not
    configured with signed-by= directive and will print warning about the
    installation of this package.

    You need to manually add:

    [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg]

    to your APT sources lists.  See the Debian Wiki for more information:

    https://wiki.debian.org/DebianRepository/UseThirdParty#Sources.list_entry

 -- Ondřej Surý <[email protected]>  Tue, 11 Mar 2025 14:08:14 +0100

arktex54 · March 12, 2025, 5:08pm

I get errors when using the following
deb [arch=amd64 signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] bookworm main
[signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg]

sahsanu · March 12, 2025, 5:22pm

You forgot to add the url to the repo in the first line and you should not add the second line. Also, double check that the gpg key /usr/share/keyrings/debsuryorg-archive-keyring.gpg exists.

arktex54 · March 12, 2025, 5:32pm

They were separate tries.

I found the package URL and this works for me. Debian Bookworm.

deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ bookworm main

elmo · March 12, 2025, 6:05pm

@T4B What was the fix you applied?

This is in my php.list

deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ bullseye main

this is now in my php.list

deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ bullseye main

however i still get the warning.

sahsanu · March 12, 2025, 6:27pm

If you already had that line in your original php.list, then, there is no need to modify it.

elmo · March 12, 2025, 6:29pm

I modified it because i got the warning, but i still get the warning. Can you clarify if i should revert back to my original which is deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ bullseye main

sahsanu · March 12, 2025, 6:31pm

Yes, revert to the original and forgot the warning (if the warning is only related to php.list repo)

elmo · March 12, 2025, 6:32pm

Alright thanks for clarifying. Much appreciated. Upgrading all my servers currently

sahsanu · March 12, 2025, 6:34pm

You’re welcome.

Just to avoid misunderstandings, your php.list file must contain this line:

deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ bullseye main

elmo · March 12, 2025, 6:36pm

Yes that was my original, after i saw the warning i unfortunately stopped the update and edited the php.list and then run apt again. Will there be any damage from this? I have now replaced the php.list with my original backup copy.

sahsanu · March 12, 2025, 6:36pm

No, no problem at all using the original one created by Hestia.

linkp · March 12, 2025, 7:45pm

The main takeaway here is that you need the Sury apt key on your filesystem and you need to reference it in both your PHP and your Apache apt sources list files so that the repository signature can be validated by apt. Mine is currently located at /usr/share/keyrings/debsuryorg-archive-keyring.gpg and that is the file referenced in my apt sources list files.

The correct apt keyring file to download is the one the @T4B referenced: https://packages.sury.org/php/apt.gpg. The same file is also located at https://packages.sury.org/apache2/apt.gpg