Updating the key for deb.sury.org

A few days ago, the signing key for deb.sury.org expired, and I can’t find a way to update to the latest key. I’ve tried the script (https://packages.sury.org/php/README.txt) on deb.sury.org, but it keeps downloading the old key. Is there something else I need to do?

Cheers!

Use this:

curl -s https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/sury-keyring.gpg >/dev/null

But you should check that /etc/apt/sources.list.d/php.list is using the right path to the key /usr/share/keyrings/sury-keyring.gpg

1 Like

/etc/apt/sources.list.d/php.list:

deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/` bookworm main`

I’m guessing that’s not right.

That’s just a name. Or you use this command and then replace the name in php.list

curl -s https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/sury-keyring.gpg >/dev/null

Or you use this command so you don’t need to change the name in php.list:

curl -s https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/debsuryorg-archive-keyring.gpg >/dev/null

Thanks for your help so far. It’s still not working.

I have tried both methods and sudo apt update features this:

Err:8 https://packages.sury.org/php/` bookworm InRelease
418 I’m a teapot [IP: 199.232.115.52 443]

Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]
Get:2 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]
Hit:7 https://packages.sury.org/apache2 bookworm InRelease
Hit:3 Index of /debian bookworm InRelease
Err:8 https://packages.sury.org/php/` bookworm InRelease
418 I’m a teapot [IP: 199.232.115.52 443]
Hit:4 Index of /debian bookworm-updates InRelease
Hit:5 Index of /debian bookworm-backports InRelease
Hit:6 https://deb.debian.org/debian-security bookworm-security InRelease
Err:7 https://packages.sury.org/apache2 bookworm InRelease
The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key [email protected]
Hit:9 https://apt.hestiacp.com bookworm InRelease
Hit:10 Index of /packages/mainline/debian/ bookworm InRelease
Reading package lists… Done
E: Failed to fetch https://packages.sury.org/php/`/dists/bookworm/InRelease 418 I’m a teapot [IP: 199.232.115.52 443]
E: The repository ‘https://packages.sury.org/php/` bookworm InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bookworm InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key [email protected]

You must also change the apache.list file and there is a typo in the repo.

Show me the output of these commands:

cat -A /etc/apt/sources.list.d/php.list
cat -A /etc/apt/sources.list.d/apache2.list

deb [signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/` bookworm main`/usr/share/keyrings/sury-keyring.gpg$

deb [arch=amd64 signed-by=/usr/share/keyrings/apache2-keyring.gpg] Index of /apache2/ bookworm main$

Next time, paste the output, select the text and press Ctrl+E or click on the </> icon.

To fix it:

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/apache2/ bookworm main' > /etc/apt/sources.list.d/apache2.list
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ bookworm main' > /etc/apt/sources.list.d/php.list
apt update

2 Likes

Tried both as written and using sudo and….:

-bash: /etc/apt/sources.list.d/apache2.list: Permission denied

-bash: /etc/apt/sources.list.d/php.list: Permission denied

This is fun :rofl:

Before executing the commands, log in as root.

sudo -i

Or use these commands:

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/apache2/ bookworm main' | sudo tee /etc/apt/sources.list.d/apache2.list >/dev/null
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/sury-keyring.gpg] https://packages.sury.org/php/ bookworm main' | sudo tee /etc/apt/sources.list.d/php.list >/dev/null
sudo apt update

Facing the same issue, and tried fixing, but it gives the expired signature error even after that:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bookworm InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php bookworm InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: Failed to fetch https://packages.sury.org/apache2/dists/bookworm/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: Some index files failed to download. They have been ignored, or old ones used instead.

1 Like

But did you download the new key?

curl -s https://packages.sury.org/php/apt.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/sury-keyring.gpg >/dev/null

3 Likes
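An added example, not part of any post in this thread: one way to confirm that the keyring file written by the command above holds a key that has not expired, before running apt update again. The function names `keyring_expiry_report` and `keyring_is_usable` and the sample records are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# Reads `gpg --show-keys --with-colons` records on stdin and prints
# "<keyid> expired|valid|no-expiry" for every primary key (pub record).
# Field 5 is the key ID, field 7 the expiry time in epoch seconds.
keyring_expiry_report() {
    now=${1:-$(date +%s)}          # optional fixed "now", useful for testing
    awk -F: -v now="$now" '
        $1 == "pub" {
            if ($7 == "")               state = "no-expiry"
            else if ($7 + 0 <= now + 0) state = "expired"
            else                        state = "valid"
            print $5, state
        }'
}

# True only if FILE yields at least one primary key and none is expired.
# Usage: keyring_is_usable /usr/share/keyrings/sury-keyring.gpg && sudo apt update
keyring_is_usable() {
    report=$(gpg --show-keys --with-colons "$1" 2>/dev/null | keyring_expiry_report)
    [ -n "$report" ] || return 1
    ! printf '%s\n' "$report" | grep -q ' expired$'
}

# Constructed records (placeholder key IDs and dates), for illustration only.
SAMPLE_RECORDS='pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:1600000000::-:::scESC::::::23::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:1900000000::-:::scESC::::::23::0:
pub:-:255:22:CCCCCCCCCCCCCCCC:1500000000:::-:::scESC::::::23::0:'
```

An empty report also counts as unusable, which catches the case where the download returned something other than a key.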

Thank you very much. That worked for me.

4 Likes

Seems I had not. Guess I just did not realize it. My bad on that.

1 Like

Thanks guys, @sahsanu’s curl command and echo commands solve it, big kudos!!! :raising_hands:

1 Like

uh, I have a couple of OTHER concerns about this resolution.

ChatGPT tells me that I’m mixing my ‘bullseye’ and ‘bookworm’ and that I need to fix THAT also

I CAN share the chatgpt conversation.. I’d just rather DM in, I don’t see anything dangerous.


But the bigger structural issue is this:

  • Your base OS repos are Debian 12 / bookworm

  • Several third-party repos are still pinned to bullseye:

    • PostgreSQL

    • Sury nginx-mainline

    • Sury php

    • MariaDB 10.6

    • HestiaCP

    • nginx.org mainline

That is a mixed-release setup. Sometimes people do this intentionally and get away with it for a while, but it is the sort of thing that later breeds weird dependency goblins at 2:13am. HestiaCP supports Debian 11 and 12, so a Debian 12 host should not need to be half-bullseye forever.

Yes, you must fix it. Edit the source files and replace bullseye with bookworm.

Maybe Chatgpt meant Sury Apache2?

yeah, I’m not ON apache lol.

I totally replaced all those.
In sources.list I had bookworm

In sources.list.d all of those still said bullseye

So I replaced them, almost everything was fine.
I had to fix the /sources.list.d for mariadb.list, chatgpt told me what to use.

Option 2

Upgrade the MariaDB repo to the Bookworm series

MariaDB’s modern repo uses 10.11 for Debian 12.

Your repo line should look like:

deb [signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian bookworm main

So you would replace the 10.6 repo.


Looks like it rebooted just fine, and everything is working again.

NOW I just gotta hope I stop getting out-of-memory on my mariadb with increasing frequency.

I should have looked at this a week ago at least.

Yeah, rebooted. everything works. THANKS you guys. I love hestiacp.

1 Like
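An added example, not written by anyone in this thread: a small audit of one-line APT source files for the three problems that came up above (a stray backtick in the entry, a signed-by path that points at no readable keyring, and a suite that does not match the base release). `audit_sources` and `demo_audit` are names made up here, and the sample files, including the repo.example.invalid entry, are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Flags the source-line problems seen above.
# audit_sources DIR RELEASE: prints "<file>: <problems>", returns 1 if any found.
audit_sources() {
    dir=$1 release=$2 rc=0
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in 'deb '*|'deb-src '*) ;; *) continue ;; esac
            problems='' opts='' keyring='' rest=${line#* }
            # Quotes or backticks never belong in a one-line source entry.
            case $line in *\`*|*\'*|*\"*) problems=' stray-quote' ;; esac
            # Peel off the optional [key=value ...] block.
            case $rest in
                '['*']'*) opts=${rest%%\]*}; opts=${opts#\[}; rest=${rest#*\]} ;;
            esac
            set -f              # no globbing while word-splitting file content
            set -- $rest        # $1 = URI, $2 = suite
            for o in $opts; do
                case $o in signed-by=/*) keyring=${o#signed-by=} ;; esac
            done
            set +f
            case ${2-} in
                "$release"|"$release"-*) ;;
                *) problems="$problems suite=${2-}" ;;
            esac
            if [ -z "$keyring" ]; then problems="$problems no-signed-by"
            elif [ ! -r "$keyring" ]; then problems="$problems missing-keyring"
            fi
            [ -z "$problems" ] || { echo "${f##*/}:$problems"; rc=1; }
        done < "$f"
    done
    return "$rc"
}

# Constructed sample files in a temp dir; the keyring is an empty stand-in.
demo_audit() {
    d=$(mktemp -d) || return 2
    k=$d/sury-keyring.gpg; : > "$k"
    printf 'deb [arch=amd64 signed-by=%s] https://packages.sury.org/apache2/ bookworm main\n' "$k" > "$d/apache2.list"
    printf 'deb [signed-by=%s] https://packages.sury.org/php/` bookworm main`\n' "$k" > "$d/php.list"
    printf 'deb [signed-by=%s/absent.gpg] https://repo.example.invalid/debian bullseye main\n' "$d" > "$d/thirdparty.list"
    st=0; audit_sources "$d" bookworm || st=$?
    rm -rf "$d"; return "$st"
}
```

On a real host the call would be `audit_sources /etc/apt/sources.list.d bookworm`; it only checks that the keyring file is readable, not what it contains.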