DEB.SURY.ORG Automatic Signing Key Invalid

NoRemorse

Member
May 10, 2019
Recently I've noticed an issue on the email report when Proxmox checks for updates, specifically:

Code:
The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Reading package lists... Done
W: GPG error: https://packages.sury.org/php buster InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
E: The repository 'https://packages.sury.org/php buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

/etc/apt/sources.list.d/php.list is the culprit:

deb [signed-by=/usr/share/keyrings/php-sury.org.gpg] https://packages.sury.org/php/ buster main


Note, I have a Proxmox subscription.

Is this something I'm going to need to fix myself? I am confused if that's the case, however I can certainly look into it. I'm also curious why no one else seems to have posted about the error, and wonder if this is something more alarming on my end rather than a general issue with the signing key.

Thanks for any input.
 
:rolleyes:
wget https://packages.sury.org/php/apt.gpg -O /etc/apt/trusted.gpg.d/php-sury.gpg
 
the question is why you even have that repository configured? Oo
 
That's an excellent question, and yes I know I can wget the gpg key, my question was how that became an issue, if it was something delivered with the platform, or if something else is going on I need to track down. So to answer the question - it appears to be something not part of the Proxmox 6 distribution and that I need to figure out what exactly happened.

Thanks for the help.
 
definitely not part of a stock PVE install. it's a repo by one of the Debian PHP maintainers that provides more recent PHP versions.. (PVE itself does not use any PHP code)
 
@fabian
I have that repo too. And I keep my Proxmox host clean (except for kernel 5.11)

Dunno how sury made it into apt sources, need to check which packages come from that repo.
 
Found the answer. It appears another admin was remotely working on a container over the weekend (from ssh-ing into the hypervisor), but failed to
Code:
pct enter
into the container before adding the repository. The admin was pulled away for an extended period of time and was logged out. They did it correctly the second time, but never realized what happened to the "missing" repo they had thought they originally added to the container.

This is interesting though - makes me think I should regularly review the list of repos and not just log files; if someone did compromise the system, a simple added repo could be a dangerous thing. I suppose log files would turn up added or changed items, but then again it would likely all look just fine to automated solutions.

Thanks again for the input!
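
One way to do the periodic repo review mentioned in the post above, as an added example that is not part of the original thread: a POSIX shell function that reports every active APT source entry whose host is not on an allowlist. The function names, the allowlist file (one hostname per line) and the sample tree are assumptions made for illustration; only the php.list line is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list APT source entries whose host is
# not on an allowlist. Handles the one-line "deb [options] URI suite ..."
# format; deb822 *.sources files are not parsed.

# unexpected_apt_sources APT_DIR ALLOWLIST   (hypothetical helper name)
# Prints "file<TAB>uri" for each active deb/deb-src entry whose host is not
# listed (one hostname per line) in ALLOWLIST.
unexpected_apt_sources() {
    apt_dir=$1
    allowlist=$2
    for f in "$apt_dir"/sources.list "$apt_dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v allow="$allowlist" '
            BEGIN { while ((getline h < allow) > 0) ok[h] = 1 }
            $1 == "deb" || $1 == "deb-src" {   # commented-out lines never match
                i = 2
                if ($i ~ /^\[/) {              # skip the [option=value ...] block
                    while (i <= NF && $i !~ /\]$/) i++
                    i++
                }
                uri = $i; host = uri
                sub(/^[a-z+]+:\/\//, "", host) # drop scheme
                sub(/\/.*$/, "", host)         # drop path
                sub(/:.*$/, "", host)          # drop port
                if (!(host in ok)) printf "%s\t%s\n", FILENAME, uri
            }' "$f"
    done
}

# Constructed sample tree: stock-looking entries plus the php.list from the thread.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sources.list.d" || return 1
    printf '%s\n' 'deb http://deb.debian.org/debian buster main contrib' \
        '# deb http://example.invalid/old buster main' > "$d/sources.list"
    printf '%s\n' 'deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise' \
        > "$d/sources.list.d/pve-enterprise.list"
    printf '%s\n' 'deb [signed-by=/usr/share/keyrings/php-sury.org.gpg] https://packages.sury.org/php/ buster main' \
        > "$d/sources.list.d/php.list"
    printf '%s\n' deb.debian.org enterprise.proxmox.com > "$d/allowlist"
    echo "$d"
}

sample=$(make_sample) && unexpected_apt_sources "$sample" "$sample/allowlist"
rm -rf "$sample"
```

On a real host the first argument would be /etc/apt, with the allowlist kept somewhere the checked machine's admins review; any output line is a repository nobody has signed off on.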
 
