Sytko's picture

When executing a command

apt-get update 

error

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Some index files failed to download. They have been ignored, or old ones used instead.

How to fix?

 

 

Jeremy Davis's picture

Looking at the Nextcloud app build code, the alternate PHP apt repo shouldn't be configured by default?! So I'm not really clear where this error is coming from. Or did you add the sury.org repo yourself?

Bottom line, the error is almost certainly occurring because the public signing key for the sury.org repo has been rotated. So you will need to do one of 2 things:

1. Disable the sury.org repo for now.

The best way to do that will depend on how it's set up. Either rename the file (if it's defined in a file of its own, which is likely if it was supplied by turnkey) so it has an alternate/additional file extension (I usually append "disabled", e.g. rename "some-repo.list" to "some-repo.list.disabled"). Otherwise you can just comment out the line in the particular sources.list file that includes it (i.e. put a "#" at the start of the line).

If you have no idea, then you can find the file that it's in like this:

grep -r packages.sury.org /etc/apt

2. Update the GPG key which it's signed with (so you can install from it).

Again, how to do that will depend on how it's set up. If you have no idea about that (which I'm guessing is the case) then please post back with the output of the above grep command and I'll guide you in the right direction.

Horst-Kevin's picture

Sury PHP repo is enabled by default in the Turnkey Nextcloud appliance.

I answer to this old post because it is still valid for newer versions (and I just encountered it with Turnkey 16.0 and Nextcloud 20.0.8).

First do

cd /etc/apt/sources.list.d

then do 

ls -al

in order to check whether you have a file php.list (shipped by default with Turnkey Nextcloud appliance).

If so, do

nano php.list

to determine whether the line contains a string like 

[signed-by=/usr/share/keyrings/php-sury.org.gpg]

Press Ctrl + X to exit nano.

If so (the string is there and coming to get us) and you want to keep the shipped way of "how things get done", just do

wget -O /usr/share/keyrings/php-sury.org.gpg https://packages.sury.org/php/apt.gpg

and you're done (please check the path in the command matches the path in the string above) and

apt-get update

is working again like a charm.

If you have a less customized more standard setup or want it to be,

erase

[signed-by=/usr/share/keyrings/php-sury.org.gpg]

from the string from above (not necessary if you don't have it)

and just do either

apt-key adv --keyserver keys.gnupg.net --recv-keys B188E2B695BD4743

but replace B188E2B695BD4743 with the string given in your initial error message

or do

wget -O - https://packages.sury.org/php/apt.gpg | apt-key add -

which are basically two ways to do the same.

Hope this helps you folks!

Jeremy Davis's picture

You are absolutely correct. Good work and thanks for sharing.

However, I can't help myself. Let me share a couple of tips...

You can use grep to check for both the existence of sury.org in the sources.lists and whether or not it's locked to the specific key file, using grep. I.e.:

grep -r sury.org /etc/apt/sources.list*

Grep searches for strings within files. In this case, it will search recursively (the '-r' switch) for the string 'sury.org' (enclose in quotes if it contains spaces) in all files that match the glob: '/etc/apt/sources.list*'. The asterisk ('*') expands to match any 0 or more characters, so will match '/etc/apt/sources.list' (if it exists and) all the files in '/etc/apt/sources.list.d/'. It will return all matches in the form "<filename:> <line_that_matches>". E.g. you might get something like this (where the sources list file is "/etc/apt/sources.list.d/php.list" & the key file is "/etc/apt/sources.list.d/php.list"):

/etc/apt/sources.list.d/php.list:deb [signed-by=/usr/share/keyrings/php-sury.org.gpg] https://packages.sury.org/php/ buster main

Also, out of interest, even if the repo is locked to the specific key (i.e. you have the 'signed-by' bit as per above) you can still use 'apt-key' to update the key. You just need to specify the keyfile (via '--keyring' switch):

wget -O - https://packages.sury.org/php/apt.gpg | apt-key --keyring /usr/share/keyrings/php-sury.org.gpg add -

FWIW it's generally preferable to use 'apt-key' like that. Sometimes keys can be in the text aka ASCII aka armoured format, rather than the binary GPG format (as the sury.org key is). Trying to use armoured keys with apt will fail. FYI armoured keys often have an '.asc' file extension, although sometimes '.txt' (or perhaps even something else). The apt-key command will copy a GPG key file straight in; or convert an armoured key file on the fly.
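
The checks discussed in the posts above, collected into one script. This is an added example and not part of any forum post; the function names are hypothetical and all sample files are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for an apt NO_PUBKEY error.

# Print the unique key IDs apt reported as missing. $1: saved `apt-get update` output.
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]*' "$1" | awk '{print $2}' | sort -u
}

# For each active deb line naming host $1 under path $2, print
# "<file>: <keyring>" or "<file>: GLOBAL" when no signed-by option is set.
# Commented-out lines are skipped; $1 is used as a regex, so escape the dots.
repo_keyrings() {
    grep -rHE "^[[:space:]]*deb(-src)?[[:space:]].*$1" "$2" | while IFS= read -r hit; do
        file=${hit%%:*}
        ring=$(printf '%s\n' "$hit" | sed -n 's/.*signed-by=\([^] ,]*\).*/\1/p')
        printf '%s: %s\n' "$file" "${ring:-GLOBAL}"
    done
}

# Classify a key file as "armored" (ASCII PGP header), "binary", or "missing".
key_format() {
    [ -s "$1" ] || { echo missing; return 0; }
    if head -c 64 "$1" | grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
    else
        echo binary
    fi
}

# --- constructed sample data, so the example runs offline ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/sources.list.d"
cat > "$DEMO/apt.log" <<'EOF'
W: GPG error: https://packages.sury.org/php stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
W: Failed to fetch https://packages.sury.org/php/dists/stretch/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B188E2B695BD4743
EOF
echo 'deb [signed-by=/usr/share/keyrings/php-sury.org.gpg] https://packages.sury.org/php/ buster main' > "$DEMO/sources.list.d/php.list"
printf '%s\n' '# deb https://packages.sury.org/php/ stretch main' 'deb https://packages.sury.org/php/ stretch main' > "$DEMO/sources.list.d/plain.list"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'constructed' > "$DEMO/key.asc"
printf '\231\001\015constructed' > "$DEMO/key.gpg"

missing_key_ids "$DEMO/apt.log"
repo_keyrings 'packages\.sury\.org' "$DEMO/sources.list.d" | sort
for k in key.asc key.gpg absent.gpg; do echo "$k: $(key_format "$DEMO/$k")"; done
```

A GLOBAL result means the entry has no signed-by option, so apt checks that repository against every key in its global trusted keyring rather than one dedicated key file.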

Jeremy Davis's picture

Could you please post the full error message and a few notes on what you did to get to where you are. Thanks.
