Home / server / Questions / 975262
Accepted
Major Productions
Asked: 2019-07-15 17:10:22 +0800 CST

Cannot upgrade Debian Jessie to Stable because of deb.sury PHP PPA

  • 772

I'm attempting to upgrade my Linode Jessie instance to Stable by following this tutorial. I've upgraded my /etc/apt/sources.list file, and am up to the $ sudo apt update step. When I enter that command, I get the following:

Hit http://mirrors.linode.com stable InRelease
Hit http://mirrors.linode.com stable-updates InRelease                         
Ign http://nyc2.mirrors.digitalocean.com stable InRelease                      
Hit http://archive.debian.org jessie-backports InRelease                       
Ign http://nyc2.mirrors.digitalocean.com stable Release.gpg                    
Ign http://nyc2.mirrors.digitalocean.com stable Release                        
Get:1 http://security.debian.org stable/updates InRelease [39.1 kB]            
Get:2 https://packages.sury.org stable InRelease                        
Ign https://packages.sury.org stable InRelease                                 
Get:3 http://mirrors.linode.com stable/main Sources [7,827 kB]                 
W: There is no public key available for the following key IDs:                 
648ACFD622F3D138
 NO_PUBKEY DCC9EFBF77E11517
W: There is no public key available for the following key IDs:
648ACFD622F3D138
E: Release file for http://archive.debian.org/debian/dists/jessie-backports/InRelease is expired (invalid since 145d 4h 29min 16s). Updates for this repository will not be applied.

My aforementioned /etc/apt/sources.list file is:

# 

# deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official Multi-architecture amd6$

#deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official Multi-architecture amd64$

deb http://mirrors.linode.com/debian/ stable main
deb-src http://mirrors.linode.com/debian/ stable main

deb http://security.debian.org/ stable/updates main
deb-src http://security.debian.org/ stable/updates main

# jessie-updates, previously known as 'volatile'
deb http://mirrors.linode.com/debian/ stable-updates main
deb [arch=i386,ppc64el,amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/debian stable main
# deb-src [arch=i386,ppc64el,amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/debian stable main

deb-src http://mirrors.linode.com/debian/ stable-updates main

Doing some research on PPAs, I also updated my `/etc/apt/sources.list.d/php.list file to:

deb https://packages.sury.org/php/ stable main

But the error remains.

Is there a way to upgrade this PPA so it can be used with Debian Stable? Or is there some other way around this issue?

debian

3 Answers

  1. Best Answer

    You are just missing the signing keys; the packages in the new release are signed using new keys. You can get the keys from a key server and save them as new files in /etc/apt/trusted.gpg.d/:

    $ sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg --keyserver keyserver.ubuntu.com --recv 648ACFD622F3D138
gpg: keyring '/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg' created
gpg: key DC30D7C23CBBABEE: public key "Debian Archive Automatic Signing Key (10/buster) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

$ sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg --keyserver keyserver.ubuntu.com --recv DCC9EFBF77E11517
gpg: keyring '/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg' created
gpg: key DCC9EFBF77E11517: public key "Debian Stable Release Key (10/buster) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

    If the permissions of those files are something else, change them to -rw-r--r-- using:

    sudo chmod 644 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
sudo chmod 644 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg

    The keys should now be listed in the output of apt-key list & the error with apt update be fixed.

    • 3

  2. For me, Debian 9 and installation of PHP 7.4, this works:

    $ sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

    After that, I was able to run apt update without any error.

    • 1

  3. I found that using a gpg2 keyring would not work due to debootstrap using gpgv under the hood, which uses a gpg1 database version. I recreated by gpg database like so from the debian archive keyring server, note that gpg is gpg 1.x.x not gpg 2.x.x or newer at time of writing:

    wget https://ftp-master.debian.org/keys/release-10.asc -qO- | gpg --import --no-default-keyring --keyring ./debian-release-10.gpg
debootstrap --keyring=./debian-release-10.gpg buster /srv/buster

    If deboostrap were updated to use gpg --verify instead of gpgv, I would imagine gpg2 could be used as a drop-in replacement - But I cannot be certain.

    • 0