GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid #5795

Closed
rfay opened this issue Feb 7, 2024 · 6 comments


rfay commented Feb 7, 2024

TL;DR

As of 16 Feb 2024 the (upstream) old deb.sury.org key is expiring. This key is used for installing PHP packages in the ddev-webserver Docker image. Its expiration may cause failures of apt update or apt install/webimage_extra_packages (with PHP packages).

  • DDEV v1.22.7 doesn't have this problem, so upgrade to solve any problems you have with PHP packages during ddev start
  • In DDEV v1.22.6 (if you don't want to upgrade) docker pull ddev/ddev-webserver:v1.22.6 to get an upgraded version with the new package key.

Is your feature request related to a problem?

The key for the deb.sury.org repo expires on 16 Feb 2024. This is unfortunate. It has now been refreshed with a 2026 expiration date, but people with DDEV v1.22.6 and before may have failures on Feb 16 when the key expires and their ddev start tries to do an apt-get update and outputs some warning information. webimage_extra_packages with a PHP extension won't be able to work correctly.

Describe your solution

I think we can figure out how to push a new version of ddev/ddev-webserver:v1.22.6 which solves this problem. Normally we don't replace existing images because it causes unexplained behavior differences.

This can be done two different ways:

  1. Rebuild ddev-php-base and then also rebuild ddev-webserver:v1.22.6. This will give the new key. It has side-effects, some good, some unexpected. One is that all packages will be updated to current, including php*-xdebug, fixing "Using Xdebug can result in 503 (ddev logs shows SEGV) in v1.22.6" (#5633), which could be good, but involves some behavior change.
  2. Just rebuild ddev-webserver:v1.22.6 (still based on the original ddev-php-base) but add a layer that updates the deb.sury.org key. This is the least intrusive approach, but still may update a package or two.

@stasadev leans toward the first option because we fix the xdebug problem, #5633.

I believe people will still have to do a docker pull ddev/ddev-webserver:v1.22.6 in order to solve the problem when the key expires. I'm not sure how to test this.

I imagine we should deploy a warning to ddev/remote-config to tell people about this.

Describe alternatives

No response

Additional context

No response


rfay commented Feb 7, 2024

Oh, good news, perhaps we don't have to worry about v1.22.6 users. We have gradually made the apt update more resilient, so I see

So those should work out OK. The problem will be people who have Dockerfiles that do apt update without the || true, or who actually need to add something from deb.sury.org.


rfay commented Feb 7, 2024

I tested with a changing image (same label), and the image was not automatically updated.

This behavior is controlled by pull-policy and build in docker-compose.

In our situation, where we have a build stage and no pull-policy specified, the behavior I think is specified by https://docs.docker.com/compose/compose-file/build/#using-build-and-image:

When Compose is confronted with both a build subsection for a service and an image attribute, it follows the rules defined by the pull_policy attribute.

If pull_policy is missing from the service definition, Compose attempts to pull the image first and then builds from source if the image isn't found in the registry or platform cache.

However, that does not seem to be the behavior we are seeing. I don't mind the behavior we have, because it's tuned to allow offline work with DDEV.


rfay commented Feb 7, 2024

I suspect this will directly affect only a few people, and all of them can solve it by upgrading to v1.22.7, which may be just as easy as docker pull ddev/ddev-webserver:v1.22.6.

rfay pinned this issue Feb 7, 2024

rfay commented Feb 8, 2024

  • This is all fixed in DDEV v1.22.7
  • I did go ahead and push a new ddev/ddev-webserver:v1.22.6 for folks that want to continue using v1.22.6 but need this fix. They have to manually docker pull ddev/ddev-webserver:v1.22.6 but then will have the new key, php 8.3.2 AND xdebug 3.3.1, fixing "Using Xdebug can result in 503 (ddev logs shows SEGV) in v1.22.6" (#5633) for them

rfay changed the title from "Deb.sury.org deployed package key is expiring, prevent trouble for DDEV users" to "Deb.sury.org package key is expiring, fix for DDEV users" on Feb 15, 2024
rfay changed the title from "Deb.sury.org package key is expiring, fix for DDEV users" to "GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid" on Feb 19, 2024
@penyaskito

For findability: You might see

GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>

The repository 'https://packages.sury.org/php bullseye InRelease' is not signed.
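
Added example (not part of the thread and not DDEV's code): a POSIX shell check that reads apt output and reports signature failures such as the EXPKEYSIG message above, so a Dockerfile that runs apt update with || true still fails visibly when a repository key has expired. The function names and the sample log are constructed for illustration; the sample uses the colon after "invalid" that apt normally prints, and the parser accepts either form.

```sh
#!/bin/sh
# Constructed sample apt output, modelled on the error quoted in this thread.
SAMPLE_LOG="W: GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
E: The repository 'https://packages.sury.org/php bullseye InRelease' is not signed.
Hit:1 http://deb.debian.org/debian bullseye InRelease"

# Read apt output on stdin; print "STATUS KEYID REPO_URL SUITE" per signature failure.
apt_sig_failures() {
    awk '
    /GPG error: / {
        n = split($0, w, " ")
        url = ""; suite = ""
        for (i = 1; i <= n; i++) {
            # The repository URL and suite follow the words "GPG error:".
            if (w[i] == "error:" && w[i-1] == "GPG") { url = w[i+1]; suite = w[i+2] }
            # gpgv status keyword followed by the hex key ID.
            if (w[i] ~ /^(EXPKEYSIG|NO_PUBKEY|BADSIG|REVKEYSIG)$/ && w[i+1] ~ /^[0-9A-F]+$/)
                print w[i], w[i+1], url, suite
        }
    }'
}

# Return 1 (and explain on stderr) if the apt output on stdin contains any
# signature failure, regardless of what exit status apt itself reported.
check_apt_log() {
    failures=$(apt_sig_failures)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures" | while read -r status key url suite; do
        case "$status" in
            EXPKEYSIG) hint="signing key expired; refresh the repository keyring" ;;
            NO_PUBKEY) hint="signing key not installed" ;;
            *)         hint="signature rejected; do not install from this repository" ;;
        esac
        printf 'apt signature failure: %s key=%s repo=%s %s (%s)\n' \
            "$status" "$key" "$url" "$suite" "$hint" >&2
    done
    return 1
}

# In a build step: apt-get update 2>&1 | check_apt_log || exit 1
printf '%s\n' "$SAMPLE_LOG" | check_apt_log || echo "sample log: update rejected"
```
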


rfay commented Feb 25, 2024

People may still run across this, as many versions of DDEV are out there. All the info is here though, so closing.
