Error upgrading from 5.11 to 5.12

Installation Issues
1

Hi guys, i recently tried to upgrade my passsbolt CE from 5.11 (running stable) to 5.12 followed the commands as usual https://www.passbolt.com/changelog/api-bext/natural-blues-browser-extension-api

My server: Server information:

  • Debian GNU/Linux 11 (bullseye)

  • PHP 8.2.29

  • Passbolt CE 5.11 before upgrade

however this time it did not complete and go som errors as shown below ,

sudo apt --only-upgrade install passbolt-ce-server
sudo apt upgrade
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [27.2 kB]
Hit:2 http://deb.debian.org/debian bullseye InRelease                         
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease                 
Get:4 http://security.debian.org/debian-security bullseye-security/main Sources [288 kB]
Get:5 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [454 kB]
Get:6 http://security.debian.org/debian-security bullseye-security/main Translation-en [304 kB]
Get:7 https://packages.sury.org/php bullseye InRelease [6,136 B]               
Err:7 https://packages.sury.org/php bullseye InRelease                         
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Get:8 https://download.passbolt.com/ce/debian buster InRelease [35.8 kB]
Get:9 https://download.passbolt.com/ce/debian buster/stable amd64 Packages [14.1 kB]
Fetched 1,130 kB in 1s (791 kB/s)  
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
5 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/bullseye/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libgraphite2-3 libharfbuzz0b libraqm0 linux-image-5.10.0-13-amd64
  linux-image-5.10.0-23-amd64 linux-image-5.10.0-25-amd64
  linux-image-5.10.0-26-amd64 linux-image-5.10.0-27-amd64
  linux-image-5.10.0-28-amd64 linux-image-5.10.0-29-amd64
  linux-image-5.10.0-30-amd64 linux-image-5.10.0-31-amd64
  linux-image-5.10.0-33-amd64 linux-image-5.10.0-34-amd64
  linux-image-5.10.0-36-amd64 php7.4-cli php7.4-curl php7.4-fpm php7.4-gd
  php7.4-intl php7.4-json php7.4-mbstring php7.4-mysql php7.4-opcache
  php7.4-xml
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  php-ldap php8.4-ldap
Suggested packages:
  python-certbot-nginx | python-certbot-apache
The following NEW packages will be installed:
  php-ldap php8.4-ldap
The following packages will be upgraded:
  passbolt-ce-server
1 upgraded, 2 newly installed, 0 to remove and 4 not upgraded.
Need to get 14.3 MB of archives.
After this operation, 12.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Err:1 https://packages.sury.org/php bullseye/main amd64 php8.4-ldap amd64 8.4.14-1+0~20251108.36+debian11~1.gbpca7cb9
  404  Not Found [IP: 151.101.3.52 443]
Err:2 https://packages.sury.org/php bullseye/main amd64 php-ldap all 2:8.4+97+0~20251117.58+debian11~1.gbp8726a7
  404  Not Found [IP: 151.101.3.52 443]
Get:3 https://download.passbolt.com/ce/debian buster/stable amd64 passbolt-ce-server all 5.12.0-1 [14.2 MB]
Fetched 14.2 MB in 4s (3,921 kB/s)             
E: Failed to fetch https://packages.sury.org/php/pool/main/p/php8.4/php8.4-ldap_8.4.14-1%2b0%7e20251108.36%2bdebian11%7e1.gbpca7cb9_amd64.deb  404  Not Found [IP: 151.101.3.52 443]
E: Failed to fetch https://packages.sury.org/php/pool/main/p/php-defaults/php-ldap_8.4%2b97%2b0%7e20251117.58%2bdebian11%7e1.gbp8726a7_all.deb  404  Not Found [IP: 151.101.3.52 443]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libgraphite2-3 libharfbuzz0b libraqm0 linux-image-5.10.0-13-amd64
  linux-image-5.10.0-23-amd64 linux-image-5.10.0-25-amd64
  linux-image-5.10.0-26-amd64 linux-image-5.10.0-27-amd64
  linux-image-5.10.0-28-amd64 linux-image-5.10.0-29-amd64
  linux-image-5.10.0-30-amd64 linux-image-5.10.0-31-amd64
  linux-image-5.10.0-33-amd64 linux-image-5.10.0-34-amd64
  linux-image-5.10.0-36-amd64 php7.4-cli php7.4-curl php7.4-fpm php7.4-gd
  php7.4-intl php7.4-json php7.4-mbstring php7.4-mysql php7.4-opcache
  php7.4-xml
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  linux-image-5.10.0-42-amd64 php-ldap php8.4-ldap
The following packages will be upgraded:
  libnghttp2-14 libpng16-16 linux-image-amd64 passbolt-ce-server tzdata
5 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 57.6 MB/71.9 MB of archives.
After this operation, 332 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.debian.org/debian-security bullseye-security/main amd64 tzdata all 2026b-0+deb11u1 [311 kB]
Get:2 http://security.debian.org/debian-security bullseye-security/main amd64 libnghttp2-14 amd64 1.43.0-1+deb11u3 [77.6 kB]
Get:3 http://security.debian.org/debian-security bullseye-security/main amd64 libpng16-16 amd64 1.6.37-3+deb11u4 [295 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 linux-image-5.10.0-42-amd64 amd64 5.10.251-4 [56.9 MB]
Err:5 https://packages.sury.org/php bullseye/main amd64 php8.4-ldap amd64 8.4.14-1+0~20251108.36+debian11~1.gbpca7cb9
  404  Not Found [IP: 151.101.3.52 443]
Get:6 http://security.debian.org/debian-security bullseye-security/main amd64 linux-image-amd64 amd64 5.10.251-4 [1,484 B]
Err:7 https://packages.sury.org/php bullseye/main amd64 php-ldap all 2:8.4+97+0~20251117.58+debian11~1.gbp8726a7
  404  Not Found [IP: 151.101.3.52 443]
Fetched 57.6 MB in 1s (51.6 MB/s)
E: Failed to fetch https://packages.sury.org/php/pool/main/p/php8.4/php8.4-ldap_8.4.14-1%2b0%7e20251108.36%2bdebian11%7e1.gbpca7cb9_amd64.deb  404  Not Found [IP: 151.101.3.52 443]
E: Failed to fetch https://packages.sury.org/php/pool/main/p/php-defaults/php-ldap_8.4%2b97%2b0%7e20251117.58%2bdebian11%7e1.gbp8726a7_all.deb  404  Not Found [IP: 151.101.3.52 443]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

Can you please help.

thanks

2

G’day Mike

There are two things in play here.

The sury.org signing key has expired on your server

You have the sury PHP repo configured so you can run PHP 8.2 on Debian 11 (bullseye only ships PHP 7.4 by default). That repo’s GPG signing key has expired, so apt update can’t verify the current package list and falls back to a stale cached index. That cached index references .deb filenames sury has since replaced, which is what’s causing the 404s. The sury keyring and the 404s are the same problem.

Refresh the key following the instructions in the sury README at https://packages.sury.org/php/README.txt. The shape of the fix is:

curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
sudo dpkg -i /tmp/debsuryorg-archive-keyring.deb
sudo apt update

Once apt update completes cleanly with no EXPKEYSIG warning, retry the upgrade:

sudo apt --only-upgrade install passbolt-ce-server

Then run a healthcheck to confirm everything is in order:

sudo -H -u www-data /usr/share/php/passbolt/bin/cake passbolt healthcheck

Why is php-ldap being installed?

The 5.12 server package declares php-ldap as a dependency where 5.11 didn’t, which is why apt is asking to install a new package during this upgrade. Nothing for you to do about it, the install will go through fine once the sury key is refreshed.

My recommendation: move to Debian 13 trixie

The reason you need sury at all is that Debian 11 doesn’t ship a modern PHP. Debian 13 trixie includes PHP 8.4 in the default archive, so after a migration to trixie you can drop the sury repo entirely and this kind of problem doesn’t come up again.

There’s a CE server migration walkthrough for Debian 13 in the docs: https://www.passbolt.com/docs/hosting/migrate/server/ce/debian/

Cheers
Gareth

3

thanks,

will try it.

4

looks like key is invalid expired?

curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb
sudo dpkg -i /tmp/debsuryorg-archive-keyring.deb
sudo apt update
Selecting previously unselected package debsuryorg-archive-keyring.
(Reading database ... 106439 files and directories currently installed.)
Preparing to unpack .../debsuryorg-archive-keyring.deb ...
Unpacking debsuryorg-archive-keyring (2025.11.18) ...
Setting up debsuryorg-archive-keyring (2025.11.18) ...
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [27.2 kB]
Hit:2 http://deb.debian.org/debian bullseye InRelease     
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://packages.sury.org/php bullseye InRelease [6,136 B]
Get:5 http://security.debian.org/debian-security bullseye-security/main Sources [290 kB]
Get:6 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [454 kB]
Get:7 http://security.debian.org/debian-security bullseye-security/main Translation-en [305 kB]
Err:4 https://packages.sury.org/php bullseye InRelease               
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
Get:8 https://download.passbolt.com/ce/debian buster InRelease [35.8 kB]
Get:9 https://download.passbolt.com/ce/debian buster/stable amd64 Packages [14.1 kB]
Fetched 1,132 kB in 1s (1,032 kB/s) 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/bullseye/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead.