distributions icon indicating copy to clipboard operation
distributions copied to clipboard
verified publisher icon nodesource

Debian 13 repo issue

Open wooque opened this issue 10 months ago • 46 comments

Describe your bug In the upcoming Debian 13, running apt update will show warning about nodesource repo:

Warning: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will reject signature within a year, see --audit for details

Running apt update --audit with more details:

Audit: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 6F71F525282841EEDAF851B42F59B5F99B1BE0B4 is not bound:
              No binding signature at time 2025-05-21T16:29:47Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Distribution Information:

  • OS: Debian
  • Version 13
  • Other info if applicable [e.g. Docker image XXX, AWS AMI ID]

Node Version:

  • Node: 22

To Reproduce Steps to reproduce the behavior: Dockerfile:

FROM debian:trixie-slim

RUN apt-get update && apt-get install -y curl
RUN curl -fsSL https://deb.nodesource.com/setup_22.x -o nodesource_setup.sh
RUN bash nodesource_setup.sh
RUN apt update && sleep 100

Expected behavior No warning messages

Screenshots If applicable, add screenshots to help explain your problem.

Additional context Add any other context about the problem here, specify if already has another NodeJS version or if trying to re-install the current version.

wooque avatar May 22 '25 22:05 wooque