client icon indicating copy to clipboard operation
client copied to clipboard
verified publisher icon keybase

Debian APT will not support SHA-1 after February 1, 2026

Open rhymeswithmogul opened this issue 4 months ago • 0 comments

Describe the bug The Keybase APT repository is using SHA-1 hashes, which will be deprecated and no longer valid as of February 1, 2026.

To Reproduce Steps to reproduce the behavior:

  1. Upgrade to Debian 13 ("Trixie") or later, or a comparable Debian-based OS.
  2. Run apt update, or apt update --audit to see the full debugging output.
  3. See warning. It works for now, though.

Expected behavior Signatures should be using an algorithm from the SHA-2 or SHA-3 families, instead of an algorithm that's been getting deprecated for fifteen years.

Screenshots

Warning: https://prerelease.keybase.io/deb/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://prerelease.keybase.io/deb/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 222B85B0F90BE2D24CFEB93F47484E50656D16C7 is not bound:
              No binding signature at time 2025-04-28T15:48:52Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: Repositories should provide a clear-signed InRelease file, but none found at http://linux.dropbox.com/debian/dists/trixie/InRelease.

Additional numbers The number 345567

rhymeswithmogul avatar Sep 14 '25 15:09 rhymeswithmogul