Matomo apt repository key is too short and old

Open olaf7 opened this issue 4 months ago • 2 comments

When following instructions at https://debian.matomo.org to add the URI as a source for the APT package system, you will run into problems when using the current Debian stable release: Trixie.

Problem:

~/matomo# gpg matomo-repository.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   dsa1024 2013-12-19 [SC]
      1FD752571FE36FF23F78F91B81E2E78B66FED89E
uid           Piwik Open Source Analytics (Debian Package) <[email protected]>
sub   elg4096 2013-12-19 [E]

Which lists the three problems:

  • The signing key is very old (2013)
  • The key is very short (1024) and can no longer be considered safe for this reason
  • The short key is no longer usable in Debian (since Trixie)

Comments:

As an alternative, resources can be found on the net pointing to the Ubuntu keyserver. This also does not work on Trixie. I believe it should be fixed at the root: https://debian.matomo.org

I know there is a workaround as explained here: https://ubuntuhandbook.org/index.php/2024/04/workaround-apt-warning-signature-key-uses-weak-algorithm/ This does not sound like a solution to me.

olaf7 · Aug 31 '25 20:08
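
A way to check any repository keyring for the problem reported above, as an added example that is not part of the original issue or of the Matomo project: it parses GnuPG's machine-readable `--with-colons` listing and reports signing-capable RSA/DSA keys below a minimum size. The function names, the 2048-bit threshold (an assumed policy, not apt's exact acceptance rule) and the sample listing (constructed from the fingerprint and sizes shown in the issue; creation timestamps and the subkey ID are placeholders) are assumptions.

```shell
#!/bin/sh
# Added example: flag short signing keys in a gpg colon listing.
# Real use (file name taken from the issue):
#   gpg --show-keys --with-colons matomo-repository.gpg | audit_colons

# Constructed sample input mirroring the key in the issue, plus one
# constructed Ed25519 key for contrast. Timestamps and the subkey ID
# are placeholders, not real values.
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:81E2E78B66FED89E:1387411200:::-:::scSC::::::23::0:
fpr:::::::::1FD752571FE36FF23F78F91B81E2E78B66FED89E:
sub:-:4096:16:0000000000000000:1387411200::::::e::::::23:
pub:-:255:22:1111111111111111:1700000000:::-:::scSC:::::ed25519:::0:
EOF
}

# Reads a --with-colons listing on stdin and prints one line per weak key:
#   <keyid> <algo><bits> below <min> bits
# Colon fields used: 3 = key length, 4 = public-key algorithm
# (1 = RSA, 17 = DSA), 5 = key ID, 12 = capabilities.
# MIN_BITS is an assumed policy knob, defaulting to 2048.
audit_colons() {
    awk -F: -v min="${MIN_BITS:-2048}" '
        BEGIN { name[1] = "rsa"; name[17] = "dsa" }
        $1 == "pub" || $1 == "sub" {
            bits = $3 + 0
            algo = $4 + 0
            # Only keys able to sign or certify matter for verifying
            # repository signatures; skip encryption-only subkeys.
            if ($12 !~ /[sc]/) next
            # Bit length is only comparable for RSA and DSA; ECC keys
            # report curve sizes (e.g. 255) and are not judged here.
            if ((algo == 1 || algo == 17) && bits < min)
                printf "%s %s%d below %d bits\n", $5, name[algo], bits, min
        }
    '
}

# Stand-alone run over the constructed sample.
sample_listing | audit_colons
```

Only the `dsa1024` primary key is reported: the `elg4096` subkey is encryption-only and plays no part in signature verification, which is why its size does not help.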