Error updating Repository on Trixie #56

New Issue

Vloeck · 2026-02-02T19:28:29+01:00

Vloeck commented

2026-02-02 19:28:29 +01:00

When running apt update, I get the following error messages:

...
Hit:10 https://apt.jurisic.org/debian trixie InRelease
Err:10 https://apt.jurisic.org/debian trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 20AE1C0A060D5FFA418AEDEE99EADCDA7E885BB2 is not bound:
            No binding signature at time 2026-01-19T12:02:48Z 
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
            because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: An error occurred during the signature verification. The repository is not updated 
  and the previous index files will be used. OpenPGP signature verification 
  failed: https://apt.jurisic.org/debian trixie InRelease: Sub-process /usr/bin/sqv returned an 
  error code (1), error message is: Signing key on 20AE1C0A060D5FFA418AEDEE99EADCDA7E885BB2 is not bound:
            No binding signature at time 2026-01-19T12:02:48Z   
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
            because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: Failed to fetch https://apt.jurisic.org/debian/dists/trixie/InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 
  20AE1C0A060D5FFA418AEDEE99EADCDA7E885BB2 is not bound:            
            No binding signature at time 2026-01-19T12:02:48Z   
            because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   
            because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: Some index files failed to download. They have been ignored, or old ones used instead.

I think, this is related to #45

When running `apt update`, I get the following error messages: ``` ... Hit:10 https://apt.jurisic.org/debian trixie InRelease Err:10 https://apt.jurisic.org/debian trixie InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 20AE1C0A060D5FFA418AEDEE99EADCDA7E885BB2 is not bound: No binding signature at time 2026-01-19T12:02:48Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: https://apt.jurisic.org/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 20AE1C0A060D5FFA418AEDEE99EADCDA7E885BB2 is not bound: No binding signature at time 2026-01-19T12:02:48Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Warning: Failed to fetch https://apt.jurisic.org/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 20AE1C0A060D5FFA418AEDEE99EADCDA7E885BB2 is not bound: No binding signature at time 2026-01-19T12:02:48Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Warning: Some index files failed to download. They have been ignored, or old ones used instead. ``` I think, this is related to #45

ijurisic commented

2026-02-03 07:59:16 +01:00

Does anyone have a suggestion for what to replace SHA1 it with?

Vloeck commented

2026-02-03 09:42:42 +01:00

I do not know exactly, but I think SHA-256 and SHA-512 are the current hashing algorithms for apt.

Answer from ChatGPT (take with a grain of salt):

If the repo is YOUR OWN (custom/private repo)

You must re-sign the repository metadata with a modern key.

Steps:

Create a new GPG key (RSA 3072+ or ed25519)
Ensure:
- Digest: SHA-256 or stronger
- No SHA-1 certifications anywhere
Re-sign:
- Release
- InRelease
- Release.gpg

If you’re using reprepro or aptly, both already support this — you just need a new key.

I do not know exactly, but I think SHA-256 and SHA-512 are the current hashing algorithms for apt. Answer from ChatGPT (take with a grain of salt): --- ### If the repo is YOUR OWN (custom/private repo) You must re-sign the repository metadata with a modern key. Steps: 1. Create a new GPG key (RSA 3072+ or ed25519) 2. Ensure: - Digest: SHA-256 or stronger - No SHA-1 certifications anywhere 3. Re-sign: - `Release` - `InRelease` - `Release.gpg` If you’re using `reprepro` or `aptly`, both already support this — you just need a new key.

ijurisic commented

2026-02-03 10:51:52 +01:00

Please no advice from ChatGPT. I will check on Debian Wiki

Thanks

Please no advice from ChatGPT. I will check on Debian Wiki Thanks

ijurisic commented

2026-02-03 11:32:44 +01:00

Updated key

ijurisic closed this issue

2026-02-03 11:32:45 +01:00

Sign in to join this conversation.

2 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: ijurisic/nextcloud-deb#56