Skip to content

Debian APT will not support SHA-1 after February 1, 2026 #28470

New issue
New issue
Open
Open
Debian APT will not support SHA-1 after February 1, 2026#28470
@rhymeswithmogul

Description

@rhymeswithmogul
rhymeswithmogul
opened on Sep 14, 2025

Describe the bug
The Keybase APT repository is using SHA-1 hashes, which will be deprecated and no longer valid as of February 1, 2026.

To Reproduce
Steps to reproduce the behavior:

  1. Upgrade to Debian 13 ("Trixie") or later, or a comparable Debian-based OS.
  2. Run apt update, or apt update --audit to see the full debugging output.
  3. See warning. It works for now, though.

Expected behavior
Signatures should be using an algorithm from the SHA-2 or SHA-3 families, instead of an algorithm that's been getting deprecated for fifteen years.

Screenshots

Warning: https://prerelease.keybase.io/deb/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://prerelease.keybase.io/deb/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 222B85B0F90BE2D24CFEB93F47484E50656D16C7 is not bound:
              No binding signature at time 2025-04-28T15:48:52Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: Repositories should provide a clear-signed InRelease file, but none found at http://linux.dropbox.com/debian/dists/trixie/InRelease.

Additional numbers
The number 345567

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions