apt, SHA-1 keys + 2026-02-01
You might have seen Policy will reject signature within a year warnings in apt(-get) update runs like this:
root@424812bd4556:/# apt update
Get:1 http://foo.example.org/debian demo InRelease [4229 B]
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
Get:5 http://foo.example.org/debian demo/main amd64 Packages [1097 B]
Fetched 5326 B in 0s (43.2 kB/s)
All packages are up to date.
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
root@424812bd4556:/# apt --audit update
Hit:1 http://foo.example.org/debian demo InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
All packages are up to date.
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://foo.example.org/debian/dists/demo/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:
No binding signature at time 2024-06-19T10:33:47Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: The sources.list(5) entry for 'http://foo.example.org/debian' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'http://foo.example.org/debian'
Audit: Consider migrating all sources.list(5) entries to the deb822 .sources format
Audit: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Audit: See apt-secure(8) for best practices in configuring repository signing.
Audit: Some sources can be modernized. Run 'apt modernize-sources' to do so.
If you ignored this for the last year, I would like to tell you that 2026-02-01 is not that far away (hello from the past if you’re reading this because you’re already affected).
Let’s simulate the future:
root@424812bd4556:/# apt --update -y install faketime
[...]
root@424812bd4556:/# export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 FAKETIME="2026-08-29 23:42:11"
root@424812bd4556:/# date
Sat Aug 29 23:42:11 UTC 2026
root@424812bd4556:/# apt update
Get:1 http://foo.example.org/debian demo InRelease [4229 B]
Hit:2 http://deb.debian.org/debian trixie InRelease
Err:1 http://foo.example.org/debian demo InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:
No binding signature at time 2024-06-19T10:33:47Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
[...]
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://foo.example.org/debian demo InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:
No binding signature at time 2024-06-19T10:33:47Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
[...]
root@424812bd4556:/# echo $?
100
Now, the proper solution would have been to fix the signing key underneath (via e.g. sq cert lint --fix --cert-file $PRIVAT_KEY_FILE > $PRIVAT_KEY_FILE-fixed).
If you don’t have access to the according private key (e.g. when using an upstream repository that has been ignoring this issue), you’re out of luck for a proper fix.
But there’s a workaround for the apt situation (see also apt commit 0989275c2f7afb7a5f7698a096664a1035118ebf):
root@424812bd4556:/# cat /usr/share/apt/default-sequoia.config
# Default APT Sequoia configuration. To overwrite, consider copying this
# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the
# desired values.

[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048 = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2026-02-01
# Extend the expiry for legacy repositories
sha224 = 2026-02-01

[packets]
signature.v3 = 2026-02-01
# Extend the expiry
Adjust this according to your needs:
root@424812bd4556:/# mkdir -p /etc/crypto-policies/back-ends/
root@424812bd4556:/# cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
root@424812bd4556:/# $EDITOR /etc/crypto-policies/back-ends/apt-sequoia.config
root@424812bd4556:/# cat /etc/crypto-policies/back-ends/apt-sequoia.config
# APT Sequoia override configuration

[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048 = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2026-09-01
# Extend the expiry for legacy repositories
sha224 = 2026-09-01

[packets]
signature.v3 = 2026-02-01
# Extend the expiry
Then we’re back in the original situation, with a warning instead of an error:
root@424812bd4556:/# apt update
Hit:1 http://deb.debian.org/debian trixie InRelease
Get:2 http://foo.example.org/debian demo InRelease [4229 B]
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
[..]
Please note that this is a workaround, and not a proper solution.
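To see at a glance which cutoffs in such a policy file have already passed (sqv rejects) and which fall within the next year (apt's "will reject within a year" warning), here is a small added checker that is not part of apt or the original post; it works on a constructed sample config mirroring the override above and assumes the simple `key = YYYY-MM-DD` layout shown there:

```shell
# Added example, not from apt or the original post. Classifies the cutoff dates
# in an apt-sequoia.config-style policy file against a given day. ISO dates
# compare correctly as plain strings, so no date(1) arithmetic is needed.
# Constructed sample mirroring the override shown above.
SAMPLE_CONFIG='# APT Sequoia override configuration
[asymmetric_algorithms]
dsa2048 = 2024-02-01
rsa2048 = 2030-02-01
[hash_algorithms]
sha1.second_preimage_resistance = 2026-09-01
sha224 = 2026-09-01
[packets]
signature.v3 = 2026-02-01
'

# Usage: policy_status "<config text>" YYYY-MM-DD
# Prints one line per entry that is already past ("reject") or expires within
# a year of the given day ("warn"): "<status> <section> <key> <cutoff>".
policy_status() {
    printf '%s\n' "$1" | awk -v today="$2" '
        BEGIN { next_year = (substr(today, 1, 4) + 1) substr(today, 5) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        /^\[/ { sub(/^\[/, ""); sub(/\]$/, ""); section = $0; next }
        {
            sub(/#.*/, "")                            # trailing comment
            n = index($0, "=")
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (val <= today)          status = "reject"
            else if (val <= next_year) status = "warn"
            else                       next
            print status, section, key, val
        }'
}
```

Run it against the stock default-sequoia.config and your override side by side to confirm the override actually moves the entry you care about from "reject" back to "warn".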