Warning on stable Linux Debian by APT: Policy will reject signature within a year. SHA1 is not considered secure

$ lsb_release -d
Description: Debian GNU/Linux 13 (trixie)

$ sudo apt modernize-sources
Modernizing /etc/apt/sources.list.d/tor.list… 
Writing /etc/apt/sources.list.d/tor.sources
$ sudo apt --audit update
Hit:11  https://deb.torproject.org/torproject.org trixie InRelease
…
Warning: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is not bound:
Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Notice: Skipping acquire of configured file ‘main/binary-i386/Packages’ as repository ‘https://deb.torproject.org/torproject.org trixie InRelease’ doesn’t support architecture ‘i386’

My architecture is x86_64, kernel amd64

$ find /etc/apt -iname "*tor*"
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg.dpkg-old
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg~
/etc/apt/apt.conf.d/01autoremove
/etc/apt/sources.list.d/tor.list.save
/etc/apt/sources.list.d/tor.list.bak
/etc/apt/sources.list.d/tor.sources
$ cat /etc/apt/sources.list.d/tor.sources
Types: deb deb-src
URIs:  https://deb.torproject.org/torproject.org/
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/tor-archive-keyring.gpg

Please, how do I fix the above-mentioned apt warnings, and can anything be done so this is fixed for everyone, without requiring manual research and fixing by every user?


Related to this question re trixie, I guess.

Looks like the issue is still open:


Could you run sudo apt install --only-upgrade deb.torproject.org-keyring and try again?

I have been there already; that is a closed topic and I have not found/understood how to solve what I have described.

From your linked GitLab issue, https://salsa.debian.org/extrepo-team/extrepo-data/-/raw/master/repos/debian/torproject.yaml?ref_type=heads is linked, but when I used it in /etc/apt/sources.list.d/tor.sources, it does not seem to be detected during “apt update”.

I had to remove the lines:

---
torproject:

and make other adjustments (like updating the Suites: line) in order to avoid, for example, “Error: Malformed stanza 1 in source list /etc/apt/sources.list.d/tor.sources (type)” during “sudo apt update”.

So I reverted the .sources file back to how it was (shown in my first post).

It returned: “deb.torproject.org-keyring is already the newest version (2025.08.08).”

It looks as if there is no workaround except maybe waiting for the devs to update the mentioned keyring package.


Do we have an update on this problem? I am experiencing the same thing and I am trying to set up a Tor relay under Debian trixie…

I am having the same issue:

$ sudo apt install --only-upgrade deb.torproject.org-keyring
deb.torproject.org-keyring is already the newest version (2025.08.08).
Summary:
  Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 0


So I successfully updated the keyring. The hint about it was first in Signing Key Insecure? - #5 by g0l4, then yours @Tobi.

The keyring package was not installed for me. But you can safely remove the package and then reinstall it. It should update the key correctly, from what I experienced on my instances.

And according to the GitLab issue Debian repository: policy will reject signature within a year: SHA1 is not considered secure (#1) · Issues · The Tor Project / TPA / debian / deb.torproject.org-keyring · GitLab, the ownership of the keys seems to have been transitioned correctly.

Please mention the command to do it. I am up to date (apt) on Debian 13 (stable release).

$ apt list deb.torproject.org-keyring
deb.torproject.org-keyring/stable,now 2025.08.08 all [installed]

$ sudo apt update --audit

Audit: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is not bound:
Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Around 5 days remaining, I think.

Just uninstall the package. For me, I think I already uninstalled it months ago while waiting for the fix for the problem.

So uninstall the package deb.torproject.org-keyring with a simple apt remove and then install it again. This thing has no dependencies and is not a dependency either.

Thank you, but in my case it did not work. The “apt update” warning appears despite the package being removed and then installed, reinstalled or purged.

ls /etc/apt/sources.list.d/ -A1|grep tor
tor.list.bak
tor.list.save
tor.sources

cat /etc/apt/sources.list.d/tor.sources
Types: deb deb-src
URIs: https://deb.torproject.org/torproject.org/
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/tor-archive-keyring.gpg

gpg --show-keys /usr/share/keyrings/tor-archive-keyring.gpg
pub   rsa2048 2009-09-04 [SC] [expires: 2028-08-29]
      A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
uid                      deb.torproject.org archive signing key
sub   rsa2048 2009-09-04 [S] [expires: 2026-09-09]

This same key A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is advertised at Installation - Getting started - Tor — Tor, under the Debian section.

I think you did not understand me correctly.

So there are 2 packages:

Tor and deb.torproject.org-keyring

The last one is the one you need to remove or install if that is not already done.

And the last one is also the one you need to uninstall and then reinstall if there is still a problem with the key.

The line above is your problem: it does not refer to the keyring installed by the deb.torproject.org-keyring package. It’s another file, probably installed manually in the past. You should delete that old keyring file and replace the Signed-By line in your .sources file with:

Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg

This is the procedure according to Installation - Getting started - Tor — Tor

Let us know if that fixes the issue.


Thanks for coming in and solving the issue.

In my case I did not have the file:
/usr/share/keyrings/deb.torproject.org-keyring.gpg
but the file:
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg

So I moved the original file away and replaced the reference to it with a reference to the new file:

sudo mv /usr/share/keyrings/tor-archive-keyring.gpg /dev/shm
sudo sed -i "s|/usr/share/keyrings/tor-archive-keyring.gpg|/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg|g" /etc/apt/sources.list.d/tor.sources
sudo apt --audit update

returns no more key errors/warnings.

UPDATE (according to a following comment):

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null

Got from Installation - Getting started - Tor — Tor.
That command created the file and I entered that file path in /etc/apt/sources.list.d/tor.sources;
that works to avoid the apt update warning/error.

Please don’t use /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg in your sources file: this file is deprecated and will be removed eventually from the deb.torproject.org-keyring package, which will cause problems for you in the future.

If you don’t have /usr/share/keyrings/deb.torproject.org-keyring.gpg already on your system, you can follow the instructions on our support page to download (and cryptographically verify) this file.

Once you have it on your system, installing the deb.torproject.org-keyring package will ensure it is kept up to date.

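The root cause the staff reply identifies is a Signed-By line that points at a stale, manually installed keyring rather than the one the deb.torproject.org-keyring package ships, with /etc/apt/trusted.gpg.d/ paths additionally deprecated. The script below is an added example, not code from the thread or from the Tor Project: it parses deb822 .sources files stanza by stanza, reports for each one whether the referenced keyring exists, is deprecated, or is missing, and can rewrite the Signed-By line to the packaged keyring path. The sample .sources content and the temporary keyring file it creates are constructed; the keyring paths under the temp directory are placeholders standing in for the real ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Tor Project): audit deb822
# .sources files for the keyring their Signed-By line references and, if
# wanted, repoint them at the packaged keyring. Requires POSIX sh and awk.

# Print one line per stanza: "<URIs> <Signed-By> <status>", where status is
#   ok                        keyring file exists and is readable
#   missing                   Signed-By names a file that is not there
#   deprecated-trusted.gpg.d  Signed-By points into /etc/apt/trusted.gpg.d/
#   inline                    key material is embedded in the stanza
#   no-signed-by              stanza pins no key at all
audit_sources() {
    awk '
        function flush() {
            if (uris == "" && signed == "") return
            if (signed == "")                                   status = "no-signed-by"
            else if (signed == "inline")                        status = "inline"
            else if (signed ~ /^\/etc\/apt\/trusted\.gpg\.d\//) status = "deprecated-trusted.gpg.d"
            else if (system("test -r \"" signed "\"") != 0)     status = "missing"
            else                                                status = "ok"
            print (uris == "" ? "-" : uris), (signed == "" ? "-" : signed), status
            uris = ""; signed = ""
        }
        /^[[:space:]]*$/ { flush(); next }                 # a blank line ends a stanza
        /^URIs:/      { sub(/^URIs:[[:space:]]*/, "");      uris = $0; next }
        /^Signed-By:/ { sub(/^Signed-By:[[:space:]]*/, ""); signed = ($0 == "" ? "inline" : $0); next }
        END { flush() }
    ' "$1"
}

# Rewrite every file-based Signed-By line in $1 to the keyring path $2.
# Only for stanzas whose Signed-By is a path (an inline key block would keep
# its continuation lines and need manual editing instead).
set_signed_by() {
    sed -i "s|^Signed-By:.*|Signed-By: $2|" "$1"
}

# Constructed sample for a stand-alone run: one stanza per situation seen in
# the thread. Writes into a temp dir and prints that directory.
make_samples() {
    dir=$(mktemp -d)
    # Placeholder standing in for /usr/share/keyrings/deb.torproject.org-keyring.gpg.
    touch "$dir/deb.torproject.org-keyring.gpg"
    cat > "$dir/tor.sources" <<EOF
Types: deb deb-src
URIs: https://deb.torproject.org/torproject.org/
Suites: trixie
Components: main
Signed-By: $dir/tor-archive-keyring.gpg

Types: deb
URIs: https://example.invalid/deprecated/
Suites: trixie
Components: main
Signed-By: /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg

Types: deb
URIs: https://example.invalid/ok/
Suites: trixie
Components: main
Signed-By: $dir/deb.torproject.org-keyring.gpg
EOF
    printf '%s\n' "$dir"
}

if [ "$#" -gt 0 ]; then
    # Real use: audit_sources /etc/apt/sources.list.d/*.sources
    for f in "$@"; do audit_sources "$f"; done
else
    d=$(make_samples)
    echo "before:"; audit_sources "$d/tor.sources"
    set_signed_by "$d/tor.sources" "$d/deb.torproject.org-keyring.gpg"
    echo "after:";  audit_sources "$d/tor.sources"
    rm -rf "$d"
fi
```

Run it without arguments for the constructed demo, or pass your real .sources files to audit them; a `missing` or `deprecated-trusted.gpg.d` status on the Tor stanza is the symptom the thread describes, and the fix is the Signed-By path the staff reply gives.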
