Warning on stable Linux Debian by APT: Policy will reject signature within a year. SHA1 is not considered secure

$ lsb_release -d
Description: Debian GNU/Linux 13 (trixie)

$ sudo apt modernize-sources
Modernizing /etc/apt/sources.list.d/tor.list… 
Writing /etc/apt/sources.list.d/tor.sources
$ sudo apt --audit update
Hit:11  https://deb.torproject.org/torproject.org trixie InRelease
…
Warning: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is not bound:
Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Notice: Skipping acquire of configured file ‘main/binary-i386/Packages’ as repository ‘https://deb.torproject.org/torproject.org trixie InRelease’ doesn’t support architecture ‘i386’

My architecture is x86_64, kernel amd64

$ find /etc/apt -iname "*tor*"
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg.dpkg-old
/etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg~
/etc/apt/apt.conf.d/01autoremove
/etc/apt/sources.list.d/tor.list.save
/etc/apt/sources.list.d/tor.list.bak
/etc/apt/sources.list.d/tor.sources
$ cat /etc/apt/sources.list.d/tor.sources
Types: deb deb-src
URIs:  https://deb.torproject.org/torproject.org/
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/tor-archive-keyring.gpg

How can I fix the above-mentioned apt warnings, and can anything be done so that this is fixed for everyone, without requiring manual research and fixing by every user?

Related to this question re trixie, I guess.

Looks like the issue is still open:


Could you run sudo apt install --only-upgrade deb.torproject.org-keyring and try again?

I have been there already; that is a closed topic, and I have not found or understood how to solve what I have described.

Your linked GitLab issue links to https://salsa.debian.org/extrepo-team/extrepo-data/-/raw/master/repos/debian/torproject.yaml?ref_type=heads, but when I used it in /etc/apt/sources.list.d/tor.sources, it did not seem to be detected during “apt update”.

I had to remove the lines:

---
torproject:

plus make other adjustments (like updating the Suites: line) in order to avoid, for example, “Error: Malformed stanza 1 in source list /etc/apt/sources.list.d/tor.sources (type)” during “sudo apt update”.

So I reverted the .sources file back to how it was (shown in my 1st post).

It returned: “deb.torproject.org-keyring is already the newest version (2025.08.08).”

It looks as if there is no workaround except maybe waiting for the devs to update the mentioned keyring package.

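Added example, not part of the thread and not Tor Project or Debian code: a shell check that lists, for each deb822 .sources stanza, the keyring file named in Signed-By (as in the tor.sources shown in the first post), whether that file is readable, and which installed package owns it according to dpkg-query -S. It is useful here because upgrading a keyring package only changes the keys apt verifies a repository against if Signed-By points at a file that package ships. The function names signed_by_paths and keyring_report are hypothetical.

```shell
#!/bin/sh
# Added example: show which keyring file each deb822 stanza is verified
# against, and which installed package (if any) owns that file.

# signed_by_paths FILE
# Prints "URIs<TAB>keyring path" for every stanza whose Signed-By is a path.
# Embedded keys and bare fingerprints (values not starting with "/") are skipped.
signed_by_paths() {
    awk '
        function flush() {
            if (key != "") print (uris == "" ? "-" : uris) "\t" key
            uris = ""; key = ""
        }
        /^[ \t]*$/ { flush(); next }   # a blank line ends a stanza
        /^#/       { next }            # comment line
        /^[ \t]/   { next }            # continuation line (e.g. embedded key)
        {
            name = tolower($0); sub(/:.*/, "", name)   # field names are case-insensitive
            value = $0; sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
            if (name == "uris") uris = value
            if (name == "signed-by" && value ~ /^\//) key = value
        }
        END { flush() }
    ' "$1"
}

# keyring_report [DIR]
# One line per stanza: sources file, URIs, keyring path and its status.
# If dpkg-query is unavailable, files are reported as not owned.
keyring_report() {
    tab=$(printf '\t')
    for f in "${1:-/etc/apt/sources.list.d}"/*.sources; do
        [ -e "$f" ] || continue
        signed_by_paths "$f" | while IFS=$tab read -r uris key; do
            if [ ! -r "$key" ]; then
                state="missing or unreadable"
            elif owner=$(dpkg-query -S "$key" 2>/dev/null); then
                state="owned by package ${owner%%:*}"
            else
                state="not owned by any package"
            fi
            printf '%s: %s -> %s (%s)\n' "$f" "$uris" "$key" "$state"
        done
    done
}

keyring_report "$@"
```

A keyring reported as not owned by any package was placed by hand and will not be replaced by a package upgrade.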

Do we have an update on this problem? I am experiencing the same thing and I am trying to set up a tor-relay under Debian trixie…