Warning on Debian 13 that within a year a signing key will be rejected


jens.gr...@gmail.com

Oct 15, 2025, 7:00:23 AM
to bareos-users
Hello guys,

after upgrading a server to Debian 13 I get this warning when I do an 'apt update'.

root@gandalf# LC_ALL=C apt update --audit
Hit:1 https://download.bareos.org/current/Debian_13  InRelease
<snip>
All packages are up to date.
Warning: https://download.bareos.org/current/Debian_13/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://download.bareos.org/current/Debian_13/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 82834CF002D89BA55C1ED0AA42DA24A6DFEF9127 is not bound:
              No binding signature at time 2025-10-09T09:15:50Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

I've just looked up if I have the most recent key and at least I haven't found a newer one on the website.

Right now this is not an issue, but as far as I understand the message it will be a problem from 2026-02-01. Are there any plans to create a more secure key? (Sorry if I mix up keys, signatures etc., because I'm not too familiar with these things.)

Greetings, Jens

Bruno Friedmann (bruno-at-bareos)

Oct 15, 2025, 10:57:56 AM
to bareos-users
Hi Jens,

We got that issue reported once, but we never got a reproducible path for it.

Could you elaborate a bit more on how your system was provisioned to get that error?
Regards.

If you have interesting details, you can reopen the issue and add them there.

jens.gr...@gmail.com

Oct 15, 2025, 12:51:15 PM
to bareos-users
Thank you for the GitHub link. I left a comment and I hope that someone will take care of it.

I'm not quite sure what you mean by "how your system was provisioned".
The system is a bare metal server. On this computer and with Debian 12 I did not see this error but after upgrading to Debian 13.
I installed the community edition of Bareos in the first place with the help of the script add_bareos_repositories.sh as described in the documentation.
Is that what you meant or do you need other information?

Greetings, Jens

jens.gr...@gmail.com

Oct 16, 2025, 2:23:57 AM
to bareos-users
I've done a little research and installed Bareos on an LXC on a Proxmox host. And as Andreas Rogge described in the GitHub comment, I could not reproduce the error on that fresh install. You can read the details in my GitHub comment.

Long story short: If your key is too old (mine was from July 2023) you will have to download the key again from the bareos website and after that the apt warning will be gone.

Greetings, Jens

Bruno Friedmann (bruno-at-bareos)

Oct 16, 2025, 4:00:46 AM
to bareos-users
Thanks, that helps to determine how to reproduce the case.
We might want to force the refresh of the key when people run the add_bareos_repositories.sh script.
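Added example, not part of the thread and not Bareos or apt code: a small parser for the `apt update --audit` output quoted in the first post, which lists every repository whose signing key sqv reports as bound only by a soon-to-be-rejected hash, with the days remaining until the policy cut-off. The function names `parse_audit` and `days_left` are hypothetical, and the line layout it matches is assumed from the output shown above.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the Audit lines quoted in the first post of this thread.
SAMPLE = """\
Audit: https://download.bareos.org/current/Debian_13/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 82834CF002D89BA55C1ED0AA42DA24A6DFEF9127 is not bound:
              No binding signature at time 2025-10-09T09:15:50Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
"""

# Assumption: message layout as shown in the quoted output, nothing more.
HEAD = re.compile(r"^\w+: (\S+): Sub-process /usr/bin/sqv returned an error code")
KEY = re.compile(r"Signing key on ([0-9A-Fa-f]+) is not bound")
CUTOFF = re.compile(r"because: (\S+) is not considered secure since (\S+)")

def parse_audit(text):
    """Return one dict per sqv complaint: source, fingerprint, algorithm, cutoff."""
    findings, cur = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            cur = {"source": head.group(1), "fingerprint": None,
                   "algorithm": None, "cutoff": None}
            findings.append(cur)
        elif cur is not None and line[:1].isspace():
            # Indented lines continue the current sqv message.
            if (m := KEY.search(line)):
                cur["fingerprint"] = m.group(1).upper()
            elif (m := CUTOFF.search(line)):
                cur["algorithm"] = m.group(1)
                cur["cutoff"] = datetime.strptime(
                    m.group(2), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        else:
            cur = None  # any other unindented line ends the message
    return findings

def days_left(finding, now=None):
    """Whole days until the policy cut-off; negative once it has passed."""
    now = now or datetime.now(timezone.utc)
    return (finding["cutoff"] - now).days

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = [f for f in parse_audit(text) if f["cutoff"]]
    for f in found:
        print(f"{f['source']}: key {f['fingerprint']} ({f['algorithm']}), {days_left(f)} days left")
    sys.exit(1 if found else 0)
```

Pipe the output of `LC_ALL=C apt update --audit 2>&1` into the script; a non-zero exit status means at least one repository key should be downloaded again, as described in the thread.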