PSA: upcoming GPG key change for packages.georchestra.org debian repo

Landry Breuil

Jan 9, 2026, 6:19:43 AM
to georc...@googlegroups.com
Hi,

while working on an update to debian trixie, i stumbled upon the fact
that the gpg key in use for our debian repository at
https://packages.georchestra.org used SHA-1, which debian now loudly
complains about:

Signing key on ADE7E09E8F18256CF8876B43F7F623A6B9F6E131 is not bound:
No binding signature at time 2025-08-04T13:20:47Z
because: Policy rejected non-revocation signature
(PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

steps taken:

- creating a new gpg key with modern standards, now available at
http://packages.georchestra.org/debian/p...@georchestra.org.gpg.pubkey

- re-signed the 'master' suite of the debian repo with that key, and
after adapting the debian repo configuration, confirmed that apt was
happy with that new signing key.

so *IFF* you use our debian repo from https://packages.georchestra.org,
i plan to change the signing key for the new one before the end of the
month (and re-sign the stable repositories suites 24.0.x & 25.0.x), i'll
probably post a mail here when this is done.

so please plan to update your configuration for the new key, and while
at it you might want to switch to the 'new' deb822 debian repository
configuration layout, as shown on
https://github.com/georchestra/ansible/issues/148#issuecomment-3728491489
(the procedure is now all fully documented in a github issue in an
internal repository)

--
Landry Breuil