PSA: upcoming GPG key change for packages.georchestra.org debian repo


Landry Breuil

Jan 9, 2026, 6:19:43 AM
to georc...@googlegroups.com
Hi,

while working on an update to debian trixie, i stumbled upon the fact
that the gpg key in use for our debian repository at
https://packages.georchestra.org used SHA-1, which debian now loudly
complains about:

Signing key on ADE7E09E8F18256CF8876B43F7F623A6B9F6E131 is not bound:
No binding signature at time 2025-08-04T13:20:47Z
because: Policy rejected non-revocation signature
(PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

steps taken:

- creating a new gpg key with modern standards, now available at
http://packages.georchestra.org/debian/p...@georchestra.org.gpg.pubkey

- re-signed the 'master' suite of the debian repo with that key, and
after adapting the debian repo configuration, confirmed that apt was
happy with that new signing key.

so *IFF* you use our debian repo from https://packages.georchestra.org,
i plan to change the signing key for the new one before the end of the
month (and re-sign the stable repositories suites 24.0.x & 25.0.x), i'll
probably post a mail here when this is done.

so please plan to update your configuration for the new key, and while
at it you might want to switch to the 'new' deb822 debian repository
configuration layout, as shown on
https://github.com/georchestra/ansible/issues/148#issuecomment-3728491489
(the procedure is now all fully documented in a github issue in an
internal repository)

--
Landry Breuil

Landry Breuil

Jan 26, 2026, 4:04:48 AM
to georc...@googlegroups.com
Hi,

the new key has been used to re-sign the 24.0.x and 25.0.x repositories,
so if you get the following message upon apt update:
Sub-process /usr/bin/sqv returned an error code (1), error message
is: Missing key 1DE188B92C436D52B9701B4CA95824F8D9681323, which is
needed to verify signature.

you need to update your sources.list entry to point the key at the new
one, to fetch from
http://packages.georchestra.org/debian/p...@georchestra.org.gpg.pubkey

https://packages.georchestra.org/ has been updated to only document/use
the new key, the old one can be safely removed.

Landry
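
A check for the configuration change both posts above ask for, as an added example that is not part of the thread: it lists every apt source entry pointing at packages.georchestra.org and the keyring it is pinned to, in both the one-line and the deb822 layout. The keyring paths, the `main` component and the sample file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): list every apt source entry that points
# at a given repository host and the keyring it is pinned to.
# Usage: audit_sources HOST FILE...   Output: file<TAB>format<TAB>keyring|NONE

audit_sources() {
    host=$1; shift
    awk -v host="$host" '
    function emit(file, fmt, key) {
        printf "%s\t%s\t%s\n", file, fmt, (key == "" ? "NONE" : key)
    }
    # Close the current deb822 stanza and report it if it targets the host.
    function end_stanza() {
        if (index(uris, host)) emit(sfile, "deb822", signed)
        uris = ""; signed = ""
    }
    FNR == 1 { end_stanza() }            # a new file always ends the stanza
    /^[ \t]*#/ { next }                  # skip comments
    FILENAME ~ /\.sources$/ {            # deb822: "Field: value" stanzas
        if ($0 ~ /^[ \t]*$/) { end_stanza(); next }
        field = tolower($1)
        if (field == "uris:") { uris = $0; sfile = FILENAME }
        if (field == "signed-by:") signed = $2   # path form only, not an inline key
        next
    }
    ($1 == "deb" || $1 == "deb-src") && index($0, host) {   # one-line format
        key = ""
        for (i = 2; i <= NF; i++) {
            opt = $i; gsub(/^\[|\]$/, "", opt)
            if (index(opt, "signed-by=") == 1) key = substr(opt, 11)
        }
        emit(FILENAME, "one-line", key)
    }
    END { end_stanza() }
    ' "$@"
}

# Constructed sample files; keyring paths, component and file names are placeholders.
make_samples() {
    d=$(mktemp -d)
    printf 'deb [signed-by=/etc/apt/keyrings/OLD-KEY.gpg] https://packages.georchestra.org/debian master main\n' > "$d/a.list"
    printf 'deb https://packages.georchestra.org/debian master main\n' > "$d/b.list"
    printf 'Types: deb\nURIs: https://packages.georchestra.org/debian\nSuites: master\nComponents: main\nSigned-By: /etc/apt/keyrings/NEW-KEY.gpg\n' > "$d/c.sources"
    echo "$d"
}

d=$(make_samples)
audit_sources packages.georchestra.org "$d"/a.list "$d"/b.list "$d"/c.sources
rm -rf "$d"
```

An entry reported as `NONE` has no per-repository keyring pinned, so it relies on whatever keys apt trusts globally.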

Pierre Jégo

Jan 29, 2026, 9:29:47 AM
to georchestra
Thanks @Landry 
