pgp key for debian is no more accepted

[EricV2]

Err:14 https://repos.codelite.org/debian trixie InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 7716412FB5B50060D47CF42B6856E1DB1AC82609 is not bound: No binding signature at time 2025-12-01T10:15:50Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

You should probably create a new pgp key with other verification than SHA1

[danielfdickinson]

Here is the full message:

Get:4 https://repos.codelite.org/debian trixie InRelease [2,064 B]         
Err:4 https://repos.codelite.org/debian trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 7716412FB5B50060D47CF42B6856E1DB1AC82609 is not bound:            No binding signature at time 2025-12-01T10:15:50Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: OpenPGP signature verification failed: https://repos.codelite.org/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 7716412FB5B50060D47CF42B6856E1DB1AC82609 is not bound:            No binding signature at time 2025-12-01T10:15:50Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'https://repos.codelite.org/debian trixie InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

[danielfdickinson]

I have tried setting various combinations of these (i.e. not commented):

#Allow-Weak: yes
#Allow-Insecure: yes
#Allow-Downgrade-To-Insecure: yes
#Trusted: yes

but they do not appear to work with a signed repository.

Not that it is recommended to use them anyway.

[danielfdickinson]

Here is some info from the apt-secure (8) man page, in case it helps.

To generate keys suitable for use in APT using GnuPG, you will need to use the gpg --export-options export-minimal [--armor] --export command. Earlier solutions involving --keyring file --import no longer work with recent GnuPG versions as they use a new internal format ("GPG keybox database").

REPOSITORY CONFIGURATION
       If you want to provide archive signatures in an archive under your maintenance you have to:

       •   Create a toplevel Release file, if it does not exist already. You can do this by running apt-ftparchive release (provided in apt-utils).

       •   Sign it. You can do this by running gpg --clearsign -o InRelease Release and gpg -abs -o Release.gpg Release.

       •   Publish the key fingerprint, so that your users will know what key they need to import in order to authenticate the files in the archive. It is best to ship your key in its own keyring package like Debian does with debian-archive-keyring to
           be able to distribute updates and key transitions automatically later.

       •   Provide instructions on how to add your archive and key. If your users can't acquire your key securely the chain of trust described above is broken. How you can help users add your key depends on your archive and target audience ranging from
           having your keyring package included in another archive users already have configured (like the default repositories of their distribution) to leveraging the web of trust.

[eranif]

@dghart

[EricV2]

I have opened the same type of bug for other organizations, and it has been fixed sometimes in half a day. Even Microsoft did fix it for edge browser and other linux apps.

I have seen new keys generated at the root of the repository and tried the last one but the repository files Release and other have not been updated correctly...

OpenPGP : https://repos.codelite.org/debian trixie InRelease : Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 7716412FB5B50060D47CF42B6856E1DB1AC82609, which is needed to verify signature.