
Gluster apt repo broken for Debian 13/Trixie due to insecure SHA1 signature #62

@srstsavage

Description

The Gluster apt repository is broken for Debian 13/Trixie due to the use of an SHA1 signature.

$ cat /etc/apt/sources.list.d/gluster.list 
deb [arch=amd64 signed-by=/etc/apt/keyrings/gluster.asc] https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie main
$ sudo apt update
Hit:1 http://security.debian.org/debian-security trixie-security InRelease
Hit:2 http://ftp.us.debian.org/debian trixie InRelease                                           
Hit:3 http://ftp.us.debian.org/debian trixie-updates InRelease                                          
Get:4 https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease [2,101 B]
Err:4 https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on F9C958A3AEE0D2184FAD1CBD43607F0DC2F8238C is not bound:            No binding signature at time 2023-11-08T14:04:10Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: OpenPGP signature verification failed: https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on F9C958A3AEE0D2184FAD1CBD43607F0DC2F8238C is not bound:            No binding signature at time 2023-11-08T14:04:10Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

See related issue gluster/glusterfs#4607

As a temporary workaround, sysadmins can extend the date at which SHA1 signatures will be considered invalid by creating an override file at /etc/crypto-policies/back-ends/apt-sequoia.config and assigning a future date to sha1.second_preimage_resistance in [hash_algorithms], for example:

[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048  = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2027-02-01
sha224 = 2026-02-01

[packets]
signature.v3 = 2026-02-01

or by editing /usr/share/apt/default-sequoia.config directly.
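Before loosening the policy it helps to see which signatures in a keyring actually trip it. The script below is an added example, not code from the Gluster project or from apt/sequoia: it walks the OpenPGP packets of a keyring (binary or ASCII-armored, as /etc/apt/keyrings/gluster.asc is) and lists every non-revocation v4 signature whose hash is SHA1 or MD5, which is the class of signature the sqv policy above rejects after 2026-02-01. It only decodes packet headers and the fixed part of signature packets (no subpackets, no v3/v5/v6 signatures, no partial-body lengths), and the sample keyring it ships with is constructed, not the Gluster key. Run it as `python3 check_keyring.py /etc/apt/keyrings/gluster.asc` to inspect a real file; the file name is a placeholder.

```python
"""Report OpenPGP binding/certification signatures made with SHA1 or MD5,
the condition sqv's crypto policy rejects ("requiring second pre-image
resistance"). Added example; constructed sample data, not the Gluster key."""
import base64
import sys

# Subset of RFC 4880 hash and signature-type identifiers.
HASH_ALGS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
             9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
             0x12: "CasualCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding",
             0x1F: "DirectKey", 0x20: "KeyRevocation",
             0x28: "SubkeyRevocation", 0x30: "CertificationRevocation"}
REVOCATION_TYPES = {0x20, 0x28, 0x30}   # the policy exempts revocations
WEAK_HASHES = {1, 2}                    # MD5, SHA1


def dearmor(text: bytes) -> bytes:
    """Strip ASCII armor (what /etc/apt/keyrings/*.asc holds) to raw packets."""
    body, in_block, past_headers = [], False, False
    for line in text.decode("ascii").splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_block, past_headers = True, False
            continue
        if line.startswith("-----END PGP"):
            break
        if not in_block:
            continue
        if not past_headers:
            if line.strip() == "":      # blank line ends the armor headers
                past_headers = True
                continue
            if ":" in line:             # e.g. "Version:" / "Comment:" header
                continue
            past_headers = True         # no headers at all: this is data
        if line.startswith("="):        # CRC24 line, not part of the packets
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old and new format headers with
    definite lengths (partial-body lengths do not occur in keyrings)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:                          # new format header
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length = ((first - 192) << 8) + data[i + 1] + 192
                i += 2
            elif first == 255:
                length = int.from_bytes(data[i + 1:i + 5], "big")
                i += 5
            else:
                raise ValueError("partial body length not supported")
        else:                                   # old format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def parse_signature(body: bytes) -> dict:
    """Decode the fixed header of a v4 signature packet (tag 2)."""
    if body[0] != 4:
        return {"version": body[0]}
    return {"version": 4, "sig_type": body[1], "pk_alg": body[2], "hash_alg": body[3]}


def weak_binding_signatures(keyring: bytes):
    """[(signature type, hash)] for non-revocation v4 signatures that use a
    hash without second pre-image resistance, mirroring the sqv policy."""
    if keyring.lstrip().startswith(b"-----BEGIN PGP"):
        keyring = dearmor(keyring)
    found = []
    for tag, body in iter_packets(keyring):
        if tag != 2:
            continue
        sig = parse_signature(body)
        if sig["version"] != 4:
            continue
        if sig["hash_alg"] in WEAK_HASHES and sig["sig_type"] not in REVOCATION_TYPES:
            found.append((SIG_TYPES.get(sig["sig_type"], hex(sig["sig_type"])),
                          HASH_ALGS.get(sig["hash_alg"], str(sig["hash_alg"]))))
    return found


def _packet(tag: int, body: bytes) -> bytes:   # new-format header, body < 192 bytes
    return bytes([0xC0 | tag, len(body)]) + body


def _sig(sig_type: int, hash_alg: int) -> bytes:
    # v4, type, RSA (1), hash, empty hashed/unhashed subpackets, 2 hash octets, dummy MPI
    return _packet(2, bytes([4, sig_type, 1, hash_alg]) + b"\x00\x00\x00\x00"
                   + b"\xde\xad" + b"\x00\x08\xab")


# Constructed sample: placeholder public key + user ID, a SHA1 positive
# certification (rejected), a SHA256 subkey binding and a SHA1 revocation (both allowed).
SAMPLE_KEYRING = (_packet(6, b"\x04" + b"\x00" * 8 + b"\x01")
                  + _packet(13, b"constructed example <x@example.invalid>")
                  + _sig(0x13, 2) + _sig(0x18, 8) + _sig(0x20, 2))
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
                  + base64.encodebytes(SAMPLE_KEYRING)
                  + b"=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ARMORED
    for sig_type, h in weak_binding_signatures(data):
        print(f"weak non-revocation signature: {sig_type} with {h}")
```

On the constructed sample this reports one PositiveCertification made with SHA1, the same signature class named in the apt error above. A SHA1 revocation is deliberately not reported, matching the "non-revocation signature" wording of the policy; the script does not model the policy's cut-off date, it simply flags what will fail once that date has passed. If the same check is run against a real keyring and finds no weak non-revocation signatures, the override in apt-sequoia.config is not what is needed and the failure lies elsewhere.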
