trixie apt warning: "Policy will reject signature within a year"



Posted (edited)

```

root@opi5 /etc/apt/sources.list.d# apt-get update
Hit:1 http://deb.debian.org/debian trixie-backports InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease        
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://security.debian.org trixie-security InRelease 
Hit:5 https://github.armbian.com/configng stable InRelease                                            
Hit:6 http://mirror.vinehost.net/armbian/apt trixie InRelease
Reading package lists... Done
W: https://github.armbian.com/configng/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
N: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'

```

 

```

root@opi5 /etc/apt/sources.list.d# apt-get update --audit
Hit:1 http://deb.debian.org/debian trixie-backports InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease                                                                
Hit:3 http://deb.debian.org/debian trixie-updates InRelease                                                        
Hit:4 http://security.debian.org trixie-security InRelease                                                         
Hit:5 https://github.armbian.com/configng stable InRelease                                                         
Hit:6 http://mirror.vinehost.net/armbian/apt trixie InRelease
Reading package lists... Done
W: https://github.armbian.com/configng/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
A: https://github.armbian.com/configng/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 is not bound:
              No binding signature at time 2025-09-08T18:12:20Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
   Missing key 8CFA83D13EB2181EEF5843E41EB30FAF236099FE, which is needed to verify signature.
N: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'

```

 

**/etc/apt/sources.list.d/armbian-config.sources**

```

Types: deb
URIs: https://github.armbian.com/configng
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/armbian.gpg

```

 

**/etc/apt/sources.list.d/armbian.sources**

```

Types: deb
URIs: http://apt.armbian.com/
Suites: trixie
Components: main  trixie-utils trixie-desktop
Signed-By: /etc/apt/trusted.gpg.d/armbian.gpg

```

 

**/etc/apt/sources.list.d/debian-backports.sources**

```

# Modernized from /etc/apt/sources.list
Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie-backports
Components: main  contrib non-free non-free-firmware
Signed-By:

```

 

**/etc/apt/sources.list.d/debian.sources**

```

# Modernized from /etc/apt/sources.list
Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie
Components: main  contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# Modernized from /etc/apt/sources.list
Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie-updates
Components: main  contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

# Modernized from /etc/apt/sources.list
Types: deb
URIs: http://security.debian.org/
Suites: trixie-security
Components: main  contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

```

 

How to fix it?

Edited by zital debian
Posted

We already did that. I think the problem is that our keys are not packed (yet) but added at build time. When a person upgrades from Bookworm to Trixie, this will show up, while on new Trixie images this shouldn't manifest. @zital debian Is this the case?

https://github.com/armbian/configng/commit/5d866b9b105bfd46cb341c21c70ba76e32e1fea2

We have been signing with both the old and the new key (which is aligned with current standards) since then.

Posted
4 hours ago, zital debian said:

I upgraded from bookworm to trixie


OK. I think the workaround is to re-download / re-install armbian.key from the repository, as the key was already changed.

  • Solution
Posted

I also upgraded from bookworm to trixie and saw this warning. I can confirm that Igor's suggested workaround addresses it:

```
wget https://apt.armbian.com/armbian.key
gpg --dearmor < armbian.key | sudo tee /usr/share/keyrings/armbian.gpg > /dev/null
```

apt is now happy with the armbian repo.

Posted

@blood This fixed the issue with the configng repo, but I am still getting the warning for the main repo:
```

Warning: http://apt.armbian.com/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://apt.armbian.com/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
  Signing key on DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 is not bound:
             No binding signature at time 2025-11-16T01:37:58Z
    because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
    because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
  Missing key 8CFA83D13EB2181EEF5843E41EB30FAF236099FE, which is needed to verify signature.
```
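
An added example, not part of any post in this thread and not Armbian's code: the workaround above writes `/usr/share/keyrings/armbian.gpg`, while the `armbian.sources` file posted at the top of the thread has `Signed-By: /etc/apt/trusted.gpg.d/armbian.gpg`. This script lists the keyring file each deb822 stanza trusts and flags Armbian stanzas that point somewhere other than the refreshed file; the function names `signed_by_report` and `keyring_mismatch` are hypothetical, and the sample stanzas are copied from the thread (the backports one abridged).

```shell
# Added example. Function names are hypothetical; sample stanzas are
# copied (debian-backports abridged) from the files posted in the thread.
# Print "<file>\t<URIs>\t<Signed-By path or MISSING>" per deb822 stanza.
# Handles the path form of Signed-By only, not an embedded key block.
signed_by_report() {
    for f in "$1"/*.sources; do
        [ -e "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function emit() {
                if (uris != "")
                    printf "%s\t%s\t%s\n", file, uris, (key != "" ? key : "MISSING")
                uris = ""; key = ""
            }
            { sub(/[ \t\r]+$/, "") }          # drop trailing whitespace
            /^$/          { emit(); next }    # blank line ends a stanza
            /^#/          { next }
            /^URIs:/      { sub(/^URIs:[ \t]*/, ""); uris = $0; next }
            /^Signed-By:/ { sub(/^Signed-By:[ \t]*/, ""); key = $0; next }
            END           { emit() }
        ' "$f"
    done
}

# Stanzas whose URI contains $3 but whose keyring is not the file $2.
keyring_mismatch() {
    signed_by_report "$1" | awk -F '\t' -v want="$2" -v host="$3" \
        'index($2, host) && $3 != want'
}

demo=$(mktemp -d)
cat > "$demo/armbian-config.sources" <<'EOF'
Types: deb
URIs: https://github.armbian.com/configng
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/armbian.gpg
EOF
cat > "$demo/armbian.sources" <<'EOF'
Types: deb
URIs: http://apt.armbian.com/
Suites: trixie
Components: main  trixie-utils trixie-desktop
Signed-By: /etc/apt/trusted.gpg.d/armbian.gpg
EOF
printf 'Types: deb\nURIs: http://deb.debian.org/debian/\nSigned-By:\n' \
    > "$demo/debian-backports.sources"
signed_by_report "$demo"
keyring_mismatch "$demo" /usr/share/keyrings/armbian.gpg armbian
```

On a real system, pass `/etc/apt/sources.list.d` as the directory instead of the temporary one.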
