zital debian Posted Thursday at 07:13 AM Posted Thursday at 07:13 AM (edited) ``` root@opi5 /etc/apt/sources.list.d# apt-get update Hit:1 http://deb.debian.org/debian trixie-backports InRelease Hit:2 http://deb.debian.org/debian trixie InRelease Hit:3 http://deb.debian.org/debian trixie-updates InRelease Hit:4 http://security.debian.org trixie-security InRelease Hit:5 https://github.armbian.com/configng stable InRelease Hit:6 http://mirror.vinehost.net/armbian/apt trixie InRelease Reading package lists... Done W: https://github.armbian.com/configng/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details N: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian' ``` ``` root@opi5 /etc/apt/sources.list.d# apt-get update --audit Hit:1 http://deb.debian.org/debian trixie-backports InRelease Hit:2 http://deb.debian.org/debian trixie InRelease Hit:3 http://deb.debian.org/debian trixie-updates InRelease Hit:4 http://security.debian.org trixie-security InRelease Hit:5 https://github.armbian.com/configng stable InRelease Hit:6 http://mirror.vinehost.net/armbian/apt trixie InRelease Reading package lists... Done W: https://github.armbian.com/configng/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details A: https://github.armbian.com/configng/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 is not bound: No binding signature at time 2025-09-08T18:12:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Missing key 8CFA83D13EB2181EEF5843E41EB30FAF236099FE, which is needed to verify signature. N: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian' ``` **/etc/apt/sources.list.d/armbian-config.sources** ``` Types: deb URIs: https://github.armbian.com/configng Suites: stable Components: main Signed-By: /usr/share/keyrings/armbian.gpg ``` **/etc/apt/sources.list.d/armbian.sources** ``` Types: deb URIs: http://apt.armbian.com/ Suites: trixie Components: main trixie-utils trixie-desktop Signed-By: /etc/apt/trusted.gpg.d/armbian.gpg ``` **/etc/apt/sources.list.d/debian-backports.sources** ``` # Modernized from /etc/apt/sources.list Types: deb URIs: http://deb.debian.org/debian/ Suites: trixie-backports Components: main contrib non-free non-free-firmware Signed-By: ``` **/etc/apt/sources.list.d/debian.sources** ``` # Modernized from /etc/apt/sources.list Types: deb URIs: http://deb.debian.org/debian/ Suites: trixie Components: main contrib non-free non-free-firmware Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg # Modernized from /etc/apt/sources.list Types: deb URIs: http://deb.debian.org/debian/ Suites: trixie-updates Components: main contrib non-free non-free-firmware Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg # Modernized from /etc/apt/sources.list Types: deb URIs: http://security.debian.org/ Suites: trixie-security Components: main contrib non-free non-free-firmware Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg ``` How to fix it? Edited Thursday at 07:13 AM by zital debian 0 Quote
tabrisnet Posted 9 hours ago Posted 9 hours ago Googling suggests the need for Armbian to re-issue their signing keys. Note, I don't think this means they have to generate a new one. Just re-sign it. https://www.redhat.com/en/blog/updating-gpg-keys-for-fedora-and-rhel https://github.com/fwupd/fwupd/issues/7124 @Igor 0 Quote
Igor Posted 1 hour ago Posted 1 hour ago We already did that. I think the problem is that our keys are not packed (yet) but added at build time. When a person upgrades from Bookworm to Trixie, this will show up, while on new Trixie images this shouldn't manifest. @zital debian Is this the case? https://github.com/armbian/configng/commit/5d866b9b105bfd46cb341c21c70ba76e32e1fea2 We are signing with old and new key (which is aligned with current standards) since then. 0 Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.