Debian signing key will be invalid on 1 Feb 2026

The current Debian signing key will cease to work on 1 Feb 2026, probably because of https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1092747.

This su terminal session says it all:

# apt update --audit
Hit:1 http://security.debian.org bookworm-security InRelease
Hit:2 http://ftp.au.debian.org/debian bookworm InRelease
Hit:3 http://ftp.au.debian.org/debian bookworm-updates InRelease
Hit:4 http://ftp.au.debian.org/debian testing InRelease
Get:5 https://apt.syncthing.net syncthing InRelease [17.5 kB]
Fetched 20.5 kB in 2s (8,768 B/s)
74 packages can be upgraded. Run 'apt list --upgradable' to see them.
Warning: https://apt.syncthing.net/dists/syncthing/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://apt.syncthing.net/dists/syncthing/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Missing key FBA2E162F2F44657B38F0309E5665F9BD5970C47, which is needed to verify signature.
   Signing key on 37C84554E7E0A261E4F76E1ED26E6ED000654A3E is not bound:
              No binding signature at time 2025-07-06T19:10:41Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
1 Like

That is in fact the current key. Grab it from apt.syncthing.net.

This is an old one.

Thanks. The problem occurred because there was an old syncthing keyring file in /usr/share/keyrings, which is where Debian puts all its keyring files these days. Downloading the new keyring to /etc/apt/keyrings made no difference. Perhaps the instructions on apt.syncthing.net could be changed to use /usr/share/keyrings instead of /etc/apt/keyrings.

1 Like

The path has varied over time and depends on the kind of key. I believe /etc/apt/keyrings is correct under the circumstances, and note that our sources.list recommendation points to it explicitly.

3 Likes

I too had to update the relevant commands from ../etc/apt/.. to ../usr/share/.. for Debian to stop throwing errors.

Thanks for documenting the workaround @quixotique

Edit: More context from the Debian wiki:

If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead.
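
A check for the situation reported in this thread, an old keyring file in one of the two directories and a newer one in the other, written here as an added example that is not part of the thread or of the Syncthing or Debian instructions. It reads the keyring path each apt source references via signed-by and reports a same-named but different file in the other directory; the function names and the optional root prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is an optional prefix so the check
# can run against a copy of a filesystem; empty means the live system.

# Print "source-file<TAB>keyring-path" for each path-style signed-by entry.
list_signed_by() {
    root=${1:-}
    for f in "$root"/etc/apt/sources.list \
             "$root"/etc/apt/sources.list.d/*.list \
             "$root"/etc/apt/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        case $f in
            # deb822 style:   Signed-By: /path/to/keyring
            *.sources) sed -n 's|^[Ss]igned-[Bb]y:[[:space:]]*\(/[^[:space:]]*\).*|\1|p' "$f" ;;
            # one-line style: deb [signed-by=/path/to/keyring] uri suite component
            *) sed -n 's|^[^#]*signed-by=\(/[^], ]*\).*|\1|p' "$f" ;;
        esac | while read -r key; do printf '%s\t%s\n' "$f" "$key"; done
    done
}

# For each keyring a source actually uses, report a same-named file with
# different content in the other of the two directories named in the thread.
find_shadowed_keyrings() {
    root=${1:-}
    list_signed_by "$root" | while IFS="$(printf '\t')" read -r src key; do
        case $key in
            /usr/share/keyrings/*) other=/etc/apt/keyrings/${key##*/} ;;
            /etc/apt/keyrings/*)   other=/usr/share/keyrings/${key##*/} ;;
            *) continue ;;
        esac
        [ -f "$root$key" ] && [ -f "$root$other" ] || continue
        cmp -s "$root$key" "$root$other" && continue   # identical copies are harmless
        if [ "$root$other" -nt "$root$key" ]; then age=unused-copy-is-newer
        else age=unused-copy-is-older; fi
        printf '%s\tuses=%s\tunused=%s\t%s\n' "$src" "$key" "$other" "$age"
    done
}

find_shadowed_keyrings "${1:-}"
```

A line ending in unused-copy-is-newer means the source still verifies against the older file, so either the signed-by path or the file it names needs updating.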