OpenPGP signature verification failed (Debian stable)

I’m running Debian 13 and got the following message when using apt:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: https://apt.syncthing.net syncthing InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key FBA2E162F2F44657B38F0309E5665F9BD5970C47, which is needed to verify signature. Signing key on 37C84554E7E0A261E4F76E1ED26E6ED000654A3E is not bound: No binding signature at time 2026-02-17T01:41:02Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
W: Failed to fetch https://apt.syncthing.net/dists/syncthing/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key FBA2E162F2F44657B38F0309E5665F9BD5970C47, which is needed to verify signature. Signing key on 37C84554E7E0A261E4F76E1ED26E6ED000654A3E is not bound: No binding signature at time 2026-02-17T01:41:02Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

I’ve already found “apt.syncthing.net uses outdated gpg key - #3 by Nummer378” and “Debian signing key will be invalid on 1 Feb 2026”, and I did the following:

sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg

sudo cp /etc/apt/keyrings/syncthing-archive-keyring.gpg /usr/share/keyrings/
sudo apt-get update && sudo apt-get upgrade

I still got the issue at hand.

What am I missing in order to fix the issue?

Check your apt sources /etc/apt/sources.list.d/syncthing.list if you’re pinning the correct key. Also since you’re on 13, have you migrated to the new source format? In that case the filenames will have changed to something like syncthing.sources instead of .list.

Oh, I think that there is something else going on. I obviously installed syncthing via the extrepo method:



user@host ~ % cat /etc/apt/sources.list.d/extrepo_syncthing.sources
Components: stable
Types: deb
Architectures: amd64 i386 arm64 armhf armel
Suites: syncthing
Uris: https://apt.syncthing.net
Enabled: yes
Signed-By: /var/lib/extrepo/keys/syncthing.asc
user@host ~ % l /var/lib/extrepo/keys/syncthing.asc
-rw-r--r-- 1 root root 2476 Aug 19  2025 /var/lib/extrepo/keys/syncthing.asc
user@host ~ % l /usr/share/keyrings/syncthing-archive-keyring.gpg
-rw-r--r-- 1 root root 2585 Feb 23 09:24 /usr/share/keyrings/syncthing-archive-keyring.gpg
user@host ~ % file /usr/share/keyrings/syncthing-archive-keyring.gpg
/usr/share/keyrings/syncthing-archive-keyring.gpg: OpenPGP Public Key Version 4, Created Sun Nov 24 07:02:26 2024, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate
user@host ~ % file /var/lib/extrepo/keys/syncthing.asc
/var/lib/extrepo/keys/syncthing.asc: PGP public key block Public-Key (old)
user@host ~ %

I guess I need to figure out what public key format extrepo needs and then how to get the syncthing key into that format.

It’s our repo so our key?

Just download our current one and adapt the path of the Signed-By line.

That’s not the key that you updated, so there’s your problem.

Yes, I just did that and fixed the issue:

sudo vim /etc/apt/sources.list.d/extrepo_syncthing.sources

… and replace the outdated asc file with the new path to the gpg file. No need to convert to asc format. apt did accept the change and omitted the warning/error after that.

Thanks for sharing your thoughts with me!

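The root cause in this thread was that the updated key file was not the one the source entry's Signed-By pointed at. The following is an added example, not part of the original posts: a shell check that prints which key file each apt source entry is pinned to. It covers both the deb822 `.sources` format shown above and the older one-line `.list` format; the function names `list_signed_by` and `pinned_key_for` are hypothetical.

```shell
#!/bin/sh
# Added example: show which key file each APT source entry is pinned to.
# Prints one line per entry: <source file> TAB <URI> TAB <Signed-By value>
list_signed_by() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
        *.sources)   # deb822 format: "Field: value" stanzas split by blank lines
            awk -v f="$f" '
                function emit() {
                    if (uri != "") print f "\t" uri "\t" (key != "" ? key : "(none)")
                    uri = ""; key = ""
                }
                /^[ \t]*$/ { emit(); next }    # blank line ends a stanza
                /^[# \t]/  { next }            # comments and continuation lines
                {
                    name = tolower($0); sub(/:.*/, "", name)   # field names are case-insensitive
                    val = $0; sub(/^[^:]*:[ \t]*/, "", val)
                    if (name == "uris") uri = val
                    if (name == "signed-by") key = (val != "" ? val : "(embedded key)")
                }
                END { emit() }' "$f" ;;
        *.list)      # one-line format: deb [opt=val ...] URI suite components
            awk -v f="$f" '
                /^[ \t]*deb(-src)?[ \t]/ {
                    key = "(none)"; i = 2
                    if ($2 ~ /^\[/) for (; i <= NF; i++) {
                        opt = $i; sub(/^\[/, "", opt); sub(/\]$/, "", opt)
                        if (opt ~ /^signed-by=/) key = substr(opt, 11)
                        if ($i ~ /\]$/) { i++; break }
                    }
                    print f "\t" $i "\t" key
                }' "$f" ;;
        esac
    done
}

# Key file(s) pinned for a repository host (substring match on the URI), e.g.
#   pinned_key_for apt.syncthing.net /etc/apt/sources.list.d/* /etc/apt/sources.list
pinned_key_for() {
    host=$1; shift
    list_signed_by "$@" | awk -F'\t' -v h="$host" 'index($2, h) { print $3 }' | sort -u
}
```

If the path printed for the repository is not the file you just replaced, apt is still verifying against the old key.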