#1936 Debian trixie: DSA1024 signing key not considered secure

Reporter tibequadorian
Owner Nobody
Created
Updated
Stars ★★★ (5)
Tags
  • Priority-Medium
  • Type-Defect
  • Status-Started
  • Component-Builder
  1. tibequadorian on

    I upgraded to Debian trixie and noticed that `apt update` results in errors for the prosody repository. This seems to be caused by an insecure signing key:

    ```
    # apt update
    ...
    Hit:8 http://packages.prosody.im/debian trixie InRelease
    Err:8 http://packages.prosody.im/debian trixie InRelease
      Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
    Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://packages.prosody.im/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
    Warning: Failed to fetch http://packages.prosody.im/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
    Warning: Some index files failed to download. They have been ignored, or old ones used instead.
    ```
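
A triage helper for the error in the report above, added here as an example and not part of the original thread or of Prosody's or apt's tooling: it extracts from captured `apt update` output which repositories sqv rejected, with the key fingerprint, algorithm and cutoff date. The function name and regular expression are assumptions built from the message wording shown in the report, and the sample input is constructed from it.

```python
import re

# Assumption: message wording as shown in the report above; whitespace is
# collapsed first because apt may wrap the sqv message over several lines.
ERR_RE = re.compile(
    r"Err:\d+ (?P<url>\S+) (?P<suite>\S+) (?P<file>\S+) "
    r"Sub-process /usr/bin/sqv returned an error code \(\d+\), "
    r"error message is: Signing key on (?P<fpr>[0-9A-Fa-f]{40,64}) is not bound: "
    r"Policy rejected (?P<kind>[\w ]+?) because: "
    r"(?P<algo>\S+) is not considered secure since (?P<since>\S+)"
)

def rejected_keys(apt_output):
    """Return one record per (repository, suite, key) that sqv's policy rejected."""
    flat = " ".join(apt_output.split())
    seen, findings = set(), []
    for m in ERR_RE.finditer(flat):
        ident = (m["url"], m["suite"], m["fpr"].upper())
        if ident in seen:
            continue  # same repository and key reported more than once
        seen.add(ident)
        findings.append({
            "repo": m["url"], "suite": m["suite"], "fingerprint": m["fpr"].upper(),
            "rejected": m["kind"], "algorithm": m["algo"], "insecure_since": m["since"],
        })
    return findings

# Constructed sample: lines shaped like the report's output, plus one
# made-up healthy repository (deb.example.org) for contrast.
SAMPLE = """\
Hit:7 http://deb.example.org/debian trixie InRelease
Err:8 http://packages.prosody.im/debian trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is:
  Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound:
  Policy rejected asymmetric algorithm because: DSA1024 is not considered
  secure since 2014-02-01T00:00:00Z
Warning: Failed to fetch http://packages.prosody.im/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
"""

if __name__ == "__main__":
    for f in rejected_keys(SAMPLE):
        print(f"{f['repo']} ({f['suite']}): key {f['fingerprint']} rejected, "
              f"{f['algorithm']} not considered secure since {f['insecure_since']}")
```

The repeated `Warning:` copies of the message are not counted twice because only the `Err:` entry names the repository and suite.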

  2. tibequadorian on

    I was able to work around this by creating a file `/etc/crypto-policies/back-ends/apt-sequoia.config` with

    ```
    [hash_algorithms]
    sha1.second_preimage_resistance = "always"

    [asymmetric_algorithms]
    dsa1024 = "always"
    ```

  3. Zash on

    Thanks for the report. We are aware of this and have planned to replace this key soon. https://packages.prosody.im/debian/pubkey-new.asc will be the new key and https://packages.prosody.im/debian/package-key-rotation-2025-02-14.asc is a statement signed by the previous key.

    Changes
    • tags Component-Builder Status-Started
  4. rockontack on

    Hello Prosody Team, what is the status on this matter? I do not seem to be able to get the key to work on Ubuntu Noble. Thanks!

  5. Zash on

    We are working on it, announcement coming soon.

  6. Stefan Zugal on

    Thank you very much for your effort! We are running Prosody on Ubuntu Noble and use the following workaround: https://support.plesk.com/hc/en-us/articles/31896680837527-System-updates-fail-to-be-installed-on-Plesk-server-with-Ubuntu-24-04-OS-and-Imunify-installed-The-following-signatures-were-invalid-9EE467641C635726A184D64B8C55A6628608CB71-untrusted-public-key-algorithm-dsa1024

  7. rockontack on

    Thank you for the update Zash, if you could let us know through this Issue as soon as it is available that would be great. Thanks, all the best.

  8. Zash on

    MattJ updated our package repository page with new installation instructions: https://prosody.im/download/package_repository Importantly, we will be updating the signing key for our packages (new fingerprint AD3B912769C5F962DCBA7956F7A37EB33D0B25D7). Existing deployments which use our package repository will need to update the repository configuration before Monday 4th August, or installation/updates of Prosody will stop working. Instructions are at the link above. As this documentation is new, feedback is much welcome!
