#1936 Debian trixie: DSA1024 signing key not considered secure
Reporter: tibequadorian
Owner: Nobody
Stars: ★★★ (5)
Tags: Priority-Medium, Type-Defect, Status-Started, Component-Builder
tibequadorian
on
I upgraded to Debian trixie and noticed that `apt update` results in errors for the prosody repository. This seems to be caused by an insecure signing key:
```
# apt update
...
Hit:8 http://packages.prosody.im/debian trixie InRelease
Err:8 http://packages.prosody.im/debian trixie InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://packages.prosody.im/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: Failed to fetch http://packages.prosody.im/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
```
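An added example (not part of the original report and not Prosody's or apt's own code): a shell function that reads `apt update` output like the above and lists each repository whose signing key `sqv` rejected on policy grounds, with the key fingerprint, the rejected algorithm and the policy cutoff date. The function names and the `Hit:1` sample line are constructed; the other sample lines are taken from the report, and only the message form shown there is matched.

```shell
#!/bin/sh
# Added example: find repositories that apt's sqv verifier refuses because the
# signing key uses an algorithm the policy no longer accepts.
# Reads `apt update` output on stdin and prints one line per affected repo:
#   <repo URL> <suite> <key fingerprint> <algorithm> <policy cutoff>
sqv_policy_rejections() {
    awk '
    # Remember the repository named on an "Err:N <url> <suite> ..." line.
    /^Err:[0-9]+ / { repo = $2 " " $3; next }
    # The sqv diagnostic is expected on the line right after the Err line.
    repo != "" && match($0, /Signing key on [0-9A-F]+ is not bound: Policy rejected asymmetric algorithm because: [A-Za-z0-9]+ is not considered secure since [0-9TZ:-]+/) {
        split(substr($0, RSTART, RLENGTH), w, " ")
        # w[4] = fingerprint, w[13] = algorithm, w[19] = cutoff timestamp
        line = repo " " w[4] " " w[13] " " w[19]
        if (!(line in seen)) { seen[line] = 1; print line }
    }
    # Any other line ends the Err context, so the repeated "Warning:" copies
    # of the same diagnostic are not reported a second time.
    { repo = "" }
    '
}

# Sample input: the Hit:1 line is constructed, the rest is from the report.
sample_apt_output() {
    cat <<'EOF'
Hit:1 http://deb.debian.org/debian trixie InRelease
Err:8 http://packages.prosody.im/debian trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: Failed to fetch http://packages.prosody.im/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
}

sample_apt_output | sqv_policy_rejections
```

On a real host, pipe `apt update 2>&1` into `sqv_policy_rejections` to see which third-party repositories still sign with a key the policy rejects.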
tibequadorian
on
I was able to work around this by creating a file `/etc/crypto-policies/back-ends/apt-sequoia.config` with
```
[hash_algorithms]
sha1.second_preimage_resistance = "always"
[asymmetric_algorithms]
dsa1024 = "always"
```
Thank you for the update Zash, if you could let us know through this Issue as soon as it is available that would be great.
Thanks, all the best.
Zash
on
MattJ updated our package repository page with new installation instructions: https://prosody.im/download/package_repository
Importantly, we will be updating the signing key for our packages (new fingerprint AD3B912769C5F962DCBA7956F7A37EB33D0B25D7). Existing deployments which use our package repository will need to update the repository configuration before Monday 4th August, or installation/updates of Prosody will stop working. Instructions are at the link above. As this documentation is new, feedback is much welcome!
Thanks for the report. We are aware of this and have planned to replace this key soon. https://packages.prosody.im/debian/pubkey-new.asc will be the new key and https://packages.prosody.im/debian/package-key-rotation-2025-02-14.asc is a statement signed by the previous key.
Hello Prosody Team, what is the status on this matter? I do not seem to be able to get the key to work on Ubuntu Noble. Thanks!
We are working on it, announcement coming soon.
Thank you very much for your effort! We are running Prosody on Ubuntu Noble and use the following workaround: https://support.plesk.com/hc/en-us/articles/31896680837527-System-updates-fail-to-be-installed-on-Plesk-server-with-Ubuntu-24-04-OS-and-Imunify-installed-The-following-signatures-were-invalid-9EE467641C635726A184D64B8C55A6628608CB71-untrusted-public-key-algorithm-dsa1024