#1936 Debian trixie: DSA1024 signing key not considered secure
Reporter: tibequadorian
Owner: Zash
Tags: Priority-Medium, Type-Defect, Status-Fixed, Component-Builder
tibequadorian
on
I upgraded to Debian trixie and noticed that `apt update` results in errors for the prosody repository. This seems to be caused by an insecure signing key:
```
# apt update
...
Hit:8 http://packages.prosody.im/debian trixie InRelease
Err:8 http://packages.prosody.im/debian trixie InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://packages.prosody.im/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: Failed to fetch http://packages.prosody.im/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
```
tibequadorian
on
I was able to work around this by creating a file /etc/crypto-policies/back-ends/apt-sequoia.config with
```
[hash_algorithms]
sha1.second_preimage_resistance = "always"
[asymmetric_algorithms]
dsa1024 = "always"
```
Thank you for the update, Zash. If you could let us know through this issue as soon as it is available, that would be great.
Thanks, all the best.
Zash
on
MattJ updated our package repository page with new installation instructions: https://prosody.im/download/package_repository
Importantly, we will be updating the signing key for our packages (new fingerprint AD3B912769C5F962DCBA7956F7A37EB33D0B25D7). Existing deployments which use our package repository will need to update the repository configuration before Monday 4th August, or installation/updates of Prosody will stop working. Instructions are at the link above. As this documentation is new, feedback is much welcome!
Wiktor
on
I hope you don't mind, but just for the record I've uploaded the new signing key to a couple of keyservers (it took me a while to get the key location, as the docs didn't clearly indicate where I can get the full key).
Sebastian
on
@Zash @Wiktor how do I actually update the key? I used the instructions Zash provided in https://prosody.im/download/package_repository and removed everything before released to source files and old keys. And here I am still getting this output:
```
W: GPG error: http://packages.prosody.im/debian noble InRelease: The following signatures were invalid: 107D65A0A148C237FDF00AB47393D7E674D9DBB5 (untrusted public key algorithm: dsa1024)
E: The repository 'http://packages.prosody.im/debian noble InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```
Zash
on
All you have to do once you updated the key(s) on your end is to wait for us to re-sign the repo with the new key. Once we do it should start working on trixie.
Scott A.
on
I see that the prosody.sources file (at least for Ubuntu noble) at
https://prosody.im/downloads/repos/noble/prosody.sources
is using DEB822 format, and the Signed-By option uses an embedded GPG public key block.
In Ubuntu noble, the man page for sources.list states, in the description of the Signed-By option:
The option may also be set directly to an embedded GPG public key block. Special care is needed to encode the empty line with leading spaces and "."
Your prosody.sources file is not following this "special care" advice. The encoding of the empty line does not include the "."
I don't know if this will cause any problems but, just to be safe, I suggest you follow that advice.
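A small check for the Signed-By encoding described above, as an added example that is not part of this thread or of Prosody's tooling. It parses the first stanza of a DEB822 .sources file, undoes apt's continuation-line encoding (one leading space dropped, a lone " ." meaning an empty line) and flags a whitespace-only continuation line, which is how the empty line in the key block had been written; the key data in the sample stanza is a constructed placeholder, not a real key.

```python
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"

# Constructed sample stanza; the key body is a placeholder, not a real key.
GOOD = """Types: deb
URIs: http://packages.prosody.im/debian
Suites: noble
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 mQINBFplaceholderCONSTRUCTEDnotARealKeyAAAAAAAAAAAAAAAAAAAAAAAA
 =AbCd
 -----END PGP PUBLIC KEY BLOCK-----
"""
# Same stanza with the empty line written as a lone space instead of " ."
BAD = GOOD.replace("\n .\n", "\n \n")

def signed_by_lines(text):
    """Continuation lines of the Signed-By field in the first stanza."""
    out, inside = [], False
    for line in text.splitlines():
        if inside:
            if not line.startswith((" ", "\t")):
                break  # a non-continuation line ends the field
            out.append(line)
        elif line.lower().startswith("signed-by:"):
            rest = line.split(":", 1)[1].strip()
            if rest:  # value on the same line, e.g. a keyring path
                return [rest]
            inside = True
    return out

def decode_armor(cont_lines):
    """Undo DEB822 encoding: drop one leading space, ' .' becomes an empty line."""
    return ["" if raw[1:] == "." else raw[1:] for raw in cont_lines]

def check_signed_by(text):
    """Return the problems found in an embedded key block ([] means it is fine)."""
    cont = signed_by_lines(text)
    if not cont:
        return ["no Signed-By field found"]
    if len(cont) == 1 and ARMOR_BEGIN not in cont[0]:
        return []  # keyring path form, nothing to check
    problems = [f"line {i}: whitespace-only continuation line (encode as ' .')"
                for i, raw in enumerate(cont, 1) if raw.strip() == ""]
    armor = decode_armor(cont)
    if armor[0] != ARMOR_BEGIN or armor[-1] != ARMOR_END:
        problems.append("armor header or footer missing or malformed")
    if "" not in armor[1:-1]:
        problems.append("no empty line between armor headers and key data")
    return problems
```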
Zash
on
Seemed to work without the `.`, but it's added now.
Zash
on
We have now switched the repo to the new key and it seems to work on some different Debian and Ubuntu versions (tested mostly in containers).
Changes
tags Status-Fixed
owner Zash
Scott A.
on
It appears to be fine on my Ubuntu 24.04 noble system (not in a container). With the fix in place, Prosody updated from 13.0.1 to 13.0.2. It's being used for a self-hosted Jitsi Meet installation.
Thanks for fixing this.
Walter
on
Today I applied this new key with my ubuntu/24.04 LTS (noble) and it worked without the dsa1024 error. Great!
But, I tried with ubuntu/24.10 (oracular) and I got the error. As of 8/9/2025.
So maybe you haven't applied your new key to that repo yet. Just FYI.
Thanks for the report. We are aware of this and have planned to replace this key soon. https://packages.prosody.im/debian/pubkey-new.asc will be the new key and https://packages.prosody.im/debian/package-key-rotation-2025-02-14.asc is a statement signed by the previous key
Hello Prosody Team, what is the status on this matter? I do not seem to be able to get the key to work on Ubuntu Noble. Thanks!
We are working on it, announcement coming soon.
Thank you very much for your effort! We are running Prosody on Ubuntu Noble and use the following workaround: https://support.plesk.com/hc/en-us/articles/31896680837527-System-updates-fail-to-be-installed-on-Plesk-server-with-Ubuntu-24-04-OS-and-Imunify-installed-The-following-signatures-were-invalid-9EE467641C635726A184D64B8C55A6628608CB71-untrusted-public-key-algorithm-dsa1024
Oracular reached end of life on July 10: https://wiki.ubuntu.com/Releases#End_of_Life