I upgraded to Debian trixie and noticed that `apt update` results in errors for the prosody repository. This seems to be caused by an insecure signing key: ``` # apt update ... Hit:8 http://packages.prosody.im/debian trixie InRelease Err:8 http://packages.prosody.im/debian trixie InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://packages.prosody.im/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z Warning: Failed to fetch http://packages.prosody.im/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 107D65A0A148C237FDF00AB47393D7E674D9DBB5 is not bound: Policy rejected asymmetric algorithm because: DSA1024 is not considered secure since 2014-02-01T00:00:00Z Warning: Some index files failed to download. They have been ignored, or old ones used instead. ```

I was able to work around this by creating a file /etc/crypto-policies/back-ends/apt-sequoia.config with ``` [hash_algorithms] sha1.second_preimage_resistance = "always" [asymmetric_algorithms] dsa1024 = "always" ```

Thanks for the report. We are aware of this and have planned to replace this key soon. https://packages.prosody.im/debian/pubkey-new.asc will be the new key and https://packages.prosody.im/debian/package-key-rotation-2025-02-14.asc is a statement signed by the previous key

• tags Component-Builder Status-Started

Hello Prosody Team What is the Status on this matter? I do not seem to be able to get the key to work on Ubuntu Noble. Thanks!

We are working on it, announcement coming soon.

Thank you very much for your effort! We are running Prosody on Ubuntu Noble and use the following workaround: https://support.plesk.com/hc/en-us/articles/31896680837527-System-updates-fail-to-be-installed-on-Plesk-server-with-Ubuntu-24-04-OS-and-Imunify-installed-The-following-signatures-were-invalid-9EE467641C635726A184D64B8C55A6628608CB71-untrusted-public-key-algorithm-dsa1024

Thank you for the update Zash, if you could let us know through this Issue as soon as it is available that would be great. Thanks, all the best.

MattJ updated our package repository page with new installation instructions: https://prosody.im/download/package_repository Importantly, we will be updating the signing key for our packages (new fingerprint AD3B912769C5F962DCBA7956F7A37EB33D0B25D7). Existing deployments which use our package repository will need to update the repository configuration before Monday 4th August, or installation/updates of Prosody will stop working. Instructions are at the link above. As this documentation is new, feedback is much welcome!