[GH-ISSUE #1586] APT repository key still using SHA1 - now causing "Missing key" errors #1115

Closed
opened 2026-05-07 00:30:21 +02:00 by BreizhHardware · 2 comments

Originally created by @Tealk on GitHub (Feb 1, 2026).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1586

Description:

The ntfy Debian repository at https://archive.heckel.io/apt/ is failing to update due to SHA1 signature deprecation (deadline: 2026-02-01).

Error Messages:

```
Err:3 https://archive.heckel.io/apt debian InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 1D5B8EDFB2476E53, which is needed to verify signature.

Warning: Failed to fetch https://archive.heckel.io/apt/dists/debian/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 1D5B8EDFB2476E53, which is needed to verify signature.
```

System Information:

  • Debian trixie
  • apt 3.x with Sequoia PGP signature verification

Root Cause:

The signing key CF871F1E8399DAEF470832661D5B8EDFB2476E53 carries only SHA1 self-signatures. As of February 1, 2026, Debian's apt policy rejects SHA1-based signatures.

Solution:

Update the repository signing key to use SHA256 or SHA512 for all signatures and re-sign the repository metadata accordingly.

Related Issues:

  • #1401
  • #1357
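
Added example, not part of the original issue or of the ntfy project: a small checker for the condition named under "Root Cause", reporting which hash algorithm each self-signature on a key uses. It assumes the text layout of GnuPG's `gpg --list-packets` output; the function names and the sample listing are constructed for illustration, and only the key ID comes from the issue.

```python
import re
import sys

# OpenPGP hash algorithm IDs as printed by `gpg --list-packets` (RFC 4880, 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK = {"MD5", "SHA1"}  # the issue names SHA1; MD5 is treated the same here
SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-F]{16})")
KEYID_RE = re.compile(r"^\s+keyid: ([0-9A-F]{16})")
CLASS_RE = re.compile(r"sigclass 0x([0-9a-f]{2})")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed sample shaped like `gpg --list-packets` output (not real key data).
SAMPLE = """\
:public key packet:
    keyid: 1D5B8EDFB2476E53
:user ID packet: "Example Repo <repo@example.invalid>"
:signature packet: algo 1, keyid 1D5B8EDFB2476E53
    version 4, created 1500000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 12 34
:public sub key packet:
    keyid: 0123456789ABCDEF
:signature packet: algo 1, keyid 1D5B8EDFB2476E53
    version 4, created 1500000000, md5len 0, sigclass 0x18
    digest algo 2, begin of digest 56 78
"""

def self_signatures(listing):
    """Return (sigclass, hash name) for each signature made by the primary key."""
    primary, issuer, sigclass, found = None, None, 0, []
    for line in listing.splitlines():
        if line.startswith(":"):  # every packet begins with a ":<type> packet:" line
            m = SIG_RE.match(line)
            issuer, sigclass = (m.group(1) if m else None), 0
        elif primary is None and (m := KEYID_RE.match(line)):
            primary = m.group(1)  # first keyid line belongs to the primary key
        elif issuer is not None and issuer == primary:
            if m := CLASS_RE.search(line):
                sigclass = int(m.group(1), 16)
            if m := DIGEST_RE.search(line):
                found.append((sigclass, HASH_NAMES.get(int(m.group(1)), "other")))
    return found

def weak_only(listing):
    """True when the key has self-signatures and all of them use a weak hash."""
    sigs = self_signatures(listing)
    return bool(sigs) and all(name in WEAK for _, name in sigs)

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(self_signatures(text), "weak only:", weak_only(text))
```

Piping the output of `gpg --list-packets` for an exported public key into the script checks that key; run without piped input, it reports on the constructed sample.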

@binwiederhier commented on GitHub (Feb 1, 2026):

As per the two linked issues and the docs, this is not the official repo anymore. See https://docs.ntfy.sh/install/#debianubuntu-repository


@Tealk commented on GitHub (Feb 1, 2026):

Oh sorry, I somehow missed that thing with the repo; I was probably too focused on the key.
