[GH-ISSUE #1357] Policy will reject signature within a year, see --audit for details #957

Closed
opened 2026-05-07 00:29:06 +02:00 by BreizhHardware · 9 comments

Originally created by @skibbipl on GitHub (May 30, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1357

💡 Idea
New debian apt tightened security for package repositories, current key for https://archive.heckel.io/apt/dists/debian/InRelease will be rejected next year.

```
Warning: https://archive.heckel.io/apt/dists/debian/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://archive.heckel.io/apt/dists/debian/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on CF871F1E8399DAEF470832661D5B8EDFB2476E53 is not bound:
              No binding signature at time 2025-05-30T00:37:18Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
```

💻 Target components
ntfy debian repository https://archive.heckel.io/apt/dists/debian/InRelease

@binwiederhier commented on GitHub (May 30, 2025):

Thanks. I may just have to move to a new repo anyway.

@skibbipl commented on GitHub (May 30, 2025):

Recently debian maintainers packaged ntfy (https://packages.debian.org/sid/ntfy), however they have some issues packaging the GUI part of ntfy. Perhaps you could cooperate with them to properly package ntfy in the default debian repo?

@binwiederhier commented on GitHub (May 30, 2025):

I offered my help yesterday in #1258. I wasn't aware of the GUI issues. I just found this though: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098866; I created these issues:

- https://github.com/binwiederhier/ntfy/issues/1358
- https://github.com/binwiederhier/ntfy/issues/1359

/cc @thekhalifa

@skibbipl commented on GitHub (May 30, 2025):

That's my BR 😄 It would be sweet to have properly packaged ntfy in debian repo ❤

@Offerel commented on GitHub (Aug 18, 2025):

As a workaround, I can manually install ntfy via dpkg. Enabling the third-party repo seems to work. Also, when I extend the SHA1 key date in the debian config (/usr/share/apt/default-sequoia.config), I can't list the third-party repo with apt-cache showpkg ntfy. This only lists Debian's own repo.

Is there some way to use the third-party repo, in favor of the debian repo?

@jniggemann commented on GitHub (Aug 31, 2025):

Underlying cause

Internally, apt uses "Sequoia PGP" to verify signatures, hence the message that /usr/bin/sqv returns an error code in your example above. By default, sqv is configured to accept the (old and broken) SHA1 hash algorithm only until Feb 1st 2026.

How to resolve this issue

There's nothing you can do besides raising awareness for this issue.
This issue can only be resolved by the project team, who need to change their repo signing key to one that does not use SHA1.

How to temporarily suppress this warning until this repo uses another key

To reconfigure sqv, copy /usr/share/apt/default-sequoia.config to /etc/crypto-policies/back-ends/apt-sequoia.config, and change the date in the last line from 2026-02-01 to e.g. 2027-02-01. (more: https://book.sequoia-pgp.org/configuration.html)

Please think about possible implications and do not forget to revert this, once the project team has switched to another key.

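The override described in the comment above, as an added example that is not from the issue, the ntfy project or Debian: a POSIX shell script that produces the /etc/crypto-policies/back-ends/apt-sequoia.config copy with only the SHA1 second-preimage date moved, and rehearses the change on a constructed copy first. The layout of the sample config (a `[hash_algorithms]` table with a `sha1.second_preimage_resistance` key) is an assumption made for the example; the real /usr/share/apt/default-sequoia.config on your system is the source of truth, and the script only rewrites the date on that one line.

```shell
#!/bin/sh
# Added example, not from the issue, the ntfy project or Debian: apply the
# temporary sqv policy override described in the comment above as a
# reviewable dry run. The layout of the sample config below is an assumption
# made for the example; the real /usr/share/apt/default-sequoia.config is the
# source of truth and only its SHA1 second-preimage date is changed.
set -eu

DEFAULT_CFG=/usr/share/apt/default-sequoia.config
OVERRIDE_CFG=/etc/crypto-policies/back-ends/apt-sequoia.config

# Constructed stand-in for the default policy file (sequoia-policy-config
# style TOML; only the sha1 second-preimage line matters for this issue).
make_sample_config() {
    cat > "$1" <<'EOF'
[hash_algorithms]
sha1.collision_resistance = "never"
sha1.second_preimage_resistance = 2026-02-01
EOF
}

# Print the SHA1 second-preimage cutoff date found in a policy file
# (quoted or unquoted value).
sha1_cutoff() {
    sed -n 's/^sha1\.second_preimage_resistance *= *"\{0,1\}\([0-9-]*\)"\{0,1\}.*$/\1/p' "$1"
}

# Copy $1 to $2 with the SHA1 cutoff moved to $3 (YYYY-MM-DD). Every other
# line is copied verbatim, so the override differs from the default in one
# value only and is easy to diff and to revert.
extend_sha1_cutoff() {
    src=$1; dst=$2; newdate=$3
    case "$newdate" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "refusing non-ISO date: $newdate" >&2; return 1 ;;
    esac
    sed "s/^\(sha1\.second_preimage_resistance *= *\"\{0,1\}\)[0-9-]*/\1$newdate/" "$src" > "$dst"
}

# Real use (as root); revert later by removing the override file so apt
# falls back to the packaged default:
#   extend_sha1_cutoff "$DEFAULT_CFG" "$OVERRIDE_CFG" 2027-02-01
#   rm "$OVERRIDE_CFG"
# Dry run on the constructed sample:
tmp=$(mktemp -d)
make_sample_config "$tmp/default.config"
extend_sha1_cutoff "$tmp/default.config" "$tmp/override.config" 2027-02-01
echo "sha1 cutoff before: $(sha1_cutoff "$tmp/default.config"), after: $(sha1_cutoff "$tmp/override.config")"
```

Moving the date only silences the policy; the repository key's binding self-signature is still made with SHA1, which is exactly what sqv is objecting to, so the override should be removed as soon as the repository is signed with a key whose binding signatures use a modern hash (the thread below shows the project moving to a new repository for that reason).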
@binwiederhier commented on GitHub (Sep 23, 2025):

WIP: https://github.com/binwiederhier/ntfy-ansible/pull/5/files

Can be tried out here: https://archive.ntfy.sh/apt/ (test server, will be replaced)

@binwiederhier commented on GitHub (Sep 24, 2025):

Done

- https://github.com/binwiederhier/ntfy-ansible/pull/5
- https://archive.ntfy.sh/apt/
- https://docs.ntfy.sh/install/#debianubuntu-repository

@skibbipl commented on GitHub (Sep 24, 2025):

@binwiederhier I would also update the documentation with:

  1. Convert the debian sources to deb822 format (https://repolib.readthedocs.io/en/latest/deb822-format.html). It is used in trixie.
  2. apt-transport-https is a transitional package and is not needed anymore; apt already supports https.

Also everything works as expected.

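The deb822 conversion suggested in the comment above, as an added example that is not from the issue or the ntfy project: a POSIX shell function that turns a classic one-line `deb [opts] URI suite components` entry into a deb822 stanza, carrying the `signed-by` and `arch` options across. The sample input line is constructed; the repository URL and the `debian` suite are the ones shown in the issue, while the keyring path /etc/apt/keyrings/ntfy.gpg and the `main` component are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the issue or the ntfy project: convert a one-line
# apt source entry into the deb822 stanza format recommended in the comment
# above. The sample line is constructed; the keyring path and the "main"
# component are assumptions, the URL and "debian" suite come from the issue.
set -eu

# Print the deb822 stanza for one "deb [opts] URI suite components..." line.
# Handles the options that matter for a third-party repo: signed-by and arch.
sources_line_to_deb822() {
    # Word-split the line; a sources line contains no glob characters, so
    # plain field splitting is safe here.
    set -- $1
    case "$1" in
        deb|deb-src) ;;
        *) echo "not a deb/deb-src line" >&2; return 1 ;;
    esac
    types=$1; shift
    # Collect everything inside [...]; the option list may contain spaces,
    # so keep consuming words until one ends the bracket.
    opts=""
    case "$1" in
        \[*)
            while :; do
                [ $# -gt 0 ] || { echo "unterminated [ in options" >&2; return 1; }
                w=$1; shift
                opts="$opts ${w#\[}"
                case "$w" in *\]) break ;; esac
            done
            opts=${opts%\]}
            ;;
    esac
    uri=$1; suite=$2; shift 2
    printf 'Types: %s\nURIs: %s\nSuites: %s\nComponents: %s\n' "$types" "$uri" "$suite" "$*"
    for kv in $opts; do
        case "$kv" in
            signed-by=*) printf 'Signed-By: %s\n' "${kv#signed-by=}" ;;
            arch=*)      printf 'Architectures: %s\n' "$(echo "${kv#arch=}" | tr ',' ' ')" ;;
        esac
    done
}

# Constructed entry in the old /etc/apt/sources.list.d/*.list style.
OLD_LINE='deb [arch=amd64 signed-by=/etc/apt/keyrings/ntfy.gpg] https://archive.heckel.io/apt debian main'

# The https transport is built into current apt, so apt-transport-https is
# not needed; write the stanza to a .sources file instead of a .list file:
#   sources_line_to_deb822 "$OLD_LINE" > /etc/apt/sources.list.d/ntfy.sources
sources_line_to_deb822 "$OLD_LINE"
```

The `Signed-By:` field is the part worth keeping an eye on: a deb822 stanza without it falls back to the system-wide trusted keyrings, whereas binding the repository to one keyring file limits what a compromised third-party key can sign for.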