Debian repository signing key uses SHA1, will be rejected by apt policy in February 2026 #1908

@Alvin-Zilverstand

Description

The NodeSource APT repository for Debian is using a GPG signing key with SHA1 hashing, which is being flagged by apt's security policy and will be rejected starting February 1, 2026.

Environment

  • Distribution: Debian Trixie (testing)
  • Repository: https://deb.nodesource.com/node_20.x
  • Node.js version: 20.19.6-1nodesource1
  • Date: December 24, 2025

Current Behavior

When running apt update --audit, the following warning and audit messages appear:

Warning: https://deb.nodesource.com/node_20.x/dists/nodistro/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://deb.nodesource.com/node_20.x/dists/nodistro/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 6F71F525282841EEDAF851B42F59B5F99B1BE0B4 is not bound:
              No binding signature at time 2025-12-04T19:30:50Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Expected Behavior

The repository signing key should use a modern hashing algorithm (SHA256 or stronger) that complies with current APT security policies.

Impact

  • Current: Repository still functions but generates security warnings
  • After February 1, 2026: APT will reject the repository signature, preventing package installations and updates

Affected Key

  • Key ID: 6F71F525282841EEDAF851B42F59B5F99B1BE0B4
  • Issue: Uses SHA1 for binding signatures

Suggested Solution

Please update the repository signing key to use SHA256 or SHA512 hashing algorithms to ensure compatibility with modern APT security policies.

Additional Context

This affects all users on Debian systems (and potentially Ubuntu) using the NodeSource repositories. The deadline is approaching in approximately two months.

Workaround

Users can temporarily ignore the warning or switch to alternative Node.js installation methods (nvm, official Debian packages, etc.), but an official fix would be preferred to maintain the repository's reliability.
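A check for the condition in this report, added here as an example that is not from the issue or from NodeSource: it walks the OpenPGP packets of a binary (dearmored) keyring and lists key-binding signatures made with SHA1 or another weak hash, which is what sqv is objecting to above. The sample keyring bytes are constructed; pass a real keyring file path as the first argument to scan it instead.

```python
import sys
# Hash algorithm ids (RFC 4880 numbering) treated as weak here: MD5, SHA1, RIPEMD160.
WEAK_HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}
# Signature types that bind user IDs or subkeys to the primary key (self-signatures).
BINDING_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
                 0x12: "CasualCertification", 0x13: "PositiveCertification",
                 0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey"}

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old and new header formats."""
    i = 0
    while i < len(data):
        first = data[i]
        if first & 0x40:  # new-format header: tag in low 6 bits, variable-size length
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 2-5, length-octet count in bits 0-1
            tag, ltype = (first >> 2) & 0x0F, first & 3
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def weak_binding_signatures(data):
    """Return [(signature_type, hash_name)] for binding signatures made with a weak hash."""
    found = []
    for tag, body in iter_packets(data):
        if tag != 2 or len(body) < 4 or body[0] < 4:
            continue  # only v4+ signature packets carry the hash id at offset 3
        sig_type, hash_id = body[1], body[3]
        if sig_type in BINDING_TYPES and hash_id in WEAK_HASHES:
            found.append((BINDING_TYPES[sig_type], WEAK_HASHES[hash_id]))
    return found

# Constructed sample: a SHA1 positive certification followed by a SHA256 subkey binding.
SAMPLE_KEYRING = bytes([0xC2, 4, 4, 0x13, 1, 2]) + bytes([0xC2, 4, 4, 0x18, 1, 8])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    for sig_type, hash_name in weak_binding_signatures(data):
        print(f"{sig_type} signature uses {hash_name}")
```

Armored keys need `gpg --dearmor` first; the signatures this reports are the self-signatures the key owner has to re-issue with SHA256 or stronger for apt to keep accepting the repository.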