Debian 13 repo issue

[wooque]

Describe your bug
In the upcoming Debian 13, running apt update will show warning about nodesource repo:

Warning: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will reject signature within a year, see --audit for details

Running apt update --audit with more details:

Audit: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 6F71F525282841EEDAF851B42F59B5F99B1BE0B4 is not bound:
              No binding signature at time 2025-05-21T16:29:47Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Distribution Information:

• OS: Debian
• Version 13
• Other info if applicable [e.g. Docker image XXX, AWS AMI ID]

Node Version:

• Node: 22

To Reproduce
Steps to reproduce the behavior:
Dockerfile:

FROM debian:trixie-slim

RUN apt-get update && apt-get install -y curl
RUN curl -fsSL https://deb.nodesource.com/setup_22.x -o nodesource_setup.sh
RUN bash nodesource_setup.sh
RUN apt update && sleep 100

Expected behavior
No warning messages

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here, specify if already has another NodeJS version or if trying to re-install the current version.

[tpalejo]

The scenario was reproduced in a Docker environment running Debian 13:

root@e0fe30789c53:/# apt update --audit
Hit:1 http://deb.debian.org/debian trixie InRelease
Hit:2 http://deb.debian.org/debian trixie-updates InRelease
Hit:3 https://deb.nodesource.com/node_22.x nodistro InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
15 packages can be upgraded. Run 'apt list --upgradable' to see them.
Warning: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 6F71F525282841EEDAF851B42F59B5F99B1BE0B4 is not bound:
No binding signature at time 2025-05-21T16:29:47Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: The sources.list(5) entry for 'https://deb.nodesource.com/node_22.x' should be upgraded to deb822 .sources

Identified Issues
During the simulation, the following issues were identified:

The GPG key used by NodeSource does not have a binding signature, which is now required by Sequoia-PGP, the new cryptographic validator used by APT in Debian 13.

The PGP signature is made using SHA1, which:

Is no longer considered secure for cryptographic use

Will be officially marked as insecure by Debian starting February 1, 2026

Triggers advance warnings (such as this one in 2025) to help avoid future issues

The .InRelease file from the NodeSource repository does not comply with modern security policy standards.

Root Causes
Missing binding signature on the signing key

Use of the outdated SHA1 algorithm

Lack of support for the deb822 format

Recommended Solution for Debian 13 Compatibility
To comply with Debian 13’s modern security standards, the repository should:

Use modern signing keys (e.g., ed25519, rsa4096)

Generate signatures using SHA256 or stronger, and include binding signatures

Provide repository metadata in the deb822 format

[MahdiAkrami01]

+1

[chn42]

Release date has been published for 2025-08-09

[awirooks]

Is it possible to get the new public key before the repo signature is changed?
We did this with our internal debian repository. We first populated a keyfile with both keys in our internal docker images, on our servers, etc. When we changed the key in the repo nothing happended because both were accepted. And later we removed the old keys in images and on servers.

[rroesch1]

fyi: i guess you can create a new public key file based on the existing key with new key signature (not based on SHA-1). This way existing setups do not have to import the new key file. Only new installations based on Trixie need the public key.

@neverpanic described this procedure in a blog article

[neverpanic]

gpg --cert-digest-algo SHA256 --quick-set-expire "$keyid" 0

will also do the trick without editing the key interactively. Patches have been added to some users of sequoia to no longer require the backdating of the self-signature, but I'm not sure whether Debian has them, so it's probably safest to just use the fake time, too.

See microsoft/linux-package-repositories#47 (comment).

Alternatively, Microsoft found it easier to re-create a PGP public key from the existing private key in an HSM, which will give you the same OpenPGP key ID (and therefore preserve the validity of existing signatures) if you make sure to re-use the key creation date of the old key.

[kevdogg]

Or should nodesource just release a new gpg key with update hash?

[anyone2k15]

Will there be an update about this issue? Looks like just a problem easy to solve.

[telemaxx]

+=1

[pro-sumer]

On October 2 (2025) the Raspberry Pi team released the Trixie (Debian 13) version of Raspberry Pi OS, so now there's a whole new group of people that run into this issue.

https://www.raspberrypi.com/news/trixie-the-new-version-of-raspberry-pi-os