Gluster apt repo broken for Debian 13/Trixie due to insecure SHA1 signature #62

@srstsavage

Description

The Gluster apt repository is broken for Debian 13/Trixie due to the use of an SHA1 signature.

$ cat /etc/apt/sources.list.d/gluster.list 
deb [arch=amd64 signed-by=/etc/apt/keyrings/gluster.asc] https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie main
$ sudo apt update
Hit:1 http://security.debian.org/debian-security trixie-security InRelease
Hit:2 http://ftp.us.debian.org/debian trixie InRelease                                           
Hit:3 http://ftp.us.debian.org/debian trixie-updates InRelease                                          
Get:4 https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease [2,101 B]
Err:4 https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on F9C958A3AEE0D2184FAD1CBD43607F0DC2F8238C is not bound:            No binding signature at time 2023-11-08T14:04:10Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: OpenPGP signature verification failed: https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on F9C958A3AEE0D2184FAD1CBD43607F0DC2F8238C is not bound:            No binding signature at time 2023-11-08T14:04:10Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'https://download.gluster.org/pub/gluster/glusterfs/LATEST/Debian/trixie/amd64/apt trixie InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

See related issue gluster/glusterfs#4607

As a temporary workaround, sysadmins can extend the date at which SHA1 signatures will be considered invalid by creating an override file at /etc/crypto-policies/back-ends/apt-sequoia.config and assigning sha1.second_preimage_resistance in [hash_algorithms] a future date, for example:

[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048  = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2027-02-01
sha224 = 2026-02-01

[packets]
signature.v3 = 2026-02-01

or by editing /usr/share/apt/default-sequoia.config directly.
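An added audit helper (not part of this issue, nor of apt or Sequoia) that parses the policy format shown above and reports which cutoffs an override pushes later than the stock defaults and which cutoffs are already in force on a given date, so the extended SHA1 date is visible and its expiry does not surprise anyone. The default-config text it embeds is constructed for the example, not copied from a real host.

```python
# Parses the INI-style apt-sequoia policy files shown above ("[section]"
# headers and "name = YYYY-MM-DD" cutoffs) so an override can be audited.
from datetime import date

# CONSTRUCTED stand-in for /usr/share/apt/default-sequoia.config (read the real file on a host).
DEFAULT_CONFIG = """\
[hash_algorithms]
sha1.second_preimage_resistance = 2026-02-01
sha224 = 2026-02-01
"""

# The override from the issue: SHA1 second-preimage cutoff pushed out a year.
OVERRIDE_CONFIG = """\
[hash_algorithms]
sha1.second_preimage_resistance = 2027-02-01
sha224 = 2026-02-01
"""


def parse_policy(text):
    """Return {section: {name: cutoff date}} for one policy file."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = policy.setdefault(line[1:-1], {})
            continue
        name, sep, value = line.partition("=")
        if section is None or not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        section[name.strip()] = date.fromisoformat(value.strip())
    return policy


def weakened_entries(default, override):
    """(section, name, default cutoff, override cutoff) for every cutoff the
    override pushes later than the default, i.e. where the policy was loosened."""
    return [(s, n, default[s][n], c)
            for s, entries in override.items()
            for n, c in entries.items()
            if n in default.get(s, {}) and c > default[s][n]]


def rejected_on(policy, when):
    """Sorted (section, name) pairs whose cutoff has been reached on `when`."""
    return sorted((s, n) for s, e in policy.items()
                  for n, c in e.items() if c <= when)
```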
