Signature Packet v3 is not considered secure

Hey team,

hope you are well!

With Debian 13 Trixie, I do get this error with our proget repo:

Warnung: https://proget.<reponame>/debian/<feedname>/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://proget.zollsoft.de/debian/deb-proxmox/dists/bookworm/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Error: Policy rejected packet type
Caused by:
Signature Packet v3 is not considered secure since 2026-02-01T00:00:00Z

I've read some git and reddit threads about the issue, but marking the repo as trusted and allow_insecure doesn't solve the issue for me really. At https://tracker.debian.org/pkg/apt I might have missed information about it. So checking in with you guys, if you are aware of this.

Many thanks,
Frank

Hey Alana,

thank you very much. Maybe this is some issue with our setup then. I will further check and investigate on our side first. :)

Best,
Frank

Hey Team,

when developing and testing Debian packages, I sometimes do not increase the version of the package for testing as this sometimes unneccessarily makes version increments higher than needed.

Our internal repo is replicated to an external repo from which most machines download their packages.

I stumbled accross the issue, that the package is uploaded by me to the internal repo, but it is not getting replicated to the external one, if I do not increase the version.

Can the replication be extended to check for a different timestamp / hash value, so packages will be replicated even if their version is the same, but the timestamp is newer, the hash value has changed?

Many thanks!
Frank

Hey Alana,

sorry for the late response!

And thank you for the update. You are totally right, this will not happen often, even rare, so I think we can work with this solution. :)

Have a great day,
Frank

Hey Alana,

thank you for the reply.

Our security team is asking to be able to revoke public keys and swap them out as a preventive action or in case of bad things that might happen.

While you are right, that SSL/HTTPS does secure the connection to a server, I haven't heard of signing repos is deprecated.

It ensures (besides the SSL/HTTPS) that the packages downloaded are eligible and verified for installation from the configured repo.

If this is not supported, then that's the way it is, although being able to upload a custom signing key would be a great feature. ;)

Have a great day,
Frank

Dear Support,

we are having our feeds for debian configured and they are running fine, but we are thinking about a possibility to be able to swap the automatically generated key.

In the admin settings we could not find a way to swap the key used for the repo and signing the packages to a custom one.

Does such an option exist?

Is there maybe an API to swap a signing key for a feed / repo, which can be used by CI/CD?

Many thanks!
Frank

Thank you for taking time to sort this out with me!

I greatly appreciate your efforts and will be happy, if this works out well. :)

Hey Alana,

that is a good question, why neither you nor other users ran into this issue.
I'm wondering what might be different with my setup. So I was trying with a fresh / unaltered
Debian 12 VM with the netinst.iso, but have the same issue there.

The Packages-file I refer to is the ""Packages" Indices" from your referenced documentation:
https://wiki.debian.org/DebianRepository/Format#A.22Packages.22_Indices

I've read through this and more of Debians docs, but there is no explicit statement that entries in that file have to be seperated by an additional newline. All I could find is
"Each stanza shall begin with a "Package" field. Clients may also accept files where this is not the case."

It is only a small thing, which I fix by running this command to alter the Packages indices file from ProGet:

sed -i 's/Package:/\nPackage:/g' /var/lib/apt/lists/proget.hostname.domain_debian_tomedo-test_dists_bookworm_main_binary-amd64_Packages

which adds a newline between each Package entry.

If we look at the Packages indices provided by Debian itself, it looks like this for example:

root@myhost# less /var/lib/apt/lists/ftp.de.debian.org_debian_dists_bookworm_main_binary-amd64_Packages

Package: 0ad
Version: 0.0.26-3
Installed-Size: 28591
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Architecture: amd64
Depends: 0ad-data (>= 0.0.26), 0ad-data (<= 0.0.26-3), 0ad-data-common (>= 0.0.26), 0ad-data-common (<= 0.0.26-3), libboost-filesystem1.74.0 (>= 1.74.0), libc6 (>= 2.34), libcurl3-gnutls (>= 7.32.0), libenet7, libfmt9 (>= 9.1.0+ds1), libfreetype6 (>= 2.2.1), libgcc-s1 (>= 3.4), libgloox18 (>= 1.0.24), libicu72 (>= 72.1~rc-1~), libminiupnpc17 (>= 1.9.20140610), libopenal1 (>= 1.14), libpng16-16 (>= 1.6.2-1), libsdl2-2.0-0 (>= 2.0.12), libsodium23 (>= 1.0.14), libstdc++6 (>= 12), libvorbisfile3 (>= 1.1.2), libwxbase3.2-1 (>= 3.2.1+dfsg), libwxgtk-gl3.2-1 (>= 3.2.1+dfsg), libwxgtk3.2-1 (>= 3.2.1+dfsg-2), libx11-6, libxml2 (>= 2.9.0), zlib1g (>= 1:1.2.0)
Pre-Depends: dpkg (>= 1.15.6~)
Description: Real-time strategy game of ancient warfare
Homepage: https://play0ad.com/
Description-md5: d943033bedada21853d2ae54a2578a7b
Tag: game::strategy, interface::graphical, interface::x11, role::program,
 uitoolkit::sdl, uitoolkit::wxwidgets, use::gameplaying,
 x11::application
Section: games
Priority: optional
Filename: pool/main/0/0ad/0ad_0.0.26-3_amd64.deb
Size: 7891488
MD5sum: 4d471183a39a3a11d00cd35bf9f6803d
SHA256: 3a2118df47bf3f04285649f0455c2fc6fe2dc7f0b237073038aa00af41f0d5f2

Package: 0ad-data
Version: 0.0.26-1
Installed-Size: 3218736
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Architecture: all
Pre-Depends: dpkg (>= 1.15.6~)
Suggests: 0ad
Description: Real-time strategy game of ancient warfare (data files)
Homepage: https://play0ad.com/
Description-md5: 26581e685027d5ae84824362a4ba59ee
Tag: role::app-data
Section: games
Priority: optional
Filename: pool/main/0/0ad-data/0ad-data_0.0.26-1_all.deb
Size: 1377557908
MD5sum: fc5ed8a20ce1861950c7ed3a5a615be0
SHA256: 53745ae74d05bccf6783400fa98f3932b21729ab9d2e86151aa2c331c3455178

For the file provided by ProGet the output is this per default:
less /var/lib/apt/lists/proget.hostname.domain_debian_tomedo-test_dists_bookworm_main_binary-amd64_Packages

Package: tomedo-kim
Version: 0.2-1
Section: tomedo
Priority: optional
Architecture: amd64
Maintainer: Zollsoft GmbH <info@zollsoft.de>
Description: Installs KIM systemd service
Filename: pool/bookworm/main/amd64/tomedo-kim/tomedo-kim_0.2-1_amd64.deb
Size: 219494592
MD5sum: 6ef854e2dce4eb1e6dc29e6d6da126b2
SHA1: bffec83a97bd415dad18b9b71a0d5f96ed9633e7
SHA256: 542bede9a9c243da34d2977ede4ee3c8f3aada81343f18d5d405fcc4acf4c8fb
SHA512: 91334edf6770f218aadcc73ea4a0c76fd4fe4ed365b758a572fcf386ffc82eb063b42e7b98837181cfec05142b4c16a042f7f9455190541227f65dff99f25d76
Package: tomedo-nginx
Version: 1.1-1
Section: tomedo
Priority: optional
Architecture: amd64
Pre-Depends: nginx-full, tomedo-certificates, netcat-openbsd
Maintainer: Zollsoft GmbH <info@zollsoft.de>
Description: Installs nginx web server which acts as a proxy for other web services
Filename: pool/bookworm/main/amd64/tomedo-nginx/tomedo-nginx_1.1-1_amd64.deb
Size: 20672
MD5sum: 3c39f4ed47edb8e94509ba4264bcd789
SHA1: 3e25a5d5be57115941ecb53fd26a7dcfe21fd5ce
SHA256: 351b02c1b4e16da5ad4a2f5f476b90d63954551929eb9c1b8e42b5a494746bc6
SHA512: 5d2e356ce7fe5dbe8adb1cf10f3d67bd316ce6cae57f11e87275fe5996aff0a7be3541d1598aaf736ce7e74042a6a4b3d266c161886e548ea6739f289ec856c0

There is no newline / empty line between the two package definitions.
Changing this with the above sed command I alter it to:

Package: tomedo-kim
Version: 0.2-1
Section: tomedo
Priority: optional
Architecture: amd64
Maintainer: Zollsoft GmbH <info@zollsoft.de>
Description: Installs KIM systemd service
Filename: pool/bookworm/main/amd64/tomedo-kim/tomedo-kim_0.2-1_amd64.deb
Size: 219494592
MD5sum: 6ef854e2dce4eb1e6dc29e6d6da126b2
SHA1: bffec83a97bd415dad18b9b71a0d5f96ed9633e7
SHA256: 542bede9a9c243da34d2977ede4ee3c8f3aada81343f18d5d405fcc4acf4c8fb
SHA512: 91334edf6770f218aadcc73ea4a0c76fd4fe4ed365b758a572fcf386ffc82eb063b42e7b98837181cfec05142b4c16a042f7f9455190541227f65dff99f25d76

Package: tomedo-nginx
Version: 1.1-1
Section: tomedo
Priority: optional
Architecture: amd64
Pre-Depends: nginx-full, tomedo-certificates, netcat-openbsd
Maintainer: Zollsoft GmbH <info@zollsoft.de>
Description: Installs nginx web server which acts as a proxy for other web services
Filename: pool/bookworm/main/amd64/tomedo-nginx/tomedo-nginx_1.1-1_amd64.deb
Size: 20672
MD5sum: 3c39f4ed47edb8e94509ba4264bcd789
SHA1: 3e25a5d5be57115941ecb53fd26a7dcfe21fd5ce
SHA256: 351b02c1b4e16da5ad4a2f5f476b90d63954551929eb9c1b8e42b5a494746bc6
SHA512: 5d2e356ce7fe5dbe8adb1cf10f3d67bd316ce6cae57f11e87275fe5996aff0a7be3541d1598aaf736ce7e74042a6a4b3d266c161886e548ea6739f289ec856c0

which then works fine.

For all files provided by Debian there is this additional empty line between packages.
This is another one for example:
less /var/lib/apt/lists/ftp.debian.org_debian_dists_bookworm-backports_contrib_binary-amd64_Packages

Package: diaspora-installer
Version: 0.7.18.2+debian3~bpo12+1
Installed-Size: 111
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Architecture: all
Replaces: diaspora
Depends: build-essential, diaspora-common (= 0.7.18.2+debian3~bpo12+1), ghostscript, imagemagick, libcurl4-openssl-dev, libffi-dev, libmagickwand-dev, libpq-dev, libruby3.1, libssl-dev, libxml2-dev, libxslt-dev, rsync, ruby-bundler, ruby-dev, ruby-http-parser, tzdata, wget, zlib1g-dev
Conflicts: diaspora, libruby2.7
Description: distributed social networking service - installer
Homepage: https://wiki.debian.org/Diaspora
Description-md5: 120c7fb469648e6eb3e942926e8b1ea0
Section: contrib/net
Priority: optional
Filename: pool/contrib/d/diaspora-installer/diaspora-installer_0.7.18.2+debian3~bpo12+1_all.deb
Size: 21584
SHA256: f71649c6221b647dca57e7c8e9c045a4544a08103e48714d28465d545a1139c9

Package: diaspora-installer-mysql
Source: diaspora-installer
Version: 0.7.18.2+debian3~bpo12+1
Installed-Size: 12
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Architecture: all
Depends: dbconfig-mysql | dbconfig-no-thanks, default-libmysqlclient-dev, default-mysql-server | virtual-mysql-server, diaspora-installer (= 0.7.18.2+debian3~bpo12+1)
Description: distributed social networking service - installer (with MySQL)
Homepage: https://wiki.debian.org/Diaspora
Description-md5: c18a155ca94ebb0900ab3ea2aa77e4b9
Section: contrib/ruby
Priority: optional
Filename: pool/contrib/d/diaspora-installer/diaspora-installer-mysql_0.7.18.2+debian3~bpo12+1_all.deb
Size: 4852
SHA256: 05e50f43d84a1cbff57c4019d867d6677007d1307f9202f6005a117192f40a70

I will further investigate to find out why this seems to work for you and others but not for me, but I think having that additional seperation between packages is not a bad thing, as it follows the (likely undocumented) format for Packages indices more strictly and prevents issues (maybe only for me 8).

Many thanks,
Frank

Hey Alana,

thank you, but I would take aptly out of the bill here, as I just use it to build the deb-packages.
Those are then uploaded to the ProGet-Debian-Feed per curl.

The Packages-files is provided by ProGet not aptly? As soon as the deb-Packages are build, aptly's job is done. The rest is handled by ProGet. It builds the InRelease and Packages file, which apt then downloads per apt update from the ProGet-Endpoint, that is configured on the client system per "Integrate with apt" instructions:

wget -O "testfeed.gpg" https://proget.<hostname>/debian/tomedo-test/keys/testfeed.asc && sudo apt-key add "testfeed.gpg"

echo "deb https://proget.<hostname>/debian/tomedo-test/ bookworm main" | sudo tee "/etc/apt/sources.list.d/proget-tomedo-test.list"

I don't think aptly interferes with anything here? My aptly is a different machine hosting the deb-packages source and only used for that purpose. There is besides the curl upload to the feed no connection between proget and aptly.

Many thanks,
Frank

Hey everyone,

we are using Version 2023.32 (Build 3) of ProGet with the new Debian feeds and I came across an issue with apt-cache not being able to find all packages I uploaded to the feed.

There are a total of 31 packages in the feed, but when looking for them with apt-cache search <string> only two showed up in the output.

So I investigated where and why and after looking into the
proget.<hostname>_debian_debian-test_dists_bookworm_main_binary-amd64_Packages
file and compared that with the one I for example got from my aptly repo, I saw that there are no spaces / newlines between packages. I manually edited the file, created a newline between each package and now apt-cache finds the packages.

Is this some bug? All other Packages-files in the /var/lib/apt/lists folder do have that convention to seperate package information with an additional newline.

Many thanks,
Frank