prahal
1 month ago
New member | Level 2
Dropbox apt infrastructure relying on unsecure SHA1
When one updates their software list with apt, on Debian Trixie at least, one gets this error: Err:13 http://linux.dropbox.com/debian sid InRelease Sub-process /usr/bin/sqv returned an error code (1), ...
eRQee
1 month ago
New member | Level 2
Recently I found a workaround: just "borrow" the new keyring from Dropbox Fedora.
```
curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc | sudo tee /usr/share/keyrings/dropbox.asc > /dev/null
```
Then update your source list (typically at /etc/apt/sources.list.d/dropbox.list) to use that keyring.
```
Types: deb
URIs: http://linux.dropbox.com/debian/
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/dropbox.asc
```
Now you'll be able to update Dropbox to the recent version.
Pariah_Zero
29 days ago
New member | Level 2
```
curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc | sudo tee /usr/share/keyrings/dropbox.asc > /dev/null
```
It's worth noting: Many guides mention using `gpg --dearmor <key>` on `dropbox.asc`.
This then creates `dropbox.gpg`, and it doesn't work, because the SHA2 signature is apparently removed.
You can check this by using `gpg --list-packets dropbox.asc`, which will show:
```
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
    version 4, algo 1, created 1265928625, expires 0
    pkey[0]: [2048 bits]
    pkey[1]: [17 bits]
    keyid: FC918B335044912E
# off=272 ctb=b4 tag=13 hlen=2 plen=49
:user ID packet: "Dropbox Automatic Signing Key <linux@dropbox.com>"
# off=323 ctb=89 tag=2 hlen=3 plen=310
:signature packet: algo 1, keyid FC918B335044912E
    version 4, created 1265928625, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 2f f3
    hashed subpkt 2 len 4 (sig created 2010-02-11)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
    hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
    hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    subpkt 16 len 8 (issuer key ID FC918B335044912E)
    data: [2044 bits]
# off=636 ctb=89 tag=2 hlen=3 plen=401
:signature packet: algo 1, keyid FC918B335044912E
    version 4, created 1766521393, md5len 0, sigclass 0x13
    digest algo 8, begin of digest c2 de
    critical hashed subpkt 2 len 4 (sig created 2025-12-23)
    hashed subpkt 11 len 3 (pref-sym-algos: 9 8 7)
    hashed subpkt 16 len 8 (issuer key ID FC918B335044912E)
    hashed subpkt 20 len 70 (notation: salt@notations.sequoia-pgp.org=[not human readable])
    hashed subpkt 21 len 1 (pref-hash-algos: 8)
    hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 33 len 21 (issuer fpr v4 1C61A2656FB57B7E4DE0F4C1FC918B335044912E)
    data: [2047 bits]
```
On line 12, you'll note `digest algo 2` - which translates to SHA1. (I assume `digest algo 1` is md5, but 🤷‍♂️)
Line 25 has `digest algo 8`, which indicates SHA256, and `digest algo 10` indicates SHA512.
If you do the `gpg --dearmor` step, the second signature packet is removed (at least with the default options).
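An added example, not part of either post: a shell function that pulls the digest algorithm of every signature packet out of `gpg --list-packets` output, so a keyring file can be checked for a SHA-2 signature before and after a conversion step such as `gpg --dearmor`. The function names `sig_digests`, `has_sha2_sig` and `sample_packets` are illustrative, and the sample input is constructed from the listing quoted above.

```sh
# Added example (not from the thread): reads `gpg --list-packets` output on
# stdin, prints "<sig created> <digest algo id> <name> <ok|weak>" per signature.
sig_digests() {
    awk '
    function flush() {
        if (algo != "") {
            n = (algo in name) ? name[algo] : "unknown"
            print created, algo, n, ((algo in sha2) ? "ok" : "weak")
        }
        algo = ""
    }
    BEGIN {
        # OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
        name[1] = "MD5"; name[2] = "SHA1"; name[3] = "RIPEMD160"; name[11] = "SHA224"
        name[8] = "SHA256"; name[9] = "SHA384"; name[10] = "SHA512"
        # Anything outside the SHA-2 family is reported as weak
        sha2[8] = sha2[9] = sha2[10] = sha2[11] = 1
    }
    # A line starting with ":" opens a new packet, so emit the previous one
    /^:/ { flush(); insig = ($0 ~ /^:signature packet:/); created = "?"; next }
    insig && match($0, /digest algo [0-9]+/) {
        algo = substr($0, RSTART + 12, RLENGTH - 12)
    }
    insig && /\(sig created / {
        created = $0
        sub(/.*\(sig created /, "", created); sub(/\).*/, "", created)
    }
    END { flush() }
    '
}
# Succeeds only if at least one signature packet uses a SHA-2 digest.
has_sha2_sig() { sig_digests | grep -q ' ok$'; }

# Constructed sample: digest-relevant lines of the listing quoted in the thread.
sample_packets() {
    cat <<'EOF'
:public key packet:
:user ID packet: "Dropbox Automatic Signing Key <linux@dropbox.com>"
:signature packet: algo 1, keyid FC918B335044912E
    version 4, created 1265928625, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 2f f3
    hashed subpkt 2 len 4 (sig created 2010-02-11)
:signature packet: algo 1, keyid FC918B335044912E
    version 4, created 1766521393, md5len 0, sigclass 0x13
    digest algo 8, begin of digest c2 de
    critical hashed subpkt 2 len 4 (sig created 2025-12-23)
EOF
}
sample_packets | sig_digests
```

Against a real file, pipe the listing in directly: `gpg --list-packets dropbox.asc | sig_digests`, and use `has_sha2_sig` the same way when only a pass/fail result is needed.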