We're making some changes to the Dropbox Community 👩💻 - Find out more here.
Forum Discussion
Solved
Dropbox apt infrastructure relying on unsecure SHA1
When one update its software list with apt on Debian Trixie at least, he gets this error:
Err:13 http://linux.dropbox.com/debian sid InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound: No binding signature at time 2026-01-16T19:39:14Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
(...)
Warning: OpenPGP signature verification failed: http://linux.dropbox.com/debian sid InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound: No binding signature at time 2026-01-16T19:39:14Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'http://linux.dropbox.com/debian sid InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.
Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.
This issue was already reported in an unrelated apt issue thread (now closed for replies) in
https://www.dropboxforum.com/discussions/101001016/openpgp-signature-verification-failed-with-debian-trixie-/835761/replies/842767
by steinarb
Looks like you're signing with SHA1 and that will be forbidden by debian APT policy in a year from now.
at which it was replied that Debian Trixie is not officially supported...
But the support tells
- Ubuntu 64 bits : 18.04 ou version ultérieure
please see the process to switch to SHA256 in (there might be better options since because this process is from 2016):
https://github.com/mxe/mxe-apt/issues/2
and this page tells that the support for SHA1 was removed in Ubuntu in release 16.04
and
https://wiki.debian.org/Teams/Apt/Sha1Removal
tells that dropbox switched to SHA256 long ago.
I believe that recently one of your admin switched back your apt repository signing to SHA1 which is broken on Debian Trixie but also on all Ubuntu above 16.04 so this bug lies in your "offical support".
Cheers
7 Replies
Neal your fix worked. Indeed from https://www.dropbox.com/fr/install-linux I reinstalled the Ubuntu 22.10 and newer deb (24th of March 2026) on Debian Forky and this issue about obsolete SHA1 apt repo is fixed.
(the current deb is
https://www.dropbox.com/download?dl=packages/ubuntu/dropbox_2026.01.15_amd64.deb)
The workaround worked for me as well on debian 13.3 "trixie", amd64.
Here is what I did
Found that /etc/apt/sources.list.d/dropbox.list had signed-by=/etc/apt/keyrings/dropbox.asc
deb [arch=i386,amd64 signed-by=/etc/apt/keyrings/dropbox.asc] http://linux.dropbox.com/debian trixie mainMoved away existing /etc/apt/keyrings/dropbox.asc
mv /etc/apt/keyrings/dropbox.asc /etc/apt/keyrings/dropbox.asc.backupDownloaded the fedora signing key and put it in the place of the old dropbox.asc
curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc >/etc/apt/keyrings/dropbox.ascTried "apt update" which now ran without error messages
root@marquez:~# apt update Hit:1 http://deb.debian.org/debian stable-backports InRelease Hit:2 http://security.debian.org/debian-security stable-security InRelease Ign:3 https://repo.vivaldi.com/stable/deb stable InRelease Hit:4 https://repo.vivaldi.com/stable/deb stable Release Hit:6 https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/bullseye pgadmin4 InRelease Hit:7 http://ftp.no.debian.org/debian stable InRelease Hit:8 http://ftp.no.debian.org/debian stable-updates InRelease Hit:9 https://dbeaver.io/debs/dbeaver-ce InRelease Hit:10 http://linux.dropbox.com/debian trixie InRelease All packages are up to date. root@marquez:~#curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc | sudo tee /usr/share/keyrings/dropbox.asc > /dev/null
It's worth noting: Many guides mention using `gpg --dearmor <key>` on `dropbox.asc`.
This then creates `dropbox.gpg`, and it doesn't work, because the SHA2 signature is apparently removed.
(You can check this by using `gpg --list-packets dropbox.asc`
which will show:# off=0 ctb=99 tag=6 hlen=3 plen=269 :public key packet: version 4, algo 1, created 1265928625, expires 0 pkey[0]: [2048 bits] pkey[1]: [17 bits] keyid: FC918B335044912E # off=272 ctb=b4 tag=13 hlen=2 plen=49 :user ID packet: "Dropbox Automatic Signing Key <linux@dropbox.com>" # off=323 ctb=89 tag=2 hlen=3 plen=310 :signature packet: algo 1, keyid FC918B335044912E version 4, created 1265928625, md5len 0, sigclass 0x13 digest algo 2, begin of digest 2f f3 hashed subpkt 2 len 4 (sig created 2010-02-11) hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2) hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3) hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (keyserver preferences: 80) subpkt 16 len 8 (issuer key ID FC918B335044912E) data: [2044 bits] # off=636 ctb=89 tag=2 hlen=3 plen=401 :signature packet: algo 1, keyid FC918B335044912E version 4, created 1766521393, md5len 0, sigclass 0x13 digest algo 8, begin of digest c2 de critical hashed subpkt 2 len 4 (sig created 2025-12-23) hashed subpkt 11 len 3 (pref-sym-algos: 9 8 7) hashed subpkt 16 len 8 (issuer key ID FC918B335044912E) hashed subpkt 20 len 70 (notation: salt@notations.sequoia-pgp.org=[not human readable]) hashed subpkt 21 len 1 (pref-hash-algos: 8) hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1) hashed subpkt 23 len 1 (keyserver preferences: 80) hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 30 len 1 (features: 01) hashed subpkt 33 len 21 (issuer fpr v4 1C61A2656FB57B7E4DE0F4C1FC918B335044912E) data: [2047 bits]On line 12, you'll note `digest algo 2` - which translates to SHA1. (I assume `digest algo 1 is md5, but 🤷♂️)
Line 25 has `digest algo 8` indicates SHA256, and `digest algo 10` indicates SHA512.
If you do the `gpg --dearmor` step, the second signature packet is removed (at least with the default options).- Dell_Dropbox
Community Manager
Thanks for bringing this issue to our attention, I've forwarded this issue to the team to take a look. I don't have any information on next steps or timeline at this moment but will update the thread when I hear back.
recently I found a workaround : just "borrow" the new keyring from dropbox fedora.
curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc | sudo tee /usr/share/keyrings/dropbox.asc > /dev/nullThen update your source list (typically at /etc/apt/sources.list.d/dropbox.list) to use those keyring.
Types: deb URIs: http://linux.dropbox.com/debian/ Suites: trixie Components: main Signed-By: /usr/share/keyrings/dropbox.ascNow you'll be able to update the Dropbox into the recent version.
