Need to see if your shared folder is taking up space on your dropbox 👨💻? Find out how to check here.
Forum Discussion
OpenPGP signature verification failed with Debian Trixie.
Warning: OpenPGP signature verification failed: http://linux.dropbox.com/debian trixie Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux@dropbox.com>
Error: The package repository 'http://linux.dropbox.com/debian trixie Release' is not signed.
please add new key to: https://linux.dropboxstatic.com/debian/dists/trixie/
22 Replies
Hi Verwijs and Megan. I got the same error on a Debian Bookworm system when running `apt update`:
W: GPG error: http://linux.dropbox.com/debian bookworm Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux@dropbox.com> E: The repository 'http://linux.dropbox.com/debian bookworm Release' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.Strangely enough, downloading and verifying the signature works fine (the downloaded public key is the same I had in my system keyring):
$ echo "Fetch latest release and signature" $ wget -nv https://linux.dropboxstatic.com/debian/dists/bookworm/Release{,.gpg} 2025-06-04 09:58:45 URL:https://linux.dropboxstatic.com/debian/dists/bookworm/Release [6606/6606] -> "Release" [1] 2025-06-04 09:58:45 URL:https://linux.dropboxstatic.com/debian/dists/bookworm/Release.gpg [488/488] -> "Release.gpg" [1] FINISHED --2025-06-04 09:58:45-- Total wall clock time: 1.0s Downloaded: 2 files, 6.9K in 0s (51.8 MB/s) $ echo "Fetch Dropbox repository public key" $ wget -nv https://linux.dropbox.com/fedora/rpm-public-key.asc 2025-06-04 10:56:47 URL:https://linux.dropbox.com/fedora/rpm-public-key.asc [975/975] -> "rpm-public-key.asc" [1] $ echo "Import the public key into a temporary keyring" $ gpg --no-default-keyring --keyring dropbox-temp.kbx --trust-model always --import rpm-public-key.asc gpg: key FC918B335044912E: public key "Dropbox Automatic Signing Key <linux@dropbox.com>" imported gpg: Total number processed: 1 gpg: imported: 1 $ echo "Verify the release file signature" $ gpg --no-default-keyring --keyring dropbox-temp.kbx --verify Release.gpg Release gpg: Signature made Fri 30 May 2025 04:08:45 PM -03 gpg: using RSA key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E gpg: Good signature from "Dropbox Automatic Signing Key <linux@dropbox.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 1C61 A265 6FB5 7B7E 4DE0 F4C1 FC91 8B33 5044 912EIn my case, it seems the locally cached metadata for the Dropbox repo was stale, so I removed the files listed by this command.
$ find /var/lib/apt/lists -iname "linux.dropbox.com*" /var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_Release.gpg /var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_main_binary-amd64_Packages /var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_ReleaseThis forced apt to re-download the Release, Release.gpg and the Packages file.
Afterward, `apt update` runs properly and without errors.I get this message once a day after upgrading to debian 13 "trixie" on August 12 2025.
W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Policy will reject signature within a year, see --audit for detailsThe relevant output from "apt update --policy", is:
Warning: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Policy will reject signature within a year, see --audit for details Audit: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound: No binding signature at time 2020-03-04T23:26:35Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00ZLooks like you're signing with SHA1 and that will be forbidden by debian APT policy in a year from now.
- Nancy
Dropbox Community Moderator
Hey steinarb, as a first, can you make sure that your device is following all the supported requirements mentioned here? Feel free to also check out this Help Center article.
We'll go from there.
I don't have neither Ubuntu, nor Fedora (as listed in the requirements) and no intentions of switching to either.
I do have debian, on which Ubuntu is based, and I do have a much newer debian than what Ubuntu 18 is based on (debian 13 "trixie", the current debian stable, which was released on August 9 2025).
The Dropbox debian package for Ubuntu has worked well for me on debian stable, since at least 2016, and still works.
But I am currently getting daily nags from debian APT because the APT archive of the debian package is signed which SHA1, which is not considered secure anymore, and because of this debian APT (and possibly later Ubuntu APT as well...?) will start rejecting the archive in less than one year.
So what you should do(and that you should do in any case...) is to upgrade the key used for signing your APT archive.
I.e. no changes to the code, just a change to the archive (including resigning of the packages, I guess...?)."I'm afraid that if the minimum system requirements are not met, issues like this are kind of expected."
That is a disjoint reply. Are you saying that accepting obsolete SHA1 signatures is a "minimum system requirement"?
I am having the same issues. I would rather stop using the dropbox app than stop using Debian.
- Hannah
I understand where you're coming from, daves415 and you as well slimy_asparagus. I did pass your feedback along to our team, so your comments are very appreciated.
Let us know if you need anything else.
