Verwijs
Helpful | Level 7
9 months ago

OpenPGP signature verification failed with Debian Trixie.

 

Warning: OpenPGP signature verification failed: http://linux.dropbox.com/debian trixie Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux@dropbox.com>

Error: The package repository 'http://linux.dropbox.com/debian trixie Release' is not signed.

Please add new key to: https://linux.dropboxstatic.com/debian/dists/trixie/

24 Replies

  • steinarb
    Helpful | Level 5
    6 months ago

    I get this message once a day after upgrading to Debian 13 "trixie" on August 12 2025.

    W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Policy will reject signature within a year, see --audit for details

    The relevant output from "apt update --policy" is:

    Warning: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Policy will reject signature within a year, see --audit for details
    Audit: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Sub-process /usr/bin/sqv returned an error code (1), error message is:
       Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound:
                  No binding signature at time 2020-03-04T23:26:35Z
         because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
         because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

    Looks like you're signing with SHA1 and that will be forbidden by Debian APT policy in a year from now.

  • Megan
    Dropbox Community Moderator
    9 months ago

    Hey maurom, thank you so much for the heads up! 

    Your info here will be valuable and helpful for other users facing the same thing, and hopefully will also resolve Verwijs's issue too.

    In any case, I'll be one post away! 

  • maurom
    Helpful | Level 5
    9 months ago

    Hi Verwijs and Megan. I got the same error on a Debian Bookworm system when running `apt update`:

    W: GPG error: http://linux.dropbox.com/debian bookworm Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux@dropbox.com>
    E: The repository 'http://linux.dropbox.com/debian bookworm Release' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

    Strangely enough, downloading and verifying the signature works fine (the downloaded public key is the same I had in my system keyring):

    $ echo "Fetch latest release and signature"
    $ wget -nv https://linux.dropboxstatic.com/debian/dists/bookworm/Release{,.gpg}
    2025-06-04 09:58:45 URL:https://linux.dropboxstatic.com/debian/dists/bookworm/Release [6606/6606] -> "Release" [1]
    2025-06-04 09:58:45 URL:https://linux.dropboxstatic.com/debian/dists/bookworm/Release.gpg [488/488] -> "Release.gpg" [1]
    FINISHED --2025-06-04 09:58:45--
    Total wall clock time: 1.0s
    Downloaded: 2 files, 6.9K in 0s (51.8 MB/s)
    
    $ echo "Fetch Dropbox repository public key"
    $ wget -nv https://linux.dropbox.com/fedora/rpm-public-key.asc
    2025-06-04 10:56:47 URL:https://linux.dropbox.com/fedora/rpm-public-key.asc [975/975] -> "rpm-public-key.asc" [1]
    
    $ echo "Import the public key into a temporary keyring"
    $ gpg --no-default-keyring --keyring dropbox-temp.kbx --trust-model always --import rpm-public-key.asc
    gpg: key FC918B335044912E: public key "Dropbox Automatic Signing Key <linux@dropbox.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    $ echo "Verify the release file signature"
    $ gpg --no-default-keyring --keyring dropbox-temp.kbx --verify Release.gpg Release
    gpg: Signature made Fri 30 May 2025 04:08:45 PM -03
    gpg:                using RSA key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E
    gpg: Good signature from "Dropbox Automatic Signing Key <linux@dropbox.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 1C61 A265 6FB5 7B7E 4DE0  F4C1 FC91 8B33 5044 912E

    In my case, it seems the locally cached metadata for the Dropbox repo was stale, so I removed the files listed by this command.

    $ find /var/lib/apt/lists -iname "linux.dropbox.com*"
    /var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_Release.gpg
    /var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_main_binary-amd64_Packages
    /var/lib/apt/lists/linux.dropbox.com_debian_dists_bookworm_Release

    This forced apt to re-download the Release, Release.gpg and the Packages file.
    Afterward, `apt update` runs properly and without errors.
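
The posts above show two different failures: `BADSIG` (a signature that does not verify over the Release file apt holds) and the SHA1 policy warning (a property of the key's own binding signature). As an added example, not part of any post and not Dropbox or Debian code, this script separates the two in apt output and lists the cached files for the affected host; the function names and the `LISTS_DIR` variable are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread's authors): triage apt signature messages.
LISTS_DIR="${LISTS_DIR:-/var/lib/apt/lists}"   # assumed variable, overridable for testing

# Read `apt update` / `apt update --audit` output on stdin; print one finding per line:
#   BADSIG <host> <keyid>        signature does not verify over the Release file apt holds
#   SHA1_BINDING <fingerprint>   the key's self-signature uses SHA1 (future policy rejection)
triage_apt_sig() {
  awk '
    /BADSIG/ {
      host = ""; key = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^https?:\/\//) { host = $i; sub(/^https?:\/\//, "", host); sub(/\/.*/, "", host) }
        if ($i == "BADSIG") key = $(i + 1)
      }
      print "BADSIG", host, key
    }
    /Signing key on [0-9A-F]+ is not bound/ {
      for (i = 1; i <= NF; i++) if ($i == "on") fpr = $(i + 1)
    }
    /SHA1 is not considered secure/ && fpr != "" { print "SHA1_BINDING", fpr; fpr = "" }
  '
}

# List (never delete) apt's cached index files for a host, like the `find` in maurom's post.
cached_lists_for() {
  [ -d "$LISTS_DIR" ] || return 0
  find "$LISTS_DIR" -maxdepth 1 -type f -iname "$1*" | sort
}

# Turn findings into a short report with the next step for each failure class.
report() {
  triage_apt_sig | while read -r kind a b; do
    case "$kind" in
      BADSIG) echo "BADSIG from $a (key $b): compare with a fresh download; cached files:"
              cached_lists_for "$a" | sed 's/^/  /' ;;
      SHA1_BINDING) echo "Key $a: SHA1 binding signature; needs a new self-signature from the key owner" ;;
    esac
  done
}

# Sample input: lines quoted from the posts in this thread.
report <<'EOF'
W: GPG error: http://linux.dropbox.com/debian bookworm Release: The following signatures were invalid: BADSIG FC918B335044912E Dropbox Automatic Signing Key <linux@dropbox.com>
   Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound:
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
EOF
```

Pipe real output through it with `apt update --audit 2>&1 | report`; a `BADSIG` finding is something to resolve locally, while a `SHA1_BINDING` finding cannot be fixed on the client side.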

     

  • Megan
    Dropbox Community Moderator
    9 months ago

    Hey Verwijs, let's jump right into this!

    Just wanted to check with you, and ask if you're still getting the same message. 

    Also, what steps do you follow on your end before seeing it? 

    Keep me posted, and we'll take it from there!
