OpenPGP signature verification failed with Debian Trixie.

I fully agree with the previous posters. While it is technically possible to relax the cryptographic policies of our platforms to keep using the Dropbox repository with its deprecated SHA-1 signature, Debian and other modern distributions are flagging said signatures as insecure for good reasons. This is quickly becoming a blocking problem for those who want to keep Dropbox integrated without compromising our system security.

Having said that, we appreciate that this issue has been escalated internally, and we'd be very grateful if it could be prioritized so the repository is re-signed with a stronger algorithm, ensuring continued compatibility and security across all supported platforms.

Thanks in advance.

I am having the same issue, and I find the use of the SHA1 signatures very concerning in terms of trusting the security commitments of Dropbox. As a loyal customer who has been paying for Dropbox for twenty years or so, I hope this issue is given priority as a security concern.

I understand where you're coming from, daves415 and you as well slimy_asparagus. I did pass your feedback along to our team, so your comments are very appreciated.

Let us know if you need anything else.

I am having the same issues. I would rather stop using the dropbox app than stop using Debian.

"I'm afraid that if the minimum system requirements are not met, issues like this are kind of expected."

That is a disjoint reply. Are you saying that accepting obsolete SHA1 signatures is a "minimum system requirement"?

Thanks for your update here, steinarb.

I'm afraid that if the minimum system requirements are not met, issues like this are kind of expected.

I did, however, pass your comments and feedback along to our team about this.

Let us know if you have any other questions.

I don't have neither Ubuntu, nor Fedora (as listed in the requirements) and no intentions of switching to either.

I do have debian, on which Ubuntu is based, and I do have a much newer debian than what Ubuntu 18 is based on (debian 13 "trixie", the current debian stable, which was released on August 9 2025).

The Dropbox debian package for Ubuntu has worked well for me on debian stable, since at least 2016, and still works.

But I am currently getting daily nags from debian APT because the APT archive of the debian package is signed which SHA1, which is not considered secure anymore, and because of this debian APT (and possibly later Ubuntu APT as well...?) will start rejecting the archive in less than one year.

So what you should do(and that you should do in any case...) is to upgrade the key used for signing your APT archive.

I.e. no changes to the code, just a change to the archive (including resigning of the packages, I guess...?).

Hey steinarb, as a first, can you make sure that your device is following all the supported requirements mentioned here? Feel free to also check out this Help Center article.

We'll go from there.

I get this message once a day after upgrading to debian 13 "trixie" on August 12 2025.

W: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Policy will reject signature within a year, see --audit for details

The relevant output from "apt update --policy", is:

Warning: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Policy will reject signature within a year, see --audit for details
Audit: http://linux.dropbox.com/debian/dists/sid/Release.gpg: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound:
              No binding signature at time 2020-03-04T23:26:35Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Looks like you're signing with SHA1 and that will be forbidden by debian APT policy in a year from now.

Hey maurom, thank you so much for the heads up! 

Your info here will be valuable, and helpful for other users facing the same thing, and hopefully will also resolve Verwijs issue too.

In any case, I'll be one post away!