Open
Description
Scheduled builds are currently failing:
https://github.com/jakoch/cpp-devbox/actions/runs/21790222830/job/62868237150#step:15:2557
Because:
LLVM APT Repo Key Issue
APT is refusing the LLVM apt repository because its OpenPGP signing key uses SHA-1 in a binding (certification) signature.
But since 2026-02-01, Debian’s OpenPGP policy rejects SHA-1 for signatures that require second pre-image resistance.
Well done. Medium rare WTF.
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound: No binding signature at time 2025-12-21T22:28:23Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
1.519 W: OpenPGP signature verification failed: https://apt.llvm.org/trixie llvm-toolchain-trixie-21 InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound: No binding signature at time 2025-12-21T22:28:23Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
1.519 E: The repository 'http://apt.llvm.org/trixie llvm-toolchain-trixie-21 InRelease' is not signed.
Workarounds
- apt update -o APT::Key::GPGVCommand=1
- altering /etc/crypto-policies/back-ends/apt-sequoia.config to always allow SHA1?
I’m not going to re-date or tamper with key expiration just to make this work.
Referencing: llvm/llvm-project#153385
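To tell this failure apart from a missing or expired key when triaging CI logs, the sqv message quoted above can be parsed for the key fingerprint, the rejected algorithm and the policy cutoff. This is an added example, not part of the original issue or the cpp-devbox project; the patterns are derived only from the log lines quoted here, and `classify` and its field names are hypothetical.

```python
import re
from datetime import datetime, timezone

# sqv policy-rejection text as relayed by apt (format taken from the issue's log).
SQV_RE = re.compile(
    r"Signing key on (?P<fpr>[0-9A-F]{40}) is not bound: "
    r"No binding signature at time (?P<sig_time>\S+) because: "
    r"Policy rejected non-revocation signature \((?P<sig_type>\w+)\) "
    r"requiring (?P<property>[\w\- ]+?) because: "
    r"(?P<algo>\w+) is not considered secure since (?P<cutoff>\S+)"
)
# On "W:" lines apt prefixes the sqv text with "<url> <suite> InRelease:".
REPO_RE = re.compile(r"verification failed: (?P<url>\S+) (?P<suite>\S+) InRelease:")

# Log lines copied from the issue above, embedded so the example runs offline.
_SQV = ("Sub-process /usr/bin/sqv returned an error code (1), error message is: "
        "Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound: "
        "No binding signature at time 2025-12-21T22:28:23Z because: "
        "Policy rejected non-revocation signature (PositiveCertification) "
        "requiring second pre-image resistance because: "
        "SHA1 is not considered secure since 2026-02-01T00:00:00Z")
SAMPLE_LOG = "\n".join([
    _SQV,
    "1.519 W: OpenPGP signature verification failed: https://apt.llvm.org/trixie "
    "llvm-toolchain-trixie-21 InRelease: " + _SQV,
    "1.519 E: The repository 'http://apt.llvm.org/trixie llvm-toolchain-trixie-21 "
    "InRelease' is not signed.",
])

def _ts(value):
    """Parse the UTC timestamps sqv prints (e.g. 2026-02-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(log_text):
    """Return one finding per (key fingerprint, rejected algorithm) pair."""
    findings = {}
    for line in log_text.splitlines():
        m = SQV_RE.search(line)
        if not m:
            continue  # not a hash-policy rejection (e.g. the generic "E:" line)
        entry = findings.setdefault((m["fpr"], m["algo"]), {
            "repo": None, "suite": None,
            "fingerprint": m["fpr"], "signature_type": m["sig_type"],
            "rejected_algorithm": m["algo"], "required_property": m["property"],
            "signature_time": _ts(m["sig_time"]), "cutoff": _ts(m["cutoff"]),
        })
        repo = REPO_RE.search(line)
        if repo:  # fill in the repository once a line names it
            entry["repo"], entry["suite"] = repo["url"], repo["suite"]
    return list(findings.values())
```

A finding with `rejected_algorithm` set means the repository key itself is being refused by policy, so the durable fix lies with the key's certification rather than with the build host.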