Debian 13 GPG key is not bound, no binding signature at time + SHA1

Plex Media Server
1

I’m started to migrate to Debian Trixie and I’m facing about issue about the signature key with this error message:


Warning: https://downloads.plex.tv/repo/deb/dists/public/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://downloads.plex.tv/repo/deb/dists/public/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on CD665CBA0E2F88B7373F7CB997203C7B3ADCA79D is not bound:
              No binding signature at time 2025-04-10T15:38:19Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

The key is already updated to latest from https://downloads.plex.tv/plex-keys/PlexSign.key I didn’t see any new key.

So I know trixie is still in hard freeze but we must to update the key with a new version to support the upcoming debian and apt version

Regards,

1 Like
2

Debian 13 is now officially released and the key hasn’t been updated yet. Are there any plans to create a new key?

Help article here is also outdated https://support.plex.tv/articles/235974187-enable-repository-updating-for-supported-linux-server-distributions/

$ cat /etc/apt/sources.list.d/plex.sources
Types: deb
URIs: https://downloads.plex.tv/repo/deb/
Suites: public
Components: main
Signed-By: /usr/share/keyrings/plexmediaserver.gpg
Architectures: amd64

$ wget -q https://downloads.plex.tv/plex-keys/PlexSign.key -O - | sudo gpg --dearmor -o /usr/share/keyrings/plexmediaserver.gpg
2 Likes
3

My Debian VM running Plex has been upgraded to Trixie. Will a new key be available soon?

4

I add my voice to all yours :slight_smile:

I’ve got the warning message too.

Will there be an update of that key in a near future?

5

Just upgraded to trixie and I get the message as well.

Hope we get a new key with 11 months 29 days. :rofl:

6

Nope.

The deadline for SHA-1 is February 1, 2026, as per debian policy:

Warning: https://downloads.plex.tv/repo/deb/dists/public/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://downloads.plex.tv/repo/deb/dists/public/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on CD665CBA0E2F88B7373F7CB997203C7B3ADCA79D is not bound:
              No binding signature at time 2025-08-11T17:06:54Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
7

1 Like
8

Apparently Plex team is working on a solution