Child Item

Dropbox apt infrastructure relying on unsecure SHA1

When one update its software list with apt on Debian Trixie at least, he gets this error:

Err:13 http://linux.dropbox.com/debian sid InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound: No binding signature at time 2026-01-16T19:39:14Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
(...)
Warning: OpenPGP signature verification failed: http://linux.dropbox.com/debian sid InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1C61A2656FB57B7E4DE0F4C1FC918B335044912E is not bound: No binding signature at time 2026-01-16T19:39:14Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'http://linux.dropbox.com/debian sid InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.
Notice: Some sources can be modernized. Run 'apt modernize-sources' to do so.

This issue was already reported in an unrelated apt issue thread (now closed for replies) in

https://www.dropboxforum.com/discussions/101001016/openpgp-signature-verification-failed-with-debian-trixie-/835761/replies/842767

by @steinarb

Looks like you're signing with SHA1 and that will be forbidden by debian APT policy in a year from now.

at which it was replied that Debian Trixie is not officially supported...

But the support tells

Ubuntu 64 bits : 18.04 ou version ultérieure

please see the process to switch to SHA256 in (there might be better options since because this process is from 2016):

https://github.com/mxe/mxe-apt/issues/2

and this page tells that the support for SHA1 was removed in Ubuntu in release 16.04

and

https://wiki.debian.org/Teams/Apt/Sha1Removal

tells that dropbox switched to SHA256 long ago.

I believe that recently one of your admin switched back your apt repository signing to SHA1 which is broken on Debian Trixie but also on all Ubuntu above 16.04 so this bug lies in your "offical support".

Cheers

Find more posts tagged with

Desktop

Install

Linux

Insightful

Comments

Hannah

Hey @prahal, thanks for bringing this to our attention.

I've gone ahead and reached out to our team about it, and I'll get back to you with more info, when I have it.

Thanks in advance for your patience!

eRQee

recently I found a workaround : just "borrow" the new keyring from dropbox fedora.

curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc | sudo tee /usr/share/keyrings/dropbox.asc > /dev/null

Then update your source list (typically at /etc/apt/sources.list.d/dropbox.list) to use those keyring.

Types: deb
URIs: http://linux.dropbox.com/debian/
Suites: trixie
Components: main
Signed-By: /usr/share/keyrings/dropbox.asc

Now you'll be able to update the Dropbox into the recent version.

Dell_Dropbox

Thanks for bringing this issue to our attention, I've forwarded this issue to the team to take a look. I don't have any information on next steps or timeline at this moment but will update the thread when I hear back.

Pariah_Zero

curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc | sudo tee /usr/share/keyrings/dropbox.asc > /dev/null

It's worth noting: Many guides mention using `gpg --dearmor <key>` on `dropbox.asc`.

This then creates `dropbox.gpg`, and it doesn't work, because the SHA2 signature is apparently removed.

(You can check this by using `gpg --list-packets dropbox.asc`

which will show:

# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
        version 4, algo 1, created 1265928625, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: FC918B335044912E
# off=272 ctb=b4 tag=13 hlen=2 plen=49
:user ID packet: "Dropbox Automatic Signing Key <linux@dropbox.com>"
# off=323 ctb=89 tag=2 hlen=3 plen=310
:signature packet: algo 1, keyid FC918B335044912E
        version 4, created 1265928625, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 2f f3
        hashed subpkt 2 len 4 (sig created 2010-02-11)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID FC918B335044912E)
        data: [2044 bits]
# off=636 ctb=89 tag=2 hlen=3 plen=401
:signature packet: algo 1, keyid FC918B335044912E
        version 4, created 1766521393, md5len 0, sigclass 0x13
        digest algo 8, begin of digest c2 de
        critical hashed subpkt 2 len 4 (sig created 2025-12-23)
        hashed subpkt 11 len 3 (pref-sym-algos: 9 8 7)
        hashed subpkt 16 len 8 (issuer key ID FC918B335044912E)
        hashed subpkt 20 len 70 (notation: salt@notations.sequoia-pgp.org=[not human readable])
        hashed subpkt 21 len 1 (pref-hash-algos: 8)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 33 len 21 (issuer fpr v4 1C61A2656FB57B7E4DE0F4C1FC918B335044912E)
        data: [2047 bits]

On line 12, you'll note `digest algo 2` - which translates to SHA1. (I assume `digest algo 1 is md5, but 🤷‍♂️)

Line 25 has `digest algo 8` indicates SHA256, and `digest algo 10` indicates SHA512.

If you do the `gpg --dearmor` step, the second signature packet is removed (at least with the default options).

steinarb

The workaround worked for me as well on debian 13.3 "trixie", amd64.

Here is what I did

Found that /etc/apt/sources.list.d/dropbox.list had signed-by=/etc/apt/keyrings/dropbox.asc

deb [arch=i386,amd64 signed-by=/etc/apt/keyrings/dropbox.asc] http://linux.dropbox.com/debian trixie main

Moved away existing /etc/apt/keyrings/dropbox.asc

mv /etc/apt/keyrings/dropbox.asc /etc/apt/keyrings/dropbox.asc.backup

Downloaded the fedora signing key and put it in the place of the old dropbox.asc

curl -s https://linux.dropbox.com/fedora/rpm-public-key.asc  >/etc/apt/keyrings/dropbox.asc

Tried "apt update" which now ran without error messages

root@marquez:~# apt update
Hit:1 http://deb.debian.org/debian stable-backports InRelease
Hit:2 http://security.debian.org/debian-security stable-security InRelease
Ign:3 https://repo.vivaldi.com/stable/deb stable InRelease
Hit:4 https://repo.vivaldi.com/stable/deb stable Release
Hit:6 https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/bullseye pgadmin4 InRelease
Hit:7 http://ftp.no.debian.org/debian stable InRelease
Hit:8 http://ftp.no.debian.org/debian stable-updates InRelease
Hit:9 https://dbeaver.io/debs/dbeaver-ce  InRelease
Hit:10 http://linux.dropbox.com/debian trixie InRelease
All packages are up to date.
root@marquez:~#

Neal

Hi @prahal!

Thanks for sharing this with the Community.

I've spoken to our team internally and they advised that you need to download and reinstall the latest .deb from our website.

This has affected a few users but this should fix the issue!

prahal

@Neal your fix worked. Indeed from https://www.dropbox.com/fr/install-linux I reinstalled the Ubuntu 22.10 and newer deb (24th of March 2026) on Debian Forky and this issue about obsolete SHA1 apt repo is fixed.

(the current deb is

https://www.dropbox.com/download?dl=packages/ubuntu/dropbox_2026.01.15_amd64.deb)