[Bug]: Apt just started rejecting SHA1 GPG signatures

[evilbunny2008]

⚠️ Before submitting, please verify the following: ⚠️

• This is a bug, not a question or a configuration issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
• I agree to follow Nextcloud's Code of Conduct

Bug description

Not too sure where to post this, as the Ubuntu PPA doesn't seem to accept bug reports, but this is specific to the PPA.

As of a few hours ago at midnight on the 1st of February 2026 UTC APT started rejecting any repo keys still using SHA1 as APT now considered them too insecure, which includes the Nextcloud Devs Ubuntu PPA GPG key.

The hard error can still be overridden by using apt --allow-insecure-repositories update however APT is still really unhappy even then and prints out a big nasty red coloured warning about it.

When doing apt upgrade APT shows a prompt asking if you are really be sure you want to install the Nextcloud package updates and then APT defaults to no.

APT has been showing a warning for about 12 months about this deadline, but is now set to enforcement and hard errors without the above command line argument.

Steps to reproduce

apt update produces the following:

Warning: OpenPGP signature verification failed: https://ppa.launchpadcontent.net/nextcloud-devs/client/ubuntu noble InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1FCD77DD0DBEF5699AD2610160EE47FBAD3DD469 is not bound: No binding signature at time 2026-01-22T18:34:05Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Error: The repository 'https://ppa.launchpadcontent.net/nextcloud-devs/client/ubuntu noble InRelease' is not signed. Notice: Updating from such a repository can't be done securely, and is therefore disabled by default. Notice: See apt-secure(8) manpage for repository creation and user configuration details.

Had similar problem with Cloudflare's signing key but they've published a new key which passes validation.

Expected behaviour

Shouldn't be any warnings or hard errors running apt update and apt upgrade

Which files are affected by this bug

Any APT repositories signed using a GPG key with a SHA1 hash

Which version of the operating system you are running.

Debian 13/Trixie

Package

Official PPA

[evilbunny2008]

For those that have automated update checks by programs like apticron there is no way to make sqv allow sha1 signatures that I have found so far, despite various default config files claiming otherwise.

I was constantly get emails with the above warnings every time apt was updated.

However, you can tell apt to revert to using gpgv which allows sha1 hashes.

mkdir -p /etc/apt/apt.conf.d
echo "APT::Key::GPGVCommand \"1\";" >> /etc/apt/apt.conf.d/25keypolicy

Then apt no longer displays errors or warnings about keys with sha1 hashes

[mgallien]

please report any issue with the Debian PPA in this repository

[evilbunny2008]

Where would that be?

[rotanid]

please report any issue with the Debian PPA in this repository

@mgallien which repository to report it in?