Resolved: GPG Signature Warnings on Debian 13 and Modern Ubuntu
Briefly

"If you've recently upgraded to Debian 13 ("Trixie") or a newer version of Ubuntu and suddenly started seeing security warnings when running apt update (or apt update --audit), don't worry. You didn't do anything wrong. This is a side effect of a broader security change across modern Linux distributions. SHA-1 signatures are being deprecated, and repositories that still rely on them may now trigger warnings or audits.

What changed?

We've rotated our GPG keys to SHA-512 and re-signed our repositories to align with modern security standards, using Sequoia-PGP.

In short:
Stronger signatures
Better compatibility with modern OS policies
No more GPG warnings for supported versions"
"Important: LTS versions only

These security updates apply only to active LTS releases: Older versions such as Node.js 16 or 18 are now considered legacy and will not receive this signature update.

Which version are you running?

I'm using Node.js 20, 22, or 24 (LTS)

Good news. Fixing this is straightforward. Re-run the setup script for your version. This will automatically refresh the GPG key.

Example: Node.js 22.x

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs

I'm using Node.js 16 or 18 (Legacy / EOL)

If you are running Node.js 16 or 18, you will likely continue to see these warnings. While these versions remain available for compatibility reasons, they:
No longer receive active support
Do not get updated security signatures
Increasingly conflict with modern OS security policies

Our recommendation: If you are on Debian 13 or a recent Ubuntu release, upgrade to Node.js 20 or newer to remain secure and compatible with modern systems.

Example: upgrade to Node.js 20

curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt-get install -y nodejs"
Debian 13 ("Trixie") and recent Ubuntu releases verify repository signatures under a policy that deprecates SHA-1, so apt update (and apt update --audit) now warns about repositories whose signatures still use it. NodeSource rotated its GPG keys and re-signed its repositories with SHA-512 using Sequoia-PGP, giving stronger signatures that pass the new policy. Only the repositories for the active LTS lines (Node.js 20, 22 and 24) were re-signed; Node.js 16 and 18 are legacy and keep their old signatures, so their warnings persist. Re-running the NodeSource setup script for an LTS line fetches the refreshed key; installs still on 16 or 18 should move to Node.js 20 or newer to stay supported and compatible.
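The warning described above is decided by one byte in the repository's OpenPGP signature: the hash-algorithm field of the signature packet. The script below is an added example written for this page (it is not NodeSource, apt or Sequoia code). It de-armors the signature block of an InRelease (or Release.gpg) file, walks the OpenPGP packet headers in both the GnuPG old format and the Sequoia new format, and reports the digest, key algorithm and issuer key ID of each signature packet, flagging SHA-1. The InRelease text it feeds itself is constructed test data with a dummy MPI (it would never verify, it only reproduces the packet layout); the WEAK_DIGESTS set, the function names and the "Origin: example" line are assumptions of this example.

```python
"""Report the digest algorithm recorded in each OpenPGP signature on an apt
InRelease or Release.gpg file (RFC 4880 5.2.3). Added example; not apt code."""
import base64
import re
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",   # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}   # RFC 4880 9.1
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}  # assumption: what a modern apt policy flags

def dearmor(text: str) -> bytes:
    """Binary payload of the first PGP SIGNATURE armor block (in a cleartext-signed
    InRelease that block follows the signed text)."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----",
                  text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE armor block found")
    lines = [l.rstrip("\r") for l in m.group(1).split("\n")]
    if "" in lines:                                  # armor headers end at a blank line
        lines = lines[lines.index("") + 1:]
    # A line starting with "=" is the optional CRC24 trailer, not payload.
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))

def read_packet(buf: bytes, pos: int):
    """Parse one packet header (RFC 4880 4.2); return (tag, body_start, body_end)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header (Sequoia, ctb 0xC2)
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not valid for signatures")
    else:                                            # old-format header (GnuPG, ctb 0x89)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:                               # indeterminate: rest of input
            length, hdr = len(buf) - pos - 1, 1
        else:
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length

def subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # high bit of type = critical flag
        i += length

def parse_signature(body: bytes) -> dict:
    """Fixed fields of a v4 signature packet plus its issuer key ID."""
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    u = 6 + struct.unpack(">H", body[4:6])[0]        # end of hashed subpacket area
    unhashed_len = struct.unpack(">H", body[u:u + 2])[0]
    issuer = None
    for area in (body[6:u], body[u + 2:u + 2 + unhashed_len]):
        for sp_type, data in subpackets(area):
            if sp_type == 16:                         # issuer key ID subpacket
                issuer = data.hex().upper()
    digest = HASH_ALGOS.get(body[3], f"unknown({body[3]})")
    return {"pubkey": PUBKEY_ALGOS.get(body[2], f"unknown({body[2]})"),
            "digest": digest, "issuer": issuer, "weak": digest in WEAK_DIGESTS}

def audit_signatures(armored: str) -> list:
    """One record per signature packet in the armored block."""
    data, pos, out = dearmor(armored), 0, []
    while pos < len(data):
        tag, start, end = read_packet(data, pos)
        if tag == 2:                                  # signature packet
            out.append(parse_signature(data[start:end]))
        pos = end
    return out

def build_sample_inrelease(hash_algo: int, new_format: bool = True) -> str:
    """CONSTRUCTED test data: cleartext-signed text whose signature packet records
    the given digest ID. The MPI is a dummy, so the signature would never verify."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1_700_000_000)      # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")  # issuer key ID
    body = (bytes([4, 0x01, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD" + struct.pack(">H", 8) + b"\x7F")         # hash prefix, dummy MPI
    header = (bytes([0xC2, len(body)]) if new_format                 # Sequoia style
              else bytes([0x89]) + struct.pack(">H", len(body)))    # GnuPG style
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: %s\n\nOrigin: example\n\n"
            "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n"
            % (HASH_ALGOS[hash_algo], base64.b64encode(header + body).decode()))

if __name__ == "__main__":
    for algo in (2, 10):                              # a SHA-1 and a SHA-512 signature
        for rec in audit_signatures(build_sample_inrelease(algo)):
            verdict = "WEAK, expect apt audit warnings" if rec["weak"] else "ok"
            print(f"issuer {rec['issuer']} {rec['pubkey']}/{rec['digest']}: {verdict}")
```

On a Debian 13 host, pass audit_signatures the text of the relevant file under /var/lib/apt/lists/ whose name ends in InRelease (the NodeSource one after re-running the setup script) and confirm the digest reads SHA512; gpg --list-packets on the same file prints the equivalent "digest algo 10" line. The script inspects only the data signature over the repository metadata. apt's verifier applies the same policy to the signing key's own binding self-signatures, which this script does not parse, so also run gpg --list-packets against the keyring the setup script installs (assumed to live under /etc/apt/keyrings/) and check the digest algo of its self-signatures.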