Kathará repository signature considered insecure on debian 13

[salvle]

Operating System

Debian 13

Kathará Version

3.8.0

Bug Description

Hi i am trying to install Kathará on Debian 13 following the wiki instructions. Apparently since 2026-02-01 apt treats SHA1 signatures as insecure, leading to the following error:

root@debian:~# apt update
Hit:1 http://security.debian.org/debian-security trixie-security InRelease
Hit:2 http://debian.mirror.garr.it/debian trixie InRelease                 
Hit:3 http://debian.mirror.garr.it/debian trixie-updates InRelease         
Get:4 http://ppa.launchpad.net/katharaframework/kathara/ubuntu jammy InRelease [18.1 kB]
Err:4 http://ppa.launchpad.net/katharaframework/kathara/ubuntu jammy InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 21805A48E6CBBA6B991ABE76646193862B759810 is not bound: No binding signature at time 2025-07-28T17:42:16Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: OpenPGP signature verification failed: http://ppa.launchpad.net/katharaframework/kathara/ubuntu jammy InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 21805A48E6CBBA6B991ABE76646193862B759810 is not bound: No binding signature at time 2025-07-28T17:42:16Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Error: The repository 'http://ppa.launchpad.net/katharaframework/kathara/ubuntu jammy InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

For now i managed to bypass the problem following the instructions in /usr/share/apt/default-sequoia.config to adjust the date that leads to this error.

Steps To Reproduce

Try to install Kathará on a fresh debian 13 install.

Expected Behavior

Kathará installs correctly.

Check Command Output

[tcaiazzi]

Dear @salvle,

Thanks for opening the issue and for pointing this out.

This happens because Launchpad (which hosts the Kathará PPA) still signs the repository metadata using SHA1. Unfortunately, the signing policy is managed by Launchpad itself, so we don’t have direct control over it. Moreover, since Launchpad is an Ubuntu service, we can’t predict when (or if) they will update it to a modern scheme accepted by Sequoia.

To address this long term, we plan to set up a self-hosted APT repository with modern signatures compatible with Sequoia.

Meanwhile, starting with the next releases (a new one is coming soon), we will also publish .deb packages directly on GitHub so Debian users can install Kathará without relying on the Launchpad PPA.

[tcaiazzi]

Hi @salvle,

You can find .deb packages for the new version on the releases page.