Elias,

If anyone from the project is reading this, I do think it is important that we address this issue soon. Because of the outdated SHA1 signature, it is essentially impossible to install bacula in more modern operating systems without overriding or weakening security policies.

I do not speak for the bacula CE project, but I can say that I have run into this issue with Rocky Linux 9 and Alma Linux 9. This was brought up with the project at that time at least a year ago, and so far no action. The only solutions that I was aware of were:

1. Globally allow SHA1 for package signing (not great).
2. Disable signature checking altogether for the bacula CE repo only (not sure if this is better or worse than globally allowing SHA1 for package signing).

At least, option 2 is more granular. Once you install bacula, you're unlikely to need to do signature verification again, and the official installation method locks you to a certain version at the repo level.

I think the latest version of Debian may have bacula 15.x packages in the official repos, but I haven't personally confirmed this. I do think that there were a few confusing configuration changes made, to make bacula default to a 'safe' local only configuration. I would not normally advise the use of distribution repos to install bacula, but if the signature situation is unacceptable to you or your organization, that may be the only option besides making your own repo.

Regards,
Robert Gerber
402-237-8692
[email protected]

On Wed, Feb 11, 2026 at 12:15 PM Elias Pereira <[email protected]> wrote:

> Hi all,
>
> On Debian trixie (APT using sqv/Sequoia), apt update fails for the
> Bacula.org repository with an error similar to:
>
> “Signing key …E9DF3643 is not bound … Policy rejected non-revocation
> signature (PositiveCertification) requiring second pre-image resistance …
> SHA1 is not considered secure since 2026-02-01”.
>
> This seems related to SHA1 being rejected by policy on newer systems, so
> the repo is effectively unusable on trixie without weakening signature
> verification.
>
> Is there an updated Bacula Distribution Verification Key (or re-signed
> Release/InRelease) available that avoids SHA1, or any official
> guidance/workaround planned for Debian trixie?
>
> Thanks,
> --
> Elias Pereira
> _______________________________________________
> Bacula-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/bacula-users
