[Workaround] Apt Warning: Signature Key Uses Weak Algorithm

Got weak signature key warning in apt command output? Here’s why, and how to get rid of it in Ubuntu 24.04.

After adding PPAs or third-party source repositories in Ubuntu 24.04, you may get following similar warning in apt command (usually apt update) output:

W: https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu/dists/noble/InRelease: Signature by key 0AB215679C571D1C8325275B9BDB3D89CE49EC21 uses weak algorithm (rsa1024)

The warning may also happen in Debian and its based systems with apt package manager 2.7.13 or higher.

Due to crypto policy update, apt now (since v2.7.13, see the commit) requires repositories to be signed using one of the following public key algorithms:

  • RSA with at least 2048-bit keys
  • Ed25519
  • Ed448

The 1024-bit RSA keys, that are in use for launchpad PPA at the moment of writing, as well as DSA keys (not possible to use anymore), and ECC keys (NIST P-{256,384,521}, Brainpool P-{256,384,512}, secp256k1) are widely considered UNSAFE.

Ubuntu 24.04 includes apt 2.7.14 with policy update (see the discourse page). The UNSAFE keys are still working so far, but you’ll see the warning as mentioned above.

For Ubuntu PPAs (host on launchpad.net), no action is needed! Ubuntu Team will upgrade the keys to 4096-bit RSA.

PPAs are currently in the process of being upgraded to a 4096-bit RSA key and we expect that upgrade to be complete by release time. No action is needed (or possible) from PPA owners.

If you are currently using 24.04 before it is released, you will need to refresh the PPA signing keys when the warning becomes an error. We plan to provide easy functionality in add-apt-repository to do so, such that you do not need to remove and re-add the PPAs.

How to Override the Policy Change

So, if you can’t wait for maintainers to upgrade the keys or you just trust the current keys, then you can add a rule to get rid of the warning.

1. First, press Ctrl+Alt+T to open up a terminal window. When it opens, run command to create a config file for apt:

sudo nano /etc/apt/apt.conf.d/99weakkey-warning

Here I use nano command line text editor works in most desktops, you can replace it with gnome-text-editor for 24.04 with default GNOME, or other editor depends on your desktop environment. And, you may replace file-name 99weakkey-warning to whatever that you want.

2. When file opens, add the line below and change (or add) the value according to your need:

APT::Key::Assert-Pubkey-Algo “>=rsa1024,ed25529,ed448”;

The default key algorithms are “>=rsa2048,ed25529,ed448“. In my case (see the screenshot above), the warned key uses “rsa1024“. So, I replace the value >=rsa2048 with >=rsa1024.

For example, you want to allow secp256k1 (run sudo apt update to get the key algorithm in warning), then replace that line with:

APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25529,ed448,secp256k1";

Or, just leave it blank so all the key algorithm trusted by GnuPG should be allowed, so it will be:

APT::Key::Assert-Pubkey-Algo "";

After editing, press Ctrl+S to save file, and Ctrl+X to exit. And, run sudo apt update command to verify the change.

How to Restore

To restore the change, simply delete the config file that you created, by running command in terminal (Ctrl+Alt+T):

sudo rm /etc/apt/apt.conf.d/99weakkey-warning

Finally, run sudo apt update to refresh system package cache.