Resolved: GPG Signature Warnings on Debian 13 and Modern Ubuntu
If you’ve recently upgraded to Debian 13 (“Trixie”) or a newer version of Ubuntu and suddenly started seeing security warnings when running apt update (or apt update --audit), don’t worry. You didn’t do anything wrong.
This is a side effect of a broader security change across modern Linux distributions. SHA-1 signatures are being deprecated, and repositories that still rely on them may now trigger warnings or audits.
What changed?
We’ve rotated our GPG signing keys and re-signed our repositories with SHA-512 signatures, using Sequoia-PGP, to align with modern security standards.
In short:
- Stronger signatures
- Better compatibility with modern OS policies
- No more GPG warnings for supported versions
Important: LTS versions only
These security updates apply only to active LTS releases:
- Node.js 20
- Node.js 22
- Node.js 24
Older versions such as Node.js 16 or 18 are now considered legacy and will not receive this signature update.
Which version are you running?
I’m using Node.js 20, 22, or 24 (LTS)
Good news. Fixing this is straightforward.
Re-run the setup script for your version. This will automatically refresh the GPG key.
Example: Node.js 22.x
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
I’m using Node.js 16 or 18 (Legacy / EOL)
If you are running Node.js 16 or 18, you will likely continue to see these warnings.
While these versions remain available for compatibility reasons, they:
- No longer receive active support
- Do not get updated security signatures
- Increasingly conflict with modern OS security policies
Our recommendation:
If you are on Debian 13 or a recent Ubuntu release, upgrade to Node.js 20 or newer to remain secure and compatible with modern systems.
Example: upgrade to Node.js 20
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt-get install -y nodejs
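Whichever path above you take, you can confirm what the repository is actually signed with by inspecting the digest algorithm in the signature packet of its InRelease file. The script below is an added example, not part of NodeSource's setup script; it maps the OpenPGP hash-algorithm IDs from RFC 4880 to names and flags MD5/SHA-1 as weak. The file path in the usage comment is an assumption about where apt caches the list, and the packet listing it parses is constructed sample input, not output captured from a real NodeSource repository.

```shell
#!/usr/bin/env sh
# Map an OpenPGP hash-algorithm ID (RFC 4880, section 9.4) to its name.
pgp_digest_name() {
  case "$1" in
    1) echo MD5 ;;
    2) echo SHA1 ;;
    3) echo RIPEMD160 ;;
    8) echo SHA256 ;;
    9) echo SHA384 ;;
    10) echo SHA512 ;;
    11) echo SHA224 ;;
    *) echo "UNKNOWN($1)" ;;
  esac
}

# Read `gpg --list-packets` output on stdin and print one line per signature
# packet, "<digest> <verdict>", where the verdict is WEAK for MD5 and SHA-1
# (the algorithms Debian 13 and recent Ubuntu reject) and OK otherwise.
audit_signature_packets() {
  grep -o 'digest algo [0-9]*' | while read -r w1 w2 algo; do
    name=$(pgp_digest_name "$algo")
    case "$name" in
      MD5|SHA1) echo "$name WEAK" ;;
      *) echo "$name OK" ;;
    esac
  done
}

# Constructed sample resembling `gpg --list-packets InRelease` output, with
# one legacy SHA-1 signature (digest algo 2) and one SHA-512 signature
# (digest algo 10). Key IDs are placeholders.
SAMPLE_PACKETS=':signature packet: algo 1, keyid 0000000000000000
	version 4, created 1700000000, md5len 0, sigclass 0x00
	digest algo 2, begin of digest aa bb
:signature packet: algo 1, keyid 1111111111111111
	version 4, created 1750000000, md5len 0, sigclass 0x00
	digest algo 10, begin of digest cc dd'

# On a real system, feed the cached repository metadata instead, e.g. (assumed path):
#   gpg --list-packets /var/lib/apt/lists/deb.nodesource.com_*_InRelease | audit_signature_packets
printf '%s\n' "$SAMPLE_PACKETS" | audit_signature_packets
```

A repository that has picked up the re-signed metadata should show only SHA512 OK lines; any SHA1 WEAK line means apt is still seeing a legacy signature.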
Why this matters
Security compliance
SHA-1 is officially considered insecure. Modern distributions such as Debian 13 are expected to fully block SHA-1-signed repositories by February 2026.
Infrastructure health
Focusing on LTS versions allows us to keep production environments consistent, secure, and well maintained.
Stability
Running Node.js 20 or newer helps ensure CI/CD pipelines do not fail because of OS-level security audits or package verification issues.
Final thoughts
If you are running Node.js on modern Linux distributions, staying on an active LTS version is no longer just a best practice. It is essential for security and long-term stability.
Updating your GPG keys or upgrading to Node.js 20 or newer ensures your system remains aligned with current OS security standards and avoids unexpected issues in future audits or CI/CD pipelines.
Thanks for running Node.js with NodeSource. 💚
Keeping your stack secure and up to date helps everyone move faster and safer.