
The Session team has announced a critical signing key rotation for its APT repositories and GitHub releases, driven by the upcoming rejection of the SHA-1 algorithm in APT version 1.2.7, which takes effect on February 1, 2026.
Users who rely on Session-related Debian packages must install the new signing key to continue receiving updates without interruption.
The Session team clarified that the previously used signing key leveraged SHA-1, a cryptographic hash function that has been deprecated for years due to known weaknesses. As APT prepares to enforce the rejection of SHA-1 signatures, the move to a new key ensures compatibility with future updates.
Session is a privacy-focused messaging platform built atop the Oxen network, which offers a range of privacy-preserving technologies including the Lokinet onion-routing network and Session Desktop, a decentralized encrypted messenger. Many of its services, including session-desktop, session-service-node, and lokinet-router, are distributed via APT repositories hosted at deb.oxen.io. These packages are especially critical for Linux-based node operators and privacy infrastructure maintainers.
To maintain package update functionality beyond February 1, 2026, users must replace the old signing key with a new one hosted at https://deb.session.foundation/pub.gpg. Those who fail to do so will encounter signature verification errors when attempting to update, such as:
OpenPGP signature verification failed: https://deb.oxen.io trixie InRelease: Missing key 3025F17897F46CB5538178CA401E790E060BB00E
The simplest method for updating the key involves downloading it directly into the trusted GPG directory using:
sudo curl -so /etc/apt/trusted.gpg.d/session-foundation.gpg https://deb.session.foundation/pub.gpg
However, this method configures APT to trust the key for all repositories, because any key placed in /etc/apt/trusted.gpg.d is accepted for every configured source. Users seeking tighter security boundaries can instead configure APT to trust the key only for Session repositories. This involves purging the existing oxen.gpg and source list files, downloading the new key to a shared keyring, and configuring a .sources file pointing to the updated deb.session.foundation domain. Full step-by-step instructions were provided in the official announcement.
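The difference between the two approaches can be checked on an installed system. The script below is an added example, not part of the Session announcement: it prints a deb822 stanza that limits a keyring to one repository with Signed-By, then lists keys in trusted.gpg.d and source entries that carry no Signed-By restriction. The keyring path /usr/share/keyrings/session-foundation.gpg, the component main and the function names are assumptions; the trixie suite is taken from the error message above.

```shell
#!/bin/sh
# Added example (not from the Session announcement): audit how widely APT
# trusts its keys. File names, keyring path and component are assumptions.

# Print a deb822 stanza that ties one repository to one keyring via Signed-By.
render_scoped_source() {  # args: uri suite component keyring
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$1" "$2" "$3" "$4"
}

# Print one finding per line for an APT config root (default /etc/apt):
#   GLOBAL-KEY <file>  key in trusted.gpg.d, accepted for every repository
#   UNSCOPED <file>    source entry with no Signed-By restriction
audit_apt_trust() {
    root=${1:-/etc/apt}
    for f in "$root"/trusted.gpg.d/*; do
        if [ -f "$f" ]; then echo "GLOBAL-KEY $f"; fi
    done
    for f in "$root"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        # Paragraph mode (RS=""): one record per stanza. Flag the file if any
        # stanza names URIs but carries no Signed-By field.
        if awk -v RS= 'tolower($0) ~ /(^|\n)uris:/ &&
                       tolower($0) !~ /(^|\n)signed-by:/ { bad = 1 }
                       END { exit !bad }' "$f"; then
            echo "UNSCOPED $f"
        fi
    done
    for f in "$root"/sources.list "$root"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        # One-line format: the restriction is the [signed-by=...] option.
        if grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$f" |
           grep -qv 'signed-by='; then
            echo "UNSCOPED $f"
        fi
    done
    return 0
}

# Scoped stanza for the new domain (keyring path and component are assumed).
render_scoped_source https://deb.session.foundation trixie main \
    /usr/share/keyrings/session-foundation.gpg
# Read-only audit of this machine's APT configuration.
audit_apt_trust /etc/apt
```

A GLOBAL-KEY line for session-foundation.gpg is the expected result of the curl command above; after switching to the scoped setup, that line should disappear and the Session source should not be listed as UNSCOPED.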
Despite the shift to the new domain, the older deb.oxen.io repository URL remains functional, and both URLs will serve identical content.
Linux users and node operators are strongly encouraged to complete this key rotation before February 1 to avoid disruption. Those not managing Session nodes or using Linux distributions can safely ignore this update.
For assistance, users can seek help in the Session Node Operators channel on Telegram, the Session Token Discord server, or via Session itself.






