There is no need to do this and we don’t recommend to do. Because DietPi scripts expecting the current format. I just can repeat myself again: You don’t need to do anything now.
While the modernize-sources command was running, I saw:
Warning: Could not determine Signed-By for URIs: https://deb.debian.org/debian/, Suites: trixie-backports
After running apt update, in addition to the aforementioned Trixie-related warning, I see this:
Notice: Missing Signed-By in the sources.list(5) entry for 'https://deb.debian.org/debian'
Not sure what, if anything, needs to be done at this point. I just don’t feel comfortable seeing warnings and notices…
Better listen to him or some dietpi function will break.
You can revert the changes, just delete all the .sources files and rename the backup files by removing the .bak from the filename
Somehow, I did not see Joulinar’s message before attempting the modernization. Again, this is totally new territory for me, and I really don’t know what I am doing. Could someone please show me exactly how to delete the .sources and rename the .bak files?
Here is the content of /etc/apt/sources.list.d/debian.sources:
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian/
Suites: trixie-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
# Modernized from /etc/apt/sources.list
Types: deb
URIs: https://deb.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
I don’t see any .bak files. Am I looking in the wrong place?
You are looking inside one specific .sources file, but you need to look inside the whole folder:
ls /ect/apt/sources.list.d
Anyways, just execute this to revert it, it will give you a preview what will be changed
echo ".sources files to delete:"; find /etc/apt/sources.list.d/ -type f -name "*.sources"; echo ".list.bak files to rename"; find /etc/apt/sources.list.d/ -type f -name "*.list.bak" -exec bash -c 'echo "{} -> ${0%.bak}"' {} \;; read -p "Correct? [y/N] " ans; [[ $ans == "y" ]] && sudo find /etc/apt/sources.list.d/ -type f -name "*.sources" -exec rm -f {} + && sudo find /etc/apt/sources.list.d/ -type f -name "*.list.bak" -exec bash -c 'mv "$0" "${0%.bak}"' {} \; && sudo mv /etc/apt/sources.list.bak /etc/apt/sources.list
Then execute apt update to verify.
1 Like
Thank you very much Jappe! The script worked for me, I truly appreciate your help!
Please do NOT migrate to DEB822. Our scripts won’t find the lists anymore and any updates of them or keys etc will be missing, or duplicate lists will be created. We will migrate and apply this in a DietPi release soon.
You can/need to ignore the warnings about the keys. APT has tightened the rules for key algorithms, and not all 3rd party repos reacted to this yet, obviously including the RPi repo. However, the RPi repo key is managed with a package from this repo raspberrypi-archive-keyring. So an apt upgrade at some point will solve this.
EDIT: I see now the signey-by part in our raspi.list. We do not add this, since the keyring package adds it to /etc/apt/trusted.gpg.d/raspberrypi.gpg. Since I did not see this warning, could you try to remove the [signed-by=/usr/share/keyrings/raspberrypi-archive-keyring.gpg] block in your /etc/apt/sources.list.d/raspi.list and see whether this helps?
/usr/share/keyrings/raspberrypi-archive-keyring.gpg and /etc/apt/trusted.gpg.d/raspberrypi.gpg are supposed to be the same, but maybe they are not.
EDIT2: Oh yeah, the package now ships /etc/apt/trusted.gpg.d/raspberrypi-archive.asc, which likely solved it, but not if you link the other signing key manually with this signed-by.
1 Like
Understood about the migration, thank you very much.
Regarding [Edit 2], I see this:
/etc/apt/trusted.gpg.d$ ls
debian-archive-bookworm-automatic.asc debian-archive-trixie-security-automatic.asc
debian-archive-bookworm-security-automatic.asc debian-archive-trixie-stable.asc
debian-archive-bookworm-stable.asc dietpi-jellyfin.gpg
debian-archive-bullseye-automatic.asc dietpi-tailscale.gpg
debian-archive-bullseye-security-automatic.asc dietpi-webmin.asc
debian-archive-bullseye-stable.asc dietpi.asc
debian-archive-trixie-automatic.asc raspberrypi-archive.asc
Not sure what this tells you…
/etc/apt/trusted.gpg.d/raspberrypi-archive.asc is there as expected. So when you remove [signed-by=/usr/share/keyrings/raspberrypi-archive-keyring.gpg] from /etc/apt/sources.list.d/raspi.list, I assume the warning won’t show up anymore.
In /etc/apt/sources.list.d/raspi.list there is one entry: deb [signed-by=/usr/share/keyrings/raspberrypi-archive-keyring.gpg] http://archive.raspberrypi.org/debian/ trixie main
I deleted the entire entry, and after updating got a huge number of errors. I replaced the original entry and rebooted, but now see this:
sudo apt update
Hit:1 https://deb.debian.org/debian trixie InRelease
Hit:2 https://deb.debian.org/debian trixie-updates InRelease
Hit:3 https://deb.debian.org/debian-security trixie-security InRelease
Hit:4 https://download.webmin.com/download/newkey/repository stable InRelease
Hit:5 https://deb.debian.org/debian trixie-backports InRelease
Hit:6 http://archive.raspberrypi.org/debian trixie InRelease
Hit:7 https://repo.jellyfin.org/debian trixie InRelease
Get:8 https://pkgs.tailscale.com/stable/debian trixie InRelease
Err:6 http://archive.raspberrypi.org/debian trixie InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CF8A1AF502A2AA2D763BAE7E82B129927FA3303E is not bound: No binding signature at time 2026-01-29T17:03:28Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Hit:9 https://dietpi.com/apt trixie InRelease
Hit:10 https://dietpi.com/apt all InRelease
Fetched 6582 B in 1s (5554 B/s)
All packages are up to date.
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://archive.raspberrypi.org/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CF8A1AF502A2AA2D763BAE7E82B129927FA3303E is not bound: No binding signature at time 2026-01-29T17:03:28Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: Failed to fetch http://archive.raspberrypi.org/debian/dists/trixie/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CF8A1AF502A2AA2D763BAE7E82B129927FA3303E is not bound: No binding signature at time 2026-01-29T17:03:28Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
I don’t know what has happened, but this isn’t going well…
Do not remove the entire entry,
The entry should look as follows, correct?
deb http://archive.raspberrypi.org/debian/ trixie main
Correct, or to recreate it the way dietpi-config would do:
G_EXEC eval "echo 'deb https://archive.raspberrypi.com/debian ${G_DISTRO_NAME/forky/trixie} main' > /etc/apt/sources.list.d/raspi.list"