Error updating apt repo: Policy rejected packet type Caused by: Signature Packet v3 is not considered secure

[er0k]

What happened:

I recently updated apt to 2.9.19 on Debian sid and I'm unable to update the kubernetes repositories. When I run apt update I get this error:

Get:4 https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb  InRelease [1,186 B]
Err:4 https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb  InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
Hit:17 https://download.sublimetext.com apt/dev/ InRelease
Warning: GPG error: https://prod-cdn.packages.k8s.io/repositories/isv:/kubernetes:/core:/stable:/v1.32/deb  InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
Error: The repository 'https://pkgs.k8s.io/core:/stable:/v1.32/deb  InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.

What you expected to happen:

I can run apt update to update kubernetes package information

How to reproduce it (as minimally and precisely as possible):

1. configure kubernetes apt repo according to these instructions
2. use apt 2.9.19
3. run apt update

Anything else we need to know?:

apt-listchanges says:

apt (2.9.19) unstable; urgency=medium

This release switches to OpenSSL for hashing and TLS, replacing the
GnuTLS and gcrypt libraries.

I'm not sure if this is a bug in apt, but all my other repositories are working fine, only the kubernetes repo is throwing this error. apt update works fine in Debian stable (12/bookworm) using apt 2.6.1 with the kubernetes repo.

Environment:

$ uname -srvo
Linux 6.12.6-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.6-1 (2024-12-21) GNU/Linux

$ apt --version
apt 2.9.19 (amd64)

$ head -n1 /etc/os-release 
PRETTY_NAME="Debian GNU/Linux trixie/sid"

$ openssl version
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)

[xmudrii]

I can confirm this issue, however, this issue is with our repositories provider (OpenBuildService) and we can't do much about this at the moment. We'll raise this issue with them, but given it's the holidays seasons, it might take a while for this to get sorted out.

For time being, I advise staying away from apt 2.9.19 if possible. apt 2.9.16 is working fine.

/triage accepted
/priority critical-urgent
/assign

[xmudrii]

Update: I've sent a message to the OpenBuildService folks via their IRC channel.