Enpass Discussion Forum

Policy will reject signature within a year

Hello, how do I fix this? Thanks

/etc/apt/sources.list.d/enpass.sources
Types: deb
URIs: https://apt.enpass.io/
Suites: stable
Components: main
Signed-By: /etc/apt/trusted.gpg.d/enpass.gpg
Warning: https://apt.enpass.io/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://apt.enpass.io/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on B6DA722E2E65721AF54B93966F7565879798C2FC is not bound:
              No binding signature at time 2025-01-06T06:23:46Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

 

Edited by troypulk1

  • 2 months later...
On 5/20/2025 at 7:27 AM, Tarun Singh Rawat said:

We are looking into the issue with the technical team and will follow up with an update soon.

 

#SI-4367

Hi,

Any news about it?
Thanks

Our technical team has already acknowledged the issue and is actively working on a solution. Fixing this bug may take some time, and the resolution will be included in the upcoming updates of the application.

We appreciate your patience and understanding.

That’s right, this isn’t a bug in the traditional sense. What’s happening is expected: our signing key is nearing the end of its validity window under the updated policy requirements (specifically, stricter hashing rules around SHA-1). We’re fully aware that this needs updating.

Rest assured, our technical team is already working on rotating the signing key.
Once that’s ready, it will be rolled out in an upcoming update. Thanks for your patience and for helping us improve the Linux install experience.

  • 2 weeks later...

Is there any update on this issue? It is still objecting and an updated signing key would remove the error.  Thanks

We appreciate you following up, and thank you for your patience. Our technical team is actively working on this, and we’ll keep you updated as soon as we have more to share.

  • 3 months later...

Is there any update on this issue? The first report in this thread is from May 16th!

  • 3 weeks later...

The feature request is under review by our technical team and awaiting prioritization. We aim to incorporate it into our roadmap in the near future.

  • 3 weeks later...
  • Author

After 2026-02-01T00:00:00Z Enpass Linux Version 6.11.12 (1953) will no longer be secure / work properly.

YOU HAVE 1 MORE DAY!!

Yeah, this is ridiculous. You can't wait 6 months rotating a GPG key for a PASSWORD(!!!!) Manager. I'm happy to pay for a service. But this is not the first time, you really do poor support. It feels to me this product is dead and you should switch to open source solutions which get actual updates.

17 hours ago, troypulk1 said:

After 2026-02-01T00:00:00Z Enpass Linux Version 6.11.12 (1953) will no longer be secure / work properly.

YOU HAVE 1 MORE DAY!!

And now:

Obj:4 https://repository.spotify.com stable InRelease
Err:2 https://apt.enpass.io stable InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on B6DA722E2E65721AF54B93966F7565879798C2FC is not bound:
No binding signature at time 2025-07-28T06:45:22Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
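
As an added example (not part of any post in this thread, and not Enpass or APT code): a small Python parser for the sqv messages quoted above. It extracts the repository, key fingerprint, InRelease signature time and policy cutoff, and reports whether the cutoff has passed at a given time. The function names are hypothetical, and the sample joins the thread's two outputs.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Audit and Err outputs quoted in this thread, joined.
SAMPLE = """\
Audit: https://apt.enpass.io/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on B6DA722E2E65721AF54B93966F7565879798C2FC is not bound:
              No binding signature at time 2025-01-06T06:23:46Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Err:2 https://apt.enpass.io stable InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on B6DA722E2E65721AF54B93966F7565879798C2FC is not bound:
No binding signature at time 2025-07-28T06:45:22Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
"""

TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
URL = re.compile(r"https?://[^\s/:]+")
KEY = re.compile(r"Signing key on ([0-9A-F]{40}) is not bound")
SIGTIME = re.compile(r"No binding signature at time " + TS)
CUTOFF = re.compile(r"because: (\S+) is not considered secure since " + TS)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sqv_findings(text):
    """Return one dict per 'Signing key ... is not bound' block in apt output."""
    findings, repo, cur = [], None, None
    for line in text.splitlines():
        if m := URL.search(line):          # remember the repo the next block belongs to
            repo = m.group(0)
        if m := KEY.search(line):
            cur = {"repo": repo, "fingerprint": m.group(1)}
            findings.append(cur)
        elif cur is not None and (m := SIGTIME.search(line)):
            cur["signed_at"] = _ts(m.group(1))   # creation time of the InRelease signature
        elif cur is not None and (m := CUTOFF.search(line)):
            cur["algorithm"], cur["cutoff"] = m.group(1), _ts(m.group(2))
    return findings

def status(finding, now):
    """('rejected', 0) once now reaches the cutoff, else ('pending', whole days left)."""
    if "cutoff" not in finding:
        return "unknown", None
    left = finding["cutoff"] - now
    return ("rejected", 0) if left.total_seconds() <= 0 else ("pending", left.days)
```

In both quoted outputs `signed_at` is earlier than `cutoff`: the message names the key's SHA1 PositiveCertification as the rejected object, so the failure follows the policy date rather than the time InRelease was signed.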

On 2/1/2026 at 1:31 AM, TheBigK said:

Yeah, this is ridiculous. You can't wait 6 months rotating a GPG key for a PASSWORD(!!!!) Manager. I'm happy to pay for a service. But this is not the first time, you really do poor support. It feels to me this product is dead and you should switch to open source solutions which get actual updates.

Exactly, we're talking about supplying a new key here for new installs or updating old ones. That is done in 10 minutes at most by asking ChatGPT how to do it... Pathetic. Time to switch.

On 1/12/2026 at 2:16 PM, Tarun Singh Rawat said:

The feature request is under review by our technical team and awaiting prioritization. We aim to incorporate it into our roadmap in the near future.

Seriously? Waiting for prioritization? Adding it to the roadmap?

What level of priority are we talking about for securing a password manager?

This was already brought to your attention last May. Eight months! 8!

The truth is, there doesn't seem to be a technical team for the Linux version anymore. It's time to look elsewhere.

8 hours ago, NikosBzh said:

The truth is, there doesn't seem to be a technical team for the Linux version anymore. It's time to look elsewhere.

I'd like to second that.

It's unacceptable that this problem has been known for eight months and no one feels responsible for fixing it. All we get from support is blah blah blah.

I've been using Enpass for many years under Debian and I'm happy with it. I'd even pay for the Linux version, but not under these conditions.

For a password manager, I expect the generally accepted rules to be followed.

But that doesn't seem to matter to you.

I'll wait a while longer, but then I'll switch programs, I'm sorry to say.

Error message

Warnung: Während der Überprüfung der Signatur trat ein Fehler auf. Das Depot wurde nicht aktualisiert und die vorherigen Indexdateien werden verwendet. OpenPGP-Signaturüberprüfung fehlgeschlagen: https://apt.enpass.io stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on B6DA722E2E65721AF54B93966F7565879798C2FC is not bound: No binding signature at time 2025-07-28T06:45:22Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Edited by geier

I came across this other topic opened in July 2021. I had never read other topics before, but I should have.

It concerns the implementation of FIDO2 or YubiKey security keys.

The response given in July 2021: “This is already in our pipeline and we plan to introduce support for it near the end of this year. Thanks!”

The responses over the months/years are all similar. Our team is working on it, thank you for your patience, blah blah blah....

And the response from January 12, 2026: “The feature request is under review by our technical team and awaiting prioritization. We aim to incorporate it into our roadmap in the near future.”
Almost five years later, it still hasn't been done.

Does that remind you of another response?

No, this is not a joke.

I can no longer believe that there is a viable development team.

While I was a firm believer in Enpass for many years, recent developments have convinced me that this has turned into nothing more than a cash grab. The product is no longer user-oriented and shows little to no real focus on improvement.

At this point, I honestly believe the software itself is essentially dead. Development feels stagnant, communication is minimal, and critical issues keep piling up without meaningful action.

I can no longer recommend Enpass, even though I personally convinced more than six people to adopt it in the past.

The way the “team” handles requests, bug reports, and improvement suggestions is simply unacceptable and, frankly, business-killing. I’m not even convinced there is a real team left, it feels more like a handful of people copy-pasting AI-generated responses. Letting something as basic as a signature expire only reinforces the impression that they no longer care.

For users on a monthly subscription, my honest advice is to cancel and switch to an alternative. For those of us who paid for a “lifetime” license: I’m still trying to figure out how to get out of this without just writing it off as a loss.

Edited by AnakinCaesar

Just ran into this, still not fixed? Can't install it anymore.

Edited by keriati

On 2/5/2026 at 5:55 PM, keriati said:

Just ran into this, still not fixed? Can't install it anymore.

If you use apt (Debian, Ubuntu) you can force install with --allow-insecure-repositories.

Thanks to @randomguy for a workaround. It seems Debian is enforcing the secure certificate test, and Ubuntu and derivatives are more permissive; I don't get the error there. I too wonder if there is any real team there, at least on Linux. But for me, it is still the best solution and as long as it continues to work, there are no reported vulnerabilities, and there are no clear alternatives, it seems like it will be best to continue. However, I plan to evaluate periodically.

19 hours ago, JeffB said:

(...) there are no reported vulnerabilities, and there are no clear alternatives, (...)

Really?
Since 2005, SHA-1 has not been considered secure. For many years now, large organizations have stopped using it.

https://en.wikipedia.org/wiki/SHA-1

This is a huge problem for a secure password manager.

Take a look at Proton Pass. In my opinion, it has become quite mature and fulfills the functions I expect.

I agree SHA-1 is vulnerable, but it still requires significant effort. So far I am comfortable with the available security level. And I hope that the Enpass team can get their security updates distributed.
