Rotating keys for Session repos

The signing key used for Session’s APT repositories and Github releases is being rotated. The old key uses the SHA1 algorithm — which will be completely rejected by APT as of version 1.2.7 (February 1 2026). 

As such, this key has now been updated. This means users who have installed software packages from the deb.oxen.io APT repository, like session-desktop or session-service-node, need to to install the updated signing public keys to continue installing and updating Session-related packages from these repositories. 

In order to continue receiving updates for Session-related repositories, you need to update by February 1, 2026. However, if you are not a Session Node Operator or Linux user — you can likely disregard this post.

Those who need to can update now, as the updated key is able to validate the repository packages using both the old and new keys. If you do not update by February 1, you will begin seeing errors when updating package lists (and resultingly not be able to update). As an example, you may see the following error(s):

Warning: OpenPGP signature verification failed: https://deb.oxen.io trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 3025F17897F46CB5538178CA401E790E060BB00E, which is needed to verify signature.

How to install the updated keys

Note that if you are stuck using the below guide, further instructions are also available here.

The following is the simplest way of downloading the new key so that your existing configuration will keep working:

sudo curl -so /etc/apt/trusted.gpg.d/session-foundation.gpg https://deb.session.foundation/pub.gpg

Note: Do NOT use this if you are setting up the repository for the first time! 

Note that, by default, the above set-up will accept the STF keys as valid for any repository. If you prefer a set-up wherein the STF’s keys are only accepted for Session-related repositories, follow these directions instead. 

1. Delete the pre-existing file /etc/apt/trusted.gpg.d/oxen.gpg

2. Delete the pre-existing file /etc/apt/sources.list.d/oxen.list

3. Store a copy of the updated STF signing key, using:

sudo curl -so /usr/share/keyrings/session-foundation.gpg https://deb.session.foundation/pub.gpg

4. Create a file in etc/apt/sources.list.d with a .sources extension (for example, session.sources), containing:

Types: deb

URIs: https://deb.session.foundation

Suites: DISTRO (see below!)

Components: main

Signed-By: /usr/share/keyrings/session-foundation.gpg

5. Change the Distro value in the above file to match the codename of your release (you can also check using lsb_release -sc): 

- sid      (Debian unstable)

- forky    (Debian testing, eventually Debian 14)

- trixie   (Debian 13)

- bookworm (Debian 12)

- questing (Ubuntu 25.10)

- noble    (Ubuntu 24.04)

- jammy    (Ubuntu 22.04)

6. Update your local package cache with sudo apt update

7. Now, you can install one or more of the following packages as desired: 

- session-service-node

- oxend

- oxen-storage-server

- lokinet-router

- lokinet

- session-router-relay

- session-desktop

8. From this point forwards, you should be able to sync and upgrade your repositories as normal, using:

a) sudo apt update

b) sudo apt upgrade As a final note, there is also a new deb.session.foundation URL for the repository, but it's the same repository as the pre-existing deb.oxen.io domain name (and both will continue to work).

Help for those in need

For those seeking help with the upgrade, you can find support in the Session Node operators channel on Telegram, the Session Token Discord, or on Session.