Can't update in Denian 13 Trixie

VanSnyder · ‎09-02-2025

I added intel-oneapi to /etc/apt/sources.list.d/intel-oneapi.list after installing Debian 13 (Trixie)

echo "deb https://apt.repos.intel.com/oneapi all main" | sudo tee /etc/apt/sources.list.d/intel-oneapi.list

I installed new keys:

wget -qO /etc/apt/trusted.gpg.d/intel-oneapi.asc https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

(The new keys are the same as the ones I already had, dated 2 Oct 2023.)

I got this when I tried to update :

root@Blue:~# apt update

Hit:1 http://security.debian.org/debian-security trixie-security InRelease

Hit:2 http://deb.debian.org/debian trixie InRelease

Get:3 http://deb.debian.org/debian trixie-updates InRelease [47.1 kB]

Get:4 https://apt.repos.intel.com/oneapi all InRelease [5,680 B]

Err:4 https://apt.repos.intel.com/oneapi all InRelease

  Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature:            Malformed MPI: leading bit is not set: expected bit 8 to be set in  1010100 (54)

Warning: OpenPGP signature verification failed: https://apt.repos.intel.com/oneapi all InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Verifying signature:            Malformed MPI: leading bit is not set: expected bit 8 to be set in  1010100 (54)

Error: The repository 'https://apt.repos.intel.com/oneapi all InRelease' is not signed.

Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.

Notice: See apt-secure(8) manpage for repository creation and user configuration details.

(1) Why has signature verification failed? Is it because Debian switched to sqv and Intel didn't?

(2) Is there a work-around?

FrancoisiocnarF · ‎09-04-2025

According to te Debian developer at https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1099438

the Intel OneAPI repository was created with a broken OpenPGP tool.

jwmwalrus · ‎09-04-2025

I started getting similar errors when Debian Testing switched from its old gpg verification, to a new, Rust-based, one.

So, the key still works for Debian 12, etc. But since Debian Testing became Debian 13 last month, and its new gpg verification is less forgiving, maybe a new key is needed.

Ron_Green · ‎09-19-2025

I am not an expert in gpg keys. I will escalate this to our repo managers. I am concerned that the new verification scheme does not accept older keys. I can imagine that Intel's repo is not the only one caught by surprise. I am concerned that if we switch to a new key that OLDER distros will accept the new key. These are the problems that concern me.

I do know that in our System Requirements document we only officially support Deb 12. Deb 13 just came out August 9th.

For perspective, for 2025.2 we hit code freeze end of April. We validated the solution with the available OS versions across Windows, Visual Studio, RHEL, Fedora, Ubuntu, Deb, etc. at that point of time in the May timeframe. My point here is that although it is tempting to stay up to date with your distribution releases, a bit of caution is required if you have 3rd party applications such as compilers, binutils, linkers, glibc, X11 headers, Python versions, etc. For Linux we are lucky that MOST OF THE TIME newer distro Update releases do not cause breakages. Visual Studio, for example, breaks us frequently with their minor version updates. In the case of Deb, you went from one major release to a new major release. Major releases are when glibc and headers may break tools, key validation schemes, pgp versions, as in this case.

I will find our repo managers and see if they are aware of the key problems with Deb 13.

NineMeow · ‎10-25-2025

Any updates? It has been a while and the broken key issue still exists.

I'm looking forward to testing oneAPI 2025.2, but am used to install oneAPI via APT.