No trixie repo and "Policy will reject signature within a year"

[ervee]

Hi,

When I change my Debian APT sources file from https://cpkg.datto.com/datto-deb/public/bookworm/ to https://cpkg.datto.com/datto-deb/public/trixie/ I get an error:

Error: The repository 'https://cpkg.datto.com/datto-deb/public/trixie trixie Release' does not have a Release file.

So I left it at "bookworm". But now APT will show the error:

Warning: https://cpkg.datto.com/datto-deb/public/bookworm/dists/bookworm/InRelease: Policy will reject signature within a year, see --audit for details

When I run apt update --audit this is the complete output:

Hit:1 https://security.debian.org/debian-security trixie-security InRelease
Hit:2 https://deb.debian.org/debian trixie InRelease
Hit:3 https://deb.debian.org/debian trixie-updates InRelease
Hit:4 https://cpkg.datto.com/datto-deb/public/bookworm bookworm InRelease
31 packages can be upgraded. Run 'apt list --upgradable' to see them.
Warning: https://cpkg.datto.com/datto-deb/public/bookworm/dists/bookworm/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://cpkg.datto.com/datto-deb/public/bookworm/dists/bookworm/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 70DED76DCD1FA875B97CC75B370C85D709D26407 is not bound:
              No binding signature at time 2025-05-15T11:32:06Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

So Debian Trixie is banning SHA1 signatures starting February 2026.

The current key at https://cpkg.datto.com/DATTO-PKGS-GPG-KEY (from the INSTALL.md info) is the same I have on my system so that's probably the old SHA1 key. Should this be updated to a more modern key, perhaps starting from a new Trixie repo?