
Cannot install on Ubuntu 24.10 due to weak/untrusted key #2736

Open
fschoenm opened this issue Oct 25, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@fschoenm

Describe the bug

On Ubuntu 24.10, jfrog-cli cannot be installed anymore as described on your download page (https://jfrog.com/getcli/) because the key algorithm (DSA-1024) is untrusted:

Get:7 https://releases.jfrog.io/artifactory/jfrog-debs xenial InRelease [4,675 B]
Err:7 https://releases.jfrog.io/artifactory/jfrog-debs xenial InRelease
  The following signatures were invalid: A3D085F542F740BBD7E3A2846B219DCCD7639232 (untrusted public key algorithm: dsa1024)
Warning: GPG error: https://releases.jfrog.io/artifactory/jfrog-debs xenial InRelease: The following signatures were invalid: A3D085F542F740BBD7E3A2846B219DCCD7639232 (untrusted public key algorithm: dsa1024)
Error: The repository 'https://releases.jfrog.io/artifactory/jfrog-debs xenial InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

Current behavior

Installation impossible from Ubuntu/Debian repo.

Reproduction steps

No response

Expected behavior

No response

JFrog CLI version

n/a

Operating system type and version

Ubuntu 24.10

JFrog Artifactory version

No response

JFrog Xray version

No response

@fschoenm fschoenm added the bug Something isn't working label Oct 25, 2024
@kellyschoenhofenge

Same, 24.10, apt has dropped dsa1024. I believe NIST disallowed dsa1024 eleven years ago and it's been on apt's/Canonical's deprecated list for years; it appears they finally followed through.

I read a bit that other companies in the same boat can "double sign", and it just takes a little work on our part to take the more secure key.

I'm willing to dumb-down my security for this, stupidly. Here's a workaround on 24.10:

sudo apt update # shows "untrusted public key algorithm: dsa1024"
sudo apt update --allow-insecure-repositories
sudo apt install jfrog-cli-v2-jf # success :(
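Rather than passing --allow-insecure-repositories, a defender would first check which apt keyrings carry keys that apt 24.10 now refuses. The following is an added example, not code from the thread or from JFrog: it parses the machine-readable output of `gpg --show-keys --with-colons <keyring>` and flags weak primary keys. The sample records are constructed; only the fingerprint comes from the error output above, and the RSA entry is a placeholder.

```python
"""Audit apt signing keys for algorithms apt refuses (added example, constructed data)."""
from typing import Optional

# RFC 4880 public-key algorithm ids as they appear in field 4 of gpg --with-colons output.
ALGO_NAMES = {1: "rsa", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}


def weak_reason(algo_id: int, bits: int) -> Optional[str]:
    """Return why a key is weak, or None. Mirrors apt's rejection of dsa1024 plus a 2048-bit floor."""
    name = ALGO_NAMES.get(algo_id, f"algo{algo_id}")
    if algo_id == 17 and bits <= 1024:
        return f"{name}{bits} is rejected by apt (untrusted public key algorithm)"
    if algo_id in (1, 17) and bits < 2048:
        return f"{name}{bits} is below the 2048-bit minimum"
    return None


def audit_keyring(colons_output: str) -> list:
    """Parse `gpg --show-keys --with-colons` output and annotate each primary key."""
    findings = []
    current = None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            # field 3 = key length, field 4 = algorithm id, field 5 = key id
            current = {"keyid": fields[4], "bits": int(fields[2]),
                       "algo": int(fields[3]), "fpr": None, "uid": None}
            findings.append(current)
        elif fields[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = fields[9]          # field 10 = full fingerprint
        elif fields[0] == "uid" and current and current["uid"] is None:
            current["uid"] = fields[9]          # field 10 = user id string
    for key in findings:
        key["weak"] = weak_reason(key["algo"], key["bits"])
    return findings


# Constructed sample: a DSA-1024 key carrying the fingerprint from the apt error, and a
# placeholder RSA-4096 key (all-zero fingerprint) to show a key that passes the check.
SAMPLE = """pub:-:1024:17:6B219DCCD7639232:1455000000:::-:::scSC::::::23::0:
fpr:::::::::A3D085F542F740BBD7E3A2846B219DCCD7639232:
uid:-::::1455000000::HASH::Constructed Repo Signing Key <example@invalid>::::::::::0:
pub:-:4096:1:0000000000000000:1700000000:::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1700000000::HASH::Placeholder RSA Key <example@invalid>::::::::::0:
"""

if __name__ == "__main__":
    for key in audit_keyring(SAMPLE):
        status = key["weak"] or "ok"
        print(f"{key['fpr']} {key['uid']}: {status}")
```

On a real system, feed it the output of `gpg --show-keys --with-colons` run over each file in /etc/apt/trusted.gpg.d and /usr/share/keyrings; any key flagged here is one apt will refuse, so the fix is a re-signed repository key, not a weaker apt policy.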

2 participants