Raspbian Trixie upgrade
The Raspberry Pi Foundation has just released a major update to Raspberry Pi OS, now based on Debian “trixie.” If you’re running the previous version (based on Debian “bookworm”), you might be wondering whether to upgrade your existing setup or start fresh. Here’s everything you need to know to make an informed decision. I am upgrading my old Pi 3 since the others I have are using Ubuntu. I still have this Pi for apps that work on 32bit arm CPU architecture.
The Clean Install vs. Upgrade recommendation
When it comes to major OS upgrades, the Raspberry Pi Foundation recommends a clean installation. This means downloading the latest image from Raspberry Pi Imager or the official website, flashing it to your SD card, and then reinstalling your applications and transferring your data.
Why such a strong recommendation? The reality is that while upgrading an existing system is technically possible, it’s fraught with potential pitfalls. The Foundation can only test clean images. They can’t account for every possible combination of third-party software, custom configurations, and modifications that users might have applied over time. Any of these factors could cause the upgrade to fail in unpredictable ways, potentially leaving you with a system that won’t boot.
Before You Consider Upgrading
If you’re still interested in attempting an in-place upgrade despite the risks like me, here are some critical prerequisites:
- Back up everything first. Or don’t if you like to be risky.
- Never attempt this on a system you’re actively relying on for important tasks.
- Understand that you’re proceeding entirely at your own risk.
It’s also worth reviewing Debian’s official guidance on upgrading from bookworm to trixie for additional context. Raspberry pi OS is based on Debian.
The Upgrade Process
If you’ve weighed the risks and decided to proceed, here’s the upgrade process:
Step 1: Update Your Current System
Start with a bookworm image and ensure it’s fully updated:
sudo apt update
sudo apt full-upgrade
Step 2: Configure APT for Trixie
You’ll need to update your package sources to point to trixie instead of bookworm. The easiest way to do this is using the sed
command, which will automatically replace all instances of “bookworm” with “trixie” in your configuration files.
First, update the main sources list:
sudo sed -i 's/bookworm/trixie/g' /etc/apt/sources.list
Then update all the files in the sources.list.d directory:
sudo sed -i 's/bookworm/trixie/g' /etc/apt/sources.list.d/*.list
These commands work by searching for every occurrence of “bookworm” and replacing it with “trixie” in place (-i
flag). On a clean image, this will primarily affect the raspi.list
file, but if you’ve added additional repositories, those will be updated as well.
Warning: If one of your sources does not have a repo set up for Trixie, it will fail and the repo will be disabled. Proceed at your own risk.
Step 3: Refresh Package Lists
sudo apt update
Step 4: Remove Obsolete Packages
Remove unused packages. Check if you have one troublesome package in particular:
sudo apt purge -y raspberrypi-ui-mods
sudo apt autoremove -y
Step 5: Perform the Major Upgrade
Enter this command with the additional options even though they look strange compared to most shell commands.
sudo apt full-upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --purge --auto-remove
During this process, you’ll be prompted about restarting services. Answer “yes” to this question. If you’re asked anything else, “yes” is likely the correct response.
Step 6: Install New Trixie Packages (optional)
If you are using a desktop environment, you can install new packages added in Trixie:
sudo apt install -y rpd-wayland-all rpd-x-all
Step 7: Finish Up
Once the upgrade completes without errors, run sync
to ensure all filesystem caches are cleared, then reboot your system:
sync
sudo reboot
Verifying Your Upgrade
When your desktop returns, you can confirm you’re running trixie by opening a terminal and typing:
lsb_release -c
This should display “trixie” as your current codename.
Upgrade issues
I had one issue with the upgrade. My static ip config in /etc/dhcpcd.conf stopped working so I went back to defining my network interface in a new file in /etc/network/interfaces.d/static
auto eth0
iface eth0 inet static
address 10.0.0.2
gateway 10.0.0.1
dns-nameservers 10.0.0.1 10.0.0.99
Restart networking service: sudo systemctl restart networking.service
.
Second issue
This post was updated 2025-10-06 after I saw apt failed to update
A number of days after doing the upgrade I tried to update the packages using apt update
but this failed:
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://archive.raspberrypi.org/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key [removed] which is needed to verify signature
This error occurs because Debian 13 (Trixie) uses a new signature verification system (sqv from Sequoia-PGP) instead of the old apt-key method, and the Raspberry Pi repository key isn’t recognized by the new system.
The fix should be to install the Raspberry Pi archive key and reference it with signed-by
. First check for /etc/apt/keyrings
directory on the system. This is where we will add the key for the apt repo.
Now we need to download and install the appropriate key from the apt repo:
curl -fsSL https://archive.raspberrypi.org/debian/raspberrypi.gpg.key \
| sudo gpg --dearmor -o /etc/apt/keyrings/raspberrypi-archive-keyring.gpg
# Update the file permissions once downloaded
sudo chmod 0644 /etc/apt/keyrings/raspberrypi-archive-keyring.gpg
Point your source list at the keyring (adjust cpu arch if needed):
# File is usually /etc/apt/sources.list.d/raspi.list
# Example:
deb [arch=arm64 signed-by=/etc/apt/keyrings/raspberrypi-archive-keyring.gpg] http://archive.raspberrypi.org/debian trixie main
This will enable updates but now apt produces a warning. This however is on the package maintainers to address, not us end users:
Warning: http://archive.raspberrypi.org/debian/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://archive.raspberrypi.org/debian/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on CF8A1AF502A2AA2D763BAE7E82B129927FA3303E is not bound:
No binding signature at time 2025-10-06T13:33:19Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Running sudo apt update --audit
produced the additional output that reveals that while the signature is valid, it is using a legacy algorithm that will be considered deprecated staring February 2026.
Afterwards I saw another message that we can run a command to update the existing sources to a new format with modernize-sources
. This lists what it will do:
sudo apt modernize-sources
The following files need modernizing:
- /etc/apt/sources.list
- /etc/apt/sources.list.d/100-ubnt-unifi.list
- /etc/apt/sources.list.d/docker.list
- /etc/apt/sources.list.d/raspi.list
Modernizing will replace .list files with the new .sources format,
add Signed-By values where they can be determined automatically,
and save the old files into .list.bak files.
This command supports the 'signed-by' and 'trusted' options. If you
have specified other options inside [] brackets, please transfer them
manually to the output files; see sources.list(5) for a mapping.
For a simulation, respond N in the following prompt.
Rewrite 4 sources? [Y/n]
Here is an example of what happened to /etc/apt/sources.list
. It became a new file /etc/apt/sources.list.d/raspbian.sources
:
# Modernized from /etc/apt/sources.list
Types: deb
URIs: http://raspbian.raspberrypi.org/raspbian/
Suites: trixie
Components: main contrib non-free rpi
Signed-By: /usr/share/keyrings/raspbian-archive-keyring.gpg
Now when you run apt it will use this file to update that repo.