So Ubiquiti decided to keep using sha1 it seems. Sigh.

Kinda clean solution (something like this to extend the lifetime of those signatures (which you can repeat if they still haven’t fixed it by next year):):

mkdir -p /etc/crypto-policies/back-ends
cp -a /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config
sed -Ei '/^sha1.second_preimage_resistance /s/ = [0-9-]+/ = 2027-02-01/' /etc/crypto-policies/back-ends/apt-sequoia.config 

Ugly workaround.

echo "APT::Key::GPGVCommand "1";" > /etc/apt/apt.conf.d/99-gpg

Now apt update works again… Let’s hope they fix their keys quickly!