EternalTerminal

Debian package causes warning on every `apt update`: Policy will reject signature within a year

Open brainsik opened this issue 4 months ago • 4 comments

After installing the et Debian package, every time I run `apt update` I see the following warning:

Warning: https://mistertea.github.io/debian-et/debian-source/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details

Running with --audit shows:

Audit: https://mistertea.github.io/debian-et/debian-source/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 1B7807C5BEBF69CB10E66BD6F965077657E85C2D is not bound:
              No binding signature at time 2024-05-05T17:08:45Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Debian 13 (trixie) using the 6.2.9-trixie1 Debian package.

brainsik avatar Aug 22 '25 20:08 brainsik

Hi, thanks for reporting! How do we fix that?

MisterTea avatar Aug 23 '25 22:08 MisterTea

According to ChatGPT:

Regenerate your self-signatures (and subkey binding signatures) using SHA-256+ and republish the updated certificate.

Configure GnuPG to use strong digests for certifications:

# ~/.gnupg/gpg.conf
cert-digest-algo SHA256
personal-digest-preferences SHA512 SHA384 SHA256
# (optional) tighten preferences you advertise:
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed


Re-issue fresh self-sigs (any update that touches prefs/expiry will do it):
gpg --edit-key <YOUR-FINGERPRINT>
gpg> showpref        # (optional) inspect advertised prefs
gpg> updpref         # writes a new self-sig using cert-digest-algo
gpg> expire          # set the same or a new expiry; also refreshes subkey bindings
gpg> save

(Changing expiry or preferences forces GnuPG to write new self-/binding signatures with SHA-256.) Red Hat had to do exactly this when older keys still had SHA-1 bindings even though packages were signed with SHA-256.

Verify the result:
sq inspect --cert <(gpg --export <YOUR-FPR>)

ekacnet avatar Aug 23 '25 23:08 ekacnet
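The "Verify the result" step above is where you confirm that the re-issued self-signatures no longer use SHA-1. As an added example (not code from the EternalTerminal project or from the comment's author), the script below parses `gpg --list-packets` output and reports every self-signature or subkey-binding signature whose digest is MD5 or SHA-1, which is exactly the class of signature sqv's policy rejects after 2026-02-01; third-party certifications on the key are ignored, since they are not part of the key's own binding. The embedded packet dump is constructed for the demo with made-up key ids and user ID; the real check is `gpg --export <FPR> | gpg --list-packets | python3 check_bindings.py`.

```python
"""Flag OpenPGP self-signatures and subkey bindings that still use SHA-1 or MD5.

Added example, not EternalTerminal project code. Usage:
    gpg --export <FPR> | gpg --list-packets | python3 check_bindings.py
With no input on stdin it checks the constructed SAMPLE_DUMP below.
"""
import re
import sys

# Digest algorithm ids (RFC 4880, section 9.4); 1 (MD5) and 2 (SHA1) are the weak ones.
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {1, 2}
# Signature classes that bind a certificate together: 0x10-0x13 user ID
# certifications, 0x18 subkey binding, 0x19 primary key binding, 0x1F direct key.
BINDING_CLASSES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1F}

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-F]{16})")
KEYID_RE = re.compile(r"^keyid:\s*([0-9A-F]{16})")
CLASS_RE = re.compile(r"sigclass 0x([0-9a-fA-F]{2})")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed dump in `gpg --list-packets` layout; key ids and user ID are made up.
# One SHA-1 user-ID self-sig, one SHA-1 third-party cert, one SHA-256 subkey binding.
SAMPLE_DUMP = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
    version 4, algo 1, created 1262304000, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example Repo Signing <repo@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1262304000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 1a 2b
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
:signature packet: algo 1, keyid 1111222233334444
    version 4, created 1262390400, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 5e 6f
    subpkt 16 len 8 (issuer key ID 1111222233334444)
:public sub key packet:
    version 4, algo 1, created 1262304000, expires 0
    keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 3c 4d
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
"""


def parse_signatures(dump):
    """One dict per signature packet: signer, subject, sigclass, digest_algo, primary."""
    sigs, primary, expect, subject, sig = [], None, None, None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                      # a new packet starts here
            if sig is not None:
                sigs.append(sig)
                sig = None
            if line.startswith(":public key packet:"):
                expect = "primary"
            elif line.startswith(":public sub key packet:"):
                expect = "subkey"
            elif line.startswith(":user ID packet:"):
                subject = "user ID " + line.split(":", 2)[2].strip()
            else:
                m = SIG_RE.match(line)
                if m:
                    sig = {"signer": m.group(1), "subject": subject,
                           "sigclass": None, "digest_algo": None}
            continue
        m = KEYID_RE.match(line)                      # detail line of a key packet
        if m and expect:
            if expect == "primary":
                primary = m.group(1)
                subject = "primary key " + primary
            else:
                subject = "subkey " + m.group(1)
            expect = None
        elif sig is not None:                         # detail line of a signature packet
            m = CLASS_RE.search(line)
            if m:
                sig["sigclass"] = int(m.group(1), 16)
            m = DIGEST_RE.search(line)
            if m:
                sig["digest_algo"] = int(m.group(1))
    if sig is not None:
        sigs.append(sig)
    for s in sigs:
        s["primary"] = primary
    return sigs


def find_weak_bindings(dump):
    """Self-sigs and binding sigs whose digest falls under sqv's SHA-1 cutoff."""
    weak = []
    for s in parse_signatures(dump):
        if s["signer"] != s["primary"]:               # third-party cert, not a binding
            continue
        if s["sigclass"] in BINDING_CLASSES and s["digest_algo"] in WEAK_DIGESTS:
            weak.append(dict(s, digest=DIGEST_NAMES[s["digest_algo"]]))
    return weak


if __name__ == "__main__":
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    findings = find_weak_bindings(text)
    for f in findings:
        print(f"WEAK: {f['digest']} signature (class 0x{f['sigclass']:02x}) on {f['subject']}")
    print(f"{len(findings)} weak binding signature(s)")
    sys.exit(1 if findings else 0)
```

On the constructed dump the script reports the SHA-1 user-ID self-signature and exits 1; after the `updpref`/`expire` round trip above, the same pipeline run on the re-exported key should report nothing and exit 0. Note that the check is only as good as the exported certificate: run it on what you actually publish (the keyring file shipped in the Debian package or the key served next to the repository), not just on the local secret keyring.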

Underlying cause

Internally, apt uses "Sequoia PGP" to verify signatures - hence the message that /usr/bin/sqv returns an error code in your example above. By default, sqv is configured to accept the (old and broken) SHA1 hash algorithm only until Feb 1st 2026.

How to resolve this issue

There's nothing you can do besides raising awareness for this issue.
This issue can only be resolved by the project team, who need to change their repo signing key to one that does not use SHA1.

How to temporarily suppress this warning until this repo uses another key

To reconfigure sqv, copy /usr/share/apt/default-sequoia.config to /etc/crypto-policies/back-ends/apt-sequoia.config, and change the date in the last line from 2026-02-01 to e.g. 2027-02-01. (more)

Please think about possible implications and do not forget to revert this, once the project team has switched to another key.

jniggemann avatar Aug 31 '25 07:08 jniggemann
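The suppression procedure above, as an added example (not code from the EternalTerminal project or from the comment's author): a small POSIX shell script that creates the local copy of apt's Sequoia policy with the cutoff date moved, refusing to do anything if an override already exists or if the source file does not contain the 2026-02-01 date exactly once, plus a matching function that removes the override again once the repository key has changed. The paths are the ones named in the comment; that the default file contains the date exactly once is an assumption, and the script stops rather than guesses when it does not hold.

```shell
#!/bin/sh
# Added example, not EternalTerminal project code. Extends the SHA-1 cutoff in a
# local override of apt's Sequoia policy so the InRelease warning is silenced until
# the repository is re-signed. The paths below are assumed from the comment above.
#   sh apt_sha1_cutoff.sh extend 2027-02-01     # create the override
#   sh apt_sha1_cutoff.sh revert                # remove it again

SRC_DEFAULT=/usr/share/apt/default-sequoia.config
DST_DEFAULT=/etc/crypto-policies/back-ends/apt-sequoia.config
OLD_CUTOFF=2026-02-01

# extend_sha1_cutoff SRC DST NEWDATE
# Writes DST as a copy of SRC with OLD_CUTOFF replaced by NEWDATE. Refuses when
# NEWDATE is not YYYY-MM-DD, when DST already exists (a local policy may already be
# in place and must not be clobbered), or when SRC does not contain OLD_CUTOFF
# exactly once (assumption about the file layout; edit by hand in that case).
extend_sha1_cutoff() {
    src=${1:-$SRC_DEFAULT}; dst=${2:-$DST_DEFAULT}; new=$3
    case $new in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "extend_sha1_cutoff: NEWDATE must be YYYY-MM-DD" >&2; return 2 ;;
    esac
    if [ -e "$dst" ]; then
        echo "extend_sha1_cutoff: $dst already exists; refusing to overwrite" >&2
        return 1
    fi
    n=$(grep -c -- "$OLD_CUTOFF" "$src") || true
    if [ "$n" != 1 ]; then
        echo "extend_sha1_cutoff: $src has $n lines with $OLD_CUTOFF, expected 1; edit by hand" >&2
        return 1
    fi
    sed "s/$OLD_CUTOFF/$new/" -- "$src" > "$dst" || return 1
    echo "wrote $dst: SHA-1 accepted until $new; delete it once the repo key changes"
}

# revert_sha1_cutoff DST
# Removes the override so apt falls back to the distribution default policy.
revert_sha1_cutoff() {
    dst=${1:-$DST_DEFAULT}
    if [ ! -e "$dst" ]; then
        echo "revert_sha1_cutoff: $dst not present" >&2
        return 1
    fi
    rm -- "$dst"
}

case ${1:-} in
    extend) extend_sha1_cutoff "$SRC_DEFAULT" "$DST_DEFAULT" "$2" ;;
    revert) revert_sha1_cutoff "$DST_DEFAULT" ;;
esac
```

Keep in mind what the override actually does: it tells sqv to keep trusting SHA-1 signatures for every repository on the machine, not just this one, so the date you pick is a deadline for yourself to come back and run `revert`, not a permanent setting.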

The previous comment is not relevant as far as this issue is concerned. The underlying cause is that the key you used to sign the packages uses the old, insecure SHA1 algorithm, and will stop working. So you need to generate a new key and use that to sign the packages. See the Debian packaging docs.

The previous comment was how the user can suppress the warning.

shampeon avatar Nov 09 '25 22:11 shampeon