Home | Devuan | Git | Forum | Packages | Popcon
Donate now!
Download

Devuan bug report logs - #891
devuan-keyring: New signing key needed?

version graph

Package: devuan-keyring; Maintainer for devuan-keyring is Devuan Developers <devuan-dev@lists.dyne.org>; Source for devuan-keyring is src:devuan-keyring.

Reported by: Martin <Martin@lichtvoll.de>

Date: Mon, 26 May 2025 15:18:01 UTC

Severity: normal

Found in version devuan-keyring/2023.10.07

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.devuan.org
Subject: bug#891: devuan-keyring: New signing key needed?
Reply-To: Mark Hindley <mark@hindley.org.uk>, 891@bugs.devuan.org
Resent-From: Mark Hindley <mark@hindley.org.uk>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: Devuan Developers <devuan-dev@lists.dyne.org>
X-Loop: owner@bugs.devuan.org
Resent-Date: Sun, 27 Jul 2025 17:38:01 +0000
Resent-Message-ID: <handler.891.B891.17536377857937@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: followup 891
X-Devuan-PR-Package: devuan-keyring
X-Devuan-PR-Keywords: 
References: <12678847.O9o76ZdvQC@lichtvoll.de> <12678847.O9o76ZdvQC@lichtvoll.de> <aD3LbBatRfW-nivX@hindley.org.uk> <12678847.O9o76ZdvQC@lichtvoll.de>
X-Devuan-PR-Source: devuan-keyring
Received: via spool by 891-submit@bugs.devuan.org id=B891.17536377857937
          (code B ref 891); Sun, 27 Jul 2025 17:38:01 +0000
Received: (at 891) by bugs.devuan.org; 27 Jul 2025 17:36:25 +0000
Delivered-To: bugs@devuan.org
Received: from email.devuan.org [2a01:4f9:fff1:13::5fd9:f9e4]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Sun, 27 Jul 2025 17:36:25 +0000 (UTC)
Received: from email.devuan.org
	by email.devuan.org with LMTP
	id i9ikCodjhmjXfwAAmSBk0A
	(envelope-from <mark@hindley.org.uk>)
	for <bugs@devuan.org>; Sun, 27 Jul 2025 17:36:07 +0000
Received: by email.devuan.org (Postfix, from userid 109)
	id E886F4A8; Sun, 27 Jul 2025 17:36:06 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=5.0 tests=RDNS_DYNAMIC,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=193.36.131.86; helo=mx.hindley.org.uk; envelope-from=mark@hindley.org.uk; receiver=<UNKNOWN> 
Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86])
	by email.devuan.org (Postfix) with ESMTPS id 75ADB1D
	for <891@bugs.devuan.org>; Sun, 27 Jul 2025 17:36:05 +0000 (UTC)
Received: from hindley.org.uk (apollo.hindleynet [192.168.1.3])
	by mx.hindley.org.uk (Postfix) with SMTP id 6BAE9BE;
	Sun, 27 Jul 2025 18:36:03 +0100 (BST)
Received: (nullmailer pid 11445 invoked by uid 1000);
	Sun, 27 Jul 2025 17:36:03 -0000
Date: Sun, 27 Jul 2025 18:36:03 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: 891@bugs.devuan.org
Cc: Martin <Martin@lichtvoll.de>
Message-ID: <aIZjg5m5_UHOAyh0@hindley.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <aD3LbBatRfW-nivX@hindley.org.uk>
X-UID: 497

On Mon, Jun 02, 2025 at 05:03:56PM +0100, Mark Hindley wrote:
> > Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /
> > usr/bin/sqv returned an error code (1), error message is:
> >    Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
> >               No binding signature at time 2025-05-25T14:45:30Z
> >      because: Policy rejected non-revocation signature 
> > (PositiveCertification) requiring second pre-image resistance
> >      because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

So, the SHA1 541922FB key is used: by

 - all current /devuan suites, but the sqv failure looks only to be relevant for
   freia, ceres and experimental

 - daedalus and ceres for /merged, but only ceres is relevant

My suggestion to manage this is to change the 4 affected suites to be signed by

pub   rsa4096 2017-09-04 [SC]
      E032601B7CA10BC3EA53FA81BB23C00C61FC752C
uid                      Devuan Repository (Amprolla3 on Nemesis) <repository@devuan.org>
sub   rsa4096 2017-09-04 [E]

which is already in the distributed keyring.

It isn't perfect, but is the best I can imagine. Does anybody have any
improvements? What have I missed?

Mark

Send a report that this bug log contains spam.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Aug 8 02:10:53 2025;