Devuan bug report logs - #891
devuan-keyring: New signing key needed?


Package: devuan-keyring; Maintainer for devuan-keyring is Devuan Developers <devuan-dev@lists.dyne.org>; Source for devuan-keyring is src:devuan-keyring.

Reported by: Martin <Martin@lichtvoll.de>

Date: Mon, 26 May 2025 15:18:01 UTC

Severity: normal

Found in version devuan-keyring/2023.10.07

Done: Mark Hindley <mark@hindley.org.uk>


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Mark Hindley <mark@hindley.org.uk>
Subject: bug#891: marked as done (devuan-keyring: New signing key needed?)
Message-ID: <handler.891.D891.175550841416329.ackdone@bugs.devuan.org>
References: <aKLugYbg8fJaNgBi@hindley.org.uk>
 <12678847.O9o76ZdvQC@lichtvoll.de>
X-Devuan-PR-Message: closed 891
X-Devuan-PR-Package: devuan-keyring
X-Devuan-PR-Source: devuan-keyring
Reply-To: 891@bugs.devuan.org
Date: Mon, 18 Aug 2025 09:14:01 +0000
Content-Type: multipart/mixed; boundary="----------=_1755508441-16339-0"
[Message part 1 (text/plain, inline)]
Your message dated Mon, 18 Aug 2025 10:12:33 +0100
with message-id <aKLugYbg8fJaNgBi@hindley.org.uk>
and subject line Re: bug#891: devuan-keyring: New signing key needed?
has caused the Devuan bug report #891,
regarding devuan-keyring: New signing key needed?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.devuan.org
immediately.)


-- 
891: https://bugs.devuan.org/cgi/bugreport.cgi?bug=891
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Martin <Martin@lichtvoll.de>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Subject: devuan-keyring: New signing key needed?
Date: Mon, 26 May 2025 17:15:50 +0200
Package: devuan-keyring
Version: 2023.10.07
Severity: normal
X-Debbugs-Cc: Martin@Lichtvoll.de

Dear Mark, dear Devuan development team.

In Devuan Ceres I keep getting a warning about policy rejecting the signature
within a year, which Apt explained to me when I used "--audit":

% LANG=C apt update --audit
Hit:1 http://deb.devuan.org/merged ceres InRelease
All packages are up to date.
Warning: http://deb.devuan.org/merged/dists/ceres/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
              No binding signature at time 2025-05-25T14:45:30Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

So does that mean a new signing key is needed?

Reported a bug as suggested by you, Mark.

However: I have apt 3.1.0 from Debian experimental installed. I tried
downgrading to apt 3.0.0devuan1 as I think this version did not display
the above warning and I wanted to verify that. But now I get:

Error: The method driver /usr/lib/apt/methods/sqv could not be found.
Notice: Is the package apt-transport-sqv installed?

This method is not referenced in any of the modernized deb822 sources.

I then removed the package "sqv". Now the output is without any error
message. So it seems this message is related to the switch of Apt to
use Rust-based Sequoia GPG instead of the regular GnuPG 2.

Some additional package versions that may matter:

- apt 3.1.0 from Debian experimental
- sqv 1.3.0-2

As written, I downgraded to apt 3.0.0devuan1 and removed sqv for now.

I bet once the Devuan Apt fork switches to sqv you will see the above
key-related warning. Which means that Devuan Excalibur should not be
affected, however Devuan Ceres may be.

Best,
Martin

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 6 (excalibur/ceres)
Release:	6
Codename:	excalibur ceres
Architecture: x86_64

Kernel: Linux 6.15.0-rc7-t14g5 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de
Shell: /bin/sh linked to /usr/bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages devuan-keyring depends on:
ii  gpgv  2.4.7-19

Versions of packages devuan-keyring recommends:
ii  gnupg  2.4.7-19

devuan-keyring suggests no packages.

-- Configuration Files:
/etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-2022-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-amprolla-2022-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-daedalus-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-excalibur-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-freia-archive.gpg [file not found]

-- no debconf information
[Message part 3 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: Martin <Martin@lichtvoll.de>, 891-done@bugs.devuan.org
Subject: Re: bug#891: devuan-keyring: New signing key needed?
Date: Mon, 18 Aug 2025 10:12:33 +0100

We have reworked the keysigning for ceres. I believe this should be resolved.

Closing.

Mark
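
The audit output in this report names a SHA-1 binding signature (PositiveCertification) as the cause. The following is an added example, not part of the bug log and not Devuan or apt code: it reads text in the shape `gpg --list-packets` prints and reports which user IDs or subkeys have a SHA-1 newest self-signature. The sample listing and its key IDs are constructed, and taking the newest self-signature per component is a simplification of what a verifier such as sqv evaluates.

```python
import re

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880, section 9.4)
BINDING = {0x10, 0x11, 0x12, 0x13, 0x18}  # user ID (0x10-0x13) and subkey (0x18) bindings
SIG = re.compile(r":signature packet: algo \d+, keyid ([0-9A-F]+)")
META = re.compile(r"created (\d+), md5len \d+, sigclass 0x([0-9a-f]+)")
DIGEST = re.compile(r"digest algo (\d+)")

# Constructed, abbreviated listing in the shape `gpg --list-packets` prints.
SAMPLE = """\
:public key packet:
\tkeyid: AAAAAAAAAAAAAAAA
:user ID packet: "Example Archive Key <archive@example.org>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1473400000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 12 34
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
\tversion 4, created 1500000000, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest 56 78
:public sub key packet:
\tkeyid: CCCCCCCCCCCCCCCC
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1700000000, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest de f0
"""

def sha1_bound_components(listing):
    """Return (primary keyid, component) pairs whose newest self-signature uses SHA-1."""
    primary = component = sig = None
    newest = {}  # (primary, component) -> (created, digest algo)
    for text in map(str.strip, listing.splitlines()):
        if text.startswith(":public key packet:"):
            primary, component, sig = None, "primary", None
        elif text.startswith(":public sub key packet:"):
            component, sig = "subkey", None
        elif text.startswith(":user ID packet:"):
            component, sig = "uid " + text.split(":", 2)[2].strip(), None
        elif text.startswith("keyid:") and component == "primary":
            primary = text.split()[1]
        elif text.startswith("keyid:") and component == "subkey":
            component = "subkey " + text.split()[1]
        elif m := SIG.match(text):
            sig = {"issuer": m.group(1)}  # signatures by other keys are skipped below
        elif sig and (m := META.search(text)):
            sig["created"], sig["class"] = int(m.group(1)), int(m.group(2), 16)
        elif sig and (m := DIGEST.match(text)):
            key, own = (primary, component), sig["issuer"] == primary
            if own and sig.get("class") in BINDING and sig["created"] >= newest.get(key, (0, 0))[0]:
                newest[key] = (sig["created"], int(m.group(1)))
    return sorted(k for k, (_, algo) in newest.items() if algo == SHA1)
```

On a real system the input would be the output of `gpg --list-packets` run on a keyring file; a component drops out of the result once a newer self-signature with a stronger hash has been added to it.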

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Sep 1 05:32:55 2025;