Devuan bug report logs - #891
devuan-keyring: New signing key needed?


Package: devuan-keyring; Maintainer for devuan-keyring is Devuan Developers <devuan-dev@lists.dyne.org>; Source for devuan-keyring is src:devuan-keyring.

Reported by: Martin <Martin@lichtvoll.de>

Date: Mon, 26 May 2025 15:18:01 UTC

Severity: normal

Found in version devuan-keyring/2023.10.07

Subject: bug#891: devuan-keyring: New signing key needed?
From: Martin <Martin@lichtvoll.de>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Date: Mon, 26 May 2025 17:15:50 +0200
Package: devuan-keyring
Version: 2023.10.07
Severity: normal
X-Debbugs-Cc: Martin@Lichtvoll.de

Dear Mark, dear Devuan development team.

In Devuan Ceres I keep getting a warning about policy rejecting the signature
within a year, which Apt explained to me when I used "--audit":

% LANG=C apt update --audit
Hit:1 http://deb.devuan.org/merged ceres InRelease
All packages are up to date.
Warning: http://deb.devuan.org/merged/dists/ceres/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
              No binding signature at time 2025-05-25T14:45:30Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
So does that mean a new signing key is needed?

Reported a bug as suggested by you, Mark.

However: I have apt 3.1.0 from Debian experimental installed. I tried
downgrading to apt 3.0.0devuan1 as I think this version did not display
the above warning and I wanted to verify that. But now I get:

Error: The method driver /usr/lib/apt/methods/sqv could not be found.
Notice: Is the package apt-transport-sqv installed?

This method is not referenced in any of the modernized deb822 sources.

I then removed the package "sqv". Now the output is without any error
message. So it seems this message is related to the switch of Apt to
use the Rust-based Sequoia GPG instead of the regular GnuPG 2.

Some additional package versions that may matter:

- apt 3.1.0 from Debian experimental
- sqv 1.3.0-2

As written, I downgraded to apt 3.0.0devuan1 and removed sqv for now.

I bet once the Devuan Apt fork switches to sqv you will see the above
key-related warning. Which means that Devuan Excalibur should not be
affected, however Devuan Ceres may be.

Best,
Martin

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 6 (excalibur/ceres)
Release:	6
Codename:	excalibur ceres
Architecture: x86_64

Kernel: Linux 6.15.0-rc7-t14g5 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de
Shell: /bin/sh linked to /usr/bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages devuan-keyring depends on:
ii  gpgv  2.4.7-19

Versions of packages devuan-keyring recommends:
ii  gnupg  2.4.7-19

devuan-keyring suggests no packages.

-- Configuration Files:
/etc/apt/trusted.gpg.d/devuan-keyring-2016-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-2022-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-amprolla-2022-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-daedalus-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-excalibur-archive.gpg [file not found]
/etc/apt/trusted.gpg.d/devuan-keyring-freia-archive.gpg [file not found]

-- no debconf information
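
Added example, not part of the original report and not code from apt, sqv or Devuan: a small parser for the sqv audit finding quoted in the report, which pulls out the key fingerprint, the rejected hash algorithm and the policy cutoff so that such findings can be tracked across repositories. The function name and the returned field names are assumptions made for this example; the sample text is the output from the report with the mail line-wrapping undone.

```python
import re
from datetime import datetime, timezone

# Audit text copied from the report above, with mail line-wrapping undone.
AUDIT = """\
Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
              No binding signature at time 2025-05-25T14:45:30Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
"""

TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_sqv_audit(text):
    """Return the fields of one sqv policy finding, or None if the text has none."""
    # Collapse whitespace so a phrase wrapped across lines still matches.
    flat = " ".join(text.split())
    key = re.search(r"Signing key on ([0-9A-F]{40}) is not bound", flat)
    at = re.search(r"No binding signature at time " + TS, flat)
    algo = re.search(r"because: (\w+) is not considered secure since " + TS, flat)
    if not (key and at and algo):
        return None
    repo = re.search(r"Audit: (\S+?): Sub-process", flat)
    sig_type = re.search(r"signature \((\w+)\)", flat)
    checked, cutoff = _utc(at.group(1)), _utc(algo.group(2))
    return {
        "repo": repo.group(1) if repo else None,
        "fingerprint": key.group(1),
        "signature_type": sig_type.group(1) if sig_type else None,
        "algorithm": algo.group(1),
        "checked_at": checked,
        "cutoff": cutoff,
        # Whole days between the time in the message and the policy cutoff.
        "days_to_cutoff": (cutoff - checked).days,
    }


if __name__ == "__main__":
    for name, value in parse_sqv_audit(AUDIT).items():
        print(f"{name}: {value}")
```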

Last modified: Thu Jun 5 17:08:07 2025;