Devuan bug report logs - #891
devuan-keyring: New signing key needed?


Package: devuan-keyring; Maintainer for devuan-keyring is Devuan Developers <devuan-dev@lists.dyne.org>; Source for devuan-keyring is src:devuan-keyring.

Reported by: Martin <Martin@lichtvoll.de>

Date: Mon, 26 May 2025 15:18:01 UTC

Severity: normal

Found in version devuan-keyring/2023.10.07

Full log


X-Loop: owner@bugs.devuan.org
Subject: bug#891: devuan-keyring: New signing key needed?
Reply-To: Mark Hindley <mark@hindley.org.uk>, 891@bugs.devuan.org
Resent-From: Mark Hindley <mark@hindley.org.uk>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: Devuan Developers <devuan-dev@lists.dyne.org>
X-Loop: owner@bugs.devuan.org
Resent-Date: Mon, 02 Jun 2025 16:06:01 +0000
Resent-Message-ID: <handler.891.B891.174888027224742@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: followup 891
X-Devuan-PR-Package: devuan-keyring
X-Devuan-PR-Keywords: 
References: <12678847.O9o76ZdvQC@lichtvoll.de> <12678847.O9o76ZdvQC@lichtvoll.de>
X-Devuan-PR-Source: devuan-keyring
Received: via spool by 891-submit@bugs.devuan.org id=B891.174888027224742
          (code B ref 891); Mon, 02 Jun 2025 16:06:01 +0000
Received: (at 891) by bugs.devuan.org; 2 Jun 2025 16:04:32 +0000
Delivered-To: bugs@devuan.org
Received: from email.devuan.org [2a01:4f9:fff1:13::5fd9:f9e4]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Mon, 02 Jun 2025 16:04:32 +0000 (UTC)
Received: from email.devuan.org
	by email.devuan.org with LMTP
	id RdikD3DLPWiiVAAAmSBk0A
	(envelope-from <mark@hindley.org.uk>)
	for <bugs@devuan.org>; Mon, 02 Jun 2025 16:04:00 +0000
Received: by email.devuan.org (Postfix, from userid 109)
	id 2538B99; Mon,  2 Jun 2025 16:04:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=RCVD_IN_VALIDITY_CERTIFIED,
	RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,RDNS_DYNAMIC,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=193.36.131.86; helo=mx.hindley.org.uk; envelope-from=mark@hindley.org.uk; receiver=<UNKNOWN> 
Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86])
	by email.devuan.org (Postfix) with ESMTPS id 142DB41
	for <891@bugs.devuan.org>; Mon,  2 Jun 2025 16:03:57 +0000 (UTC)
Received: from hindley.org.uk (apollo.hindleynet [192.168.1.3])
	by mx.hindley.org.uk (Postfix) with SMTP id B76EFBF;
	Mon,  2 Jun 2025 17:03:56 +0100 (BST)
Received: (nullmailer pid 30205 invoked by uid 1000);
	Mon, 02 Jun 2025 16:03:56 -0000
Date: Mon, 2 Jun 2025 17:03:56 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: Martin <Martin@lichtvoll.de>, 891@bugs.devuan.org
Message-ID: <aD3LbBatRfW-nivX@hindley.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <12678847.O9o76ZdvQC@lichtvoll.de>

Martin,

Thanks for this.


On Mon, May 26, 2025 at 05:15:50PM +0200, Martin wrote:
> Package: devuan-keyring
> Version: 2023.10.07
> Severity: normal
> X-Debbugs-Cc: Martin@Lichtvoll.de
> 
> Dear Mark, dear Devuan development team.
> 
> In Devuan Ceres I keep getting a warning about policy rejecting signature
> within a year which I got explained by Apt by using "--audit":
> 
> % LANG=C apt update --audit
> Hit:1 http://deb.devuan.org/merged ceres InRelease
> All packages are up to date.    
> Warning: http://deb.devuan.org/merged/dists/ceres/InRelease: Policy will 
> reject signature within a year, see --audit for details
> Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /
> usr/bin/sqv returned an error code (1), error message is:
>    Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
>               No binding signature at time 2025-05-25T14:45:30Z
>      because: Policy rejected non-revocation signature 
> (PositiveCertification) requiring second pre-image resistance
>      because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

This looks as if sqv (the new rust-based key verifier) is going to be more picky
about SHA1.

At the moment, I think ceres and all of the unmerged repos
(pkgmaster.devuan.org/devuan) use a SHA1 key.

Generating and using a new key is not too problematic, but getting it
distributed is more so. You end up in a chicken and egg cycle with the new key
being used but apt refusing to update the devuan-keyring package because it
can't verify the key.

Does anybody have a good idea how to resolve that? We will have lots of unhappy
users if they can no longer apt update|upgrade|install.

Mark
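The sqv error quoted in Martin's report, and Mark's reading of it, come down to one property of the repository key: the self-signature that binds its User ID (the PositiveCertification) was made with SHA-1, and sequoia's policy stops accepting SHA-1 for that purpose at the date shown. An administrator can check their own apt keyrings for the same condition before the cutoff. The script below is an added example, not code from this bug report, from apt, sqv or the devuan-keyring package. It parses the binary OpenPGP packet stream that apt keeps in `/etc/apt/trusted.gpg.d/` and `/usr/share/keyrings/`, and lists primary keys whose User ID certification or subkey binding self-signature uses MD5 or SHA-1. It only inspects signature metadata (type, hash algorithm, issuer); it does not verify the signatures, and the keyring it embeds is constructed for the test, with nonsense key material and invalid signature bytes.

```python
"""Audit an OpenPGP keyring for binding self-signatures made with MD5 or SHA-1.

Added example, not code from the bug report, apt, sqv or devuan-keyring. It
walks the binary packet stream apt keeps under /etc/apt/trusted.gpg.d/ and
reports primary keys whose User ID certification or subkey binding
self-signature uses a hash that sqv's policy rejects. SAMPLE_KEYRING is
constructed for the test: the key material and signature bytes are nonsense.
"""
import hashlib
import struct
import sys

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}
SIG_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
             0x12: "CasualCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x1F: "DirectKey"}
PUBKEY, PUBSUBKEY, USERID, SIGNATURE = 6, 14, 13, 2


def iter_packets(data):
    """Yield (tag, body) per packet; handles RFC 4880 old and new headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, i = data[i], i + 1
            elif ltype == 1:
                length, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
            elif ltype == 2:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                length = len(data) - i                   # indeterminate length
        yield tag, data[i:i + length]
        i += length


def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket in a (un)hashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            ln, i = first, i + 1
        elif first < 255:
            ln, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            ln, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + ln]         # strip critical bit
        i += ln


def v4_fingerprint(key_body):
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    prefix = b"\x99" + struct.pack(">H", len(key_body))
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def parse_signature(body):
    """Return (sig_type, hash_algo, issuer_key_id_hex) from a signature body."""
    version = body[0]
    if version == 3:
        return body[2], body[16], body[7:15].hex().upper()
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    sig_type, hash_algo = body[1], body[3]
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    issuer = None
    for sp_type, sp in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if sp_type == 33 and sp[0] == 4:                 # issuer fingerprint
            issuer = sp[1:].hex().upper()[-16:]
        elif sp_type == 16 and issuer is None:           # issuer key ID
            issuer = sp.hex().upper()
    return sig_type, hash_algo, issuer


def weak_binding_signatures(keyring):
    """List self-signatures binding a UID/subkey that use MD5 or SHA-1."""
    findings, fpr, key_id, target = [], None, None, None
    for tag, body in iter_packets(keyring):
        if tag == PUBKEY:
            fpr, target = v4_fingerprint(body), "primary key"
            key_id = fpr[-16:]
        elif tag == USERID:
            target = body.decode("utf-8", "replace")
        elif tag == PUBSUBKEY:
            target = "subkey " + v4_fingerprint(body)[-16:]
        elif tag == SIGNATURE and fpr is not None:
            sig_type, hash_algo, issuer = parse_signature(body)
            # Only self-signatures (issuer == primary key) bind a certificate.
            if sig_type in SIG_TYPES and issuer == key_id and hash_algo in WEAK_HASHES:
                findings.append({"fingerprint": fpr, "bound": target,
                                 "sig_type": SIG_TYPES[sig_type],
                                 "hash": HASH_ALGOS.get(hash_algo, str(hash_algo))})
    return findings


def _pkt(tag, body):
    """Constructed new-format packet (bodies under 192 bytes; sample data only)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _sig(sig_type, hash_algo, issuer_hex):
    """Constructed v4 signature body: creation-time and issuer subpackets, junk MPI."""
    hashed = b"\x05\x02\x65\x00\x00\x00" + b"\x09\x10" + bytes.fromhex(issuer_hex)
    return (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed))
            + hashed + b"\x00\x00" + b"\xAB\xCD" + b"\x00\x08\xFF")


# Constructed sample keyring: one RSA-shaped primary key, one UID, one subkey.
_PRIMARY = b"\x04\x65\x00\x00\x00\x01" + b"\x00\x10\xC0\x01" + b"\x00\x11\x01\x00\x01"
_SUBKEY = b"\x04\x65\x00\x00\x01\x01" + b"\x00\x10\xC0\x03" + b"\x00\x11\x01\x00\x01"
_KEY_ID = v4_fingerprint(_PRIMARY)[-16:]
SAMPLE_KEYRING = (
    _pkt(PUBKEY, _PRIMARY)
    + _pkt(USERID, b"Constructed Test Key <test@example.invalid>")
    + _pkt(SIGNATURE, _sig(0x13, 2, _KEY_ID))           # SHA-1 self-sig: flagged
    + _pkt(SIGNATURE, _sig(0x10, 2, "0123456789ABCDEF"))  # third-party cert: ignored
    + _pkt(PUBSUBKEY, _SUBKEY)
    + _pkt(SIGNATURE, _sig(0x18, 8, _KEY_ID))           # SHA-256 binding: fine
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    for f in weak_binding_signatures(data):
        print(f"{f['fingerprint']}: {f['sig_type']} on {f['bound']} uses {f['hash']}")
```

Run with a keyring path as the only argument (for example a file from `/usr/share/keyrings/`, which must be the binary, not ASCII-armored, form) to see the fingerprints that would produce the "not bound" error once the policy date passes; with no argument it runs on the constructed sample and flags the SHA-1 PositiveCertification. The check deliberately ignores third-party certifications, since only self-signatures determine whether sqv treats a key as bound, and it does not encode the cutoff date itself, which is set by the verifier's policy rather than by the key.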



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Jun 5 17:06:17 2025;