Martin,
Thanks for this.
On Mon, May 26, 2025 at 05:15:50PM +0200, Martin wrote:
> Package: devuan-keyring
> Version: 2023.10.07
> Severity: normal
> X-Debbugs-Cc: Martin@???
>
> Dear Mark, dear Devuan development team.
>
> In Devuan Ceres I keep getting a warning about policy rejecting signature
> within a year which I got explained by Apt by using "--audit":
>
> % LANG=C apt update --audit
> Hit:1 http://deb.devuan.org/merged ceres InRelease
> All packages are up to date.
> Warning: http://deb.devuan.org/merged/dists/ceres/InRelease: Policy will reject signature within a year, see --audit for details
> Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
> Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
> No binding signature at time 2025-05-25T14:45:30Z
> because: Policy rejected non-revocation signature
> (PositiveCertification) requiring second pre-image resistance
> because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
This looks as if sqv (the new Rust-based key verifier) is going to be more picky
about SHA1.

At the moment, I think ceres and all of the unmerged repos
(pkgmaster.devuan.org/devuan) use a SHA1 key.

Generating and using a new key is not too problematic, but getting it
distributed is more so. You end up in a chicken and egg cycle with the new key
being used but apt refusing to update the devuan-keyring package because it
can't verify the key.

Does anybody have a good idea how to resolve that? We will have lots of unhappy
users if they can no longer apt update|upgrade|install.
Mark
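An added example, not part of the thread and not Devuan's own tooling: a small audit that finds which keys in a GnuPG keyring still carry SHA1 self-signatures (positive certifications and subkey bindings), which is exactly what sqv's policy objects to above. It assumes GnuPG's `--with-colons` record layout (field 5 is the signing key id, field 11 the signature class, field 16 the hash algorithm, where 2 means SHA1); the sample records are constructed, not real Devuan key data.

```shell
#!/bin/sh
# Added example (not from the thread): flag self-signatures that still use SHA1
# in a GnuPG keyring, since sqv's policy rejects them as binding signatures.
# Assumed --with-colons layout: field 5 = signing key id, field 11 = signature
# class (13x = positive certification, 18x = subkey binding), field 16 = hash
# algorithm (2 = SHA1, 8 = SHA256, 10 = SHA512).

# sha1_self_sigs: read colon-format records on stdin and print "KEYID CLASS"
# for every self-signature (issuer == current primary key) made with SHA1.
sha1_self_sigs() {
    awk -F: '
        $1 == "pub" { cur = $5 }   # remember the primary key id for this block
        $1 == "sig" && $5 == cur && $16 == "2" &&
            ($11 ~ /^1[0-3]/ || $11 ~ /^18/) { print cur, $11 }
    '
}

# audit_keyring FILE: run GnuPG over a keyring file and report SHA1 self-sigs.
audit_keyring() {
    gpg --no-default-keyring --keyring "$1" --with-colons --fixed-list-mode \
        --list-sigs 2>/dev/null | sha1_self_sigs
}

# Constructed sample (hypothetical key ids, not real Devuan data): key AAAA...
# is self-certified and has its subkey bound with SHA1; key CCCC... uses SHA256.
SAMPLE='pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000::-::::scESC::::::23::0:
uid:-::::1400000000::HASH::Example One <one@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example One <one@example.invalid>:13x:::::2:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::s::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example One <one@example.invalid>:18x:::::2:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000::-::::scESC::::::23::0:
uid:-::::1600000000::HASH::Example Two <two@example.invalid>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1600000000::::Example Two <two@example.invalid>:13x:::::8:'

# count_sample_hits: number of SHA1 self-signatures found in the sample above.
count_sample_hits() {
    printf '%s\n' "$SAMPLE" | sha1_self_sigs | wc -l | tr -d ' '
}

# Usage against a real keyring: audit_keyring /usr/share/keyrings/<keyring>.gpg
printf '%s\n' "$SAMPLE" | sha1_self_sigs
```

Running it over the sample prints both SHA1 self-signatures of the first key and nothing for the second; a real keyring with no output would pass sqv's SHA1 check.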