On Mon, Jun 02, 2025 at 05:03:56PM +0100, Mark Hindley wrote:
> > Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process
> > /usr/bin/sqv returned an error code (1), error message is:
> > Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
> > No binding signature at time 2025-05-25T14:45:30Z
> > because: Policy rejected non-revocation signature
> > (PositiveCertification) requiring second pre-image resistance
> > because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
So, the SHA1 541922FB key is used by:
- all current /devuan suites, but the sqv failure only looks to be relevant for
freia, ceres and experimental
- daedalus and ceres for /merged, but only ceres is relevant
My suggestion to manage this is to change the 4 affected suites to be signed by
pub rsa4096 2017-09-04 [SC]
E032601B7CA10BC3EA53FA81BB23C00C61FC752C
uid Devuan Repository (Amprolla3 on Nemesis) <repository@???>
sub rsa4096 2017-09-04 [E]
which is already in the distributed keyring.
It isn't perfect, but is the best I can imagine. Does anybody have any
improvements? What have I missed?
Mark
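As an added example (not part of this thread or of Devuan's tooling), a small Python check that mirrors what sqv complains about: it walks OpenPGP packets and flags signature packets whose hash algorithm is SHA1 or MD5. The sample packet is constructed inline, using the 541922FB key ID from the quoted error as the issuer; it is not a real Devuan signature.

```python
import struct
# OpenPGP IDs from RFC 4880 section 9; the policy quoted above rejects SHA1 (2), and MD5 (1) likewise
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x00: "Binary", 0x10: "GenericCertification", 0x13: "PositiveCertification", 0x18: "SubkeyBinding"}
WEAK_HASHES = {1, 2}

def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet; old- and new-format headers, no partial body lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                              # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                       # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def describe_signature(body):
    """Decode the fixed header of a version-4 signature packet (RFC 4880 section 5.2.3)."""
    version, sig_type, pk_algo, hash_algo = body[:4]
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    return {"type": SIG_TYPES.get(sig_type, hex(sig_type)), "pk_algo": pk_algo,
            "hash": HASH_ALGOS.get(hash_algo, str(hash_algo)), "weak": hash_algo in WEAK_HASHES}

def weak_signatures(data):
    """Return the signature packets (tag 2) in data whose hash the sqv policy would reject."""
    sigs = (describe_signature(body) for tag, body in iter_packets(data) if tag == 2)
    return [s for s in sigs if s["weak"]]

# Constructed sample: minimal v4 PositiveCertification (0x13), RSA (1), SHA1 (2); one hashed subpacket
# (creation time), one unhashed subpacket (issuer key ID 541922FB, from the thread) and a toy MPI.
SAMPLE_SIG = bytes([0xC2, 0x1D,                                 # new-format header: tag 2, 29-byte body
                    4, 0x13, 1, 2,                              # version, sig type, pk algo, hash algo
                    0, 6, 5, 2, 0x68, 0x33, 0x2F, 0x0E,         # hashed subpackets: creation time
                    0, 10, 9, 16, 0x94, 0x53, 0x21, 0x24, 0x54, 0x19, 0x22, 0xFB,  # unhashed: issuer
                    0xAB, 0xCD,                                 # left 16 bits of the hash
                    0, 8, 0xFF])                                # MPI: 8-bit toy signature value
```

Running `weak_signatures` over a dearmored keyring or InRelease signature shows which certifications still rest on SHA1 before switching suites to another key.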