On Sun, Jul 27, 2025 at 06:36:03PM +0100, Mark Hindley wrote:
> On Mon, Jun 02, 2025 at 05:03:56PM +0100, Mark Hindley wrote:
> > > Audit: http://deb.devuan.org/merged/dists/ceres/InRelease: Sub-process /
> > > usr/bin/sqv returned an error code (1), error message is:
> > > Signing key on 72E3CB773315DFA2E464743D94532124541922FB is not bound:
> > > No binding signature at time 2025-05-25T14:45:30Z
> > > because: Policy rejected non-revocation signature
> > > (PositiveCertification) requiring second pre-image resistance
> > > because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
>
> So, the SHA1 541922FB key is used: by
>
> - all current /devuan suites, but the sqv failure looks only to be relevant for
> freia, ceres and experimental
>
> - daedalus and ceres for /merged, but only ceres is relevant
>
> My suggestion to manage this is to change the 4 affected suites to be signed by
>
> pub rsa4096 2017-09-04 [SC]
> E032601B7CA10BC3EA53FA81BB23C00C61FC752C
> uid Devuan Repository (Amprolla3 on Nemesis) <repository@???>
> sub rsa4096 2017-09-04 [E]
>
> which is already in the distributed keyring.
>
> It isn't perfect, but is the best I can imagine. Does anybody have any
> improvements? What have I missed?
How is the transition to be managed?
Presumably the key mechanism used when updating, say, a daedalus system will
have to be updated before downloading package updates that rely on the
new mechanism.
-- hendrik
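A check that belongs with the discussion above, added here as an example and not code from the thread, from Devuan or from sqv/apt: before moving suites to another key, list which keys in the distributed keyring still carry SHA1 self-signatures, since those are exactly the "binding signature ... requiring second pre-image resistance" failures sqv reports. The script parses the text `gpg --list-packets KEYRING` prints and reports the issuer key ID of every positive user-ID certification (sigclass 0x13) or subkey binding (0x18) hashed with OpenPGP digest algorithm 2 (SHA1). The embedded input is constructed: it reuses the two key IDs named in the thread (541922FB and 61FC752C), but the packet offsets, dates, user IDs and digest algorithms are invented for the demonstration; in particular the page does not say which hash the 61FC752C key's self-signature uses, so its SHA-512 binding here is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: find keys whose self-signatures use SHA1
# (OpenPGP hash algorithm 2). Input is the output of `gpg --list-packets FILE`.
# Only sigclass 0x13 (positive UID certification) and 0x18 (subkey binding)
# count: those are the "binding signatures" sqv's policy evaluates. A SHA1
# third-party certification (0x10-0x12) on the same key does not break it.

sha1_bound_keys() {
    awk '
        # Every packet header (line starting with ":") ends the previous packet.
        /^:/ { in_sig = 0; selfsig = 0 }
        /^:signature packet:/ {
            in_sig = 1
            keyid = $NF          # issuer key ID is the last field
        }
        in_sig && /sigclass 0x1[38]/ { selfsig = 1 }
        in_sig && selfsig && /digest algo [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "algo") { algo = $(i + 1); break }
            sub(/,$/, "", algo)  # "2," -> "2"
            if (algo == "2" && !seen[keyid]++) print keyid
        }
    '
}

# Constructed sample (offsets, dates and UIDs invented; key IDs from the thread).
# Key A: UID self-signature hashed with SHA1 -> must be reported.
# Key B: UID self-signature SHA-512 (algo 10), subkey binding SHA-256 (algo 8),
#        plus a SHA1 third-party certification (0x10) -> must NOT be reported.
SAMPLE_PACKETS='# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1495116000, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 94532124541922FB
# off=528 ctb=b4 tag=13 hlen=2 plen=52
:user ID packet: "Constructed Key A (SHA1 self-sig) <a@example.invalid>"
# off=582 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 94532124541922FB
	version 4, created 1495116000, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 3f a1
	hashed subpkt 2 len 4 (sig created 2017-05-18)
	hashed subpkt 16 len 8 (issuer key ID 94532124541922FB)
	data: [4095 bits]
# off=1148 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1504540000, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: BB23C00C61FC752C
# off=1676 ctb=b4 tag=13 hlen=2 plen=54
:user ID packet: "Constructed Key B (SHA512 self-sig) <b@example.invalid>"
# off=1732 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid BB23C00C61FC752C
	version 4, created 1504540000, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 7c 02
	hashed subpkt 2 len 4 (sig created 2017-09-04)
	hashed subpkt 16 len 8 (issuer key ID BB23C00C61FC752C)
	data: [4095 bits]
# off=2298 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 0123456789ABCDEF
	version 4, created 1504600000, md5len 0, sigclass 0x10
	digest algo 2, begin of digest 9e 4d
	hashed subpkt 2 len 4 (sig created 2017-09-05)
	hashed subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
	data: [4095 bits]
# off=2864 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1504540000, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 1122334455667788
# off=3392 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid BB23C00C61FC752C
	version 4, created 1504540000, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 11 22
	hashed subpkt 2 len 4 (sig created 2017-09-04)
	hashed subpkt 16 len 8 (issuer key ID BB23C00C61FC752C)
	data: [4095 bits]'

# Stand-alone run on the constructed sample; prints 94532124541922FB.
printf '%s\n' "$SAMPLE_PACKETS" | sha1_bound_keys

# Real use (path is a placeholder, adjust to the keyring apt actually trusts):
#   gpg --list-packets /path/to/devuan-keyring.gpg | sha1_bound_keys
```

Any key ID this prints will fail sqv's default policy for signatures made today, whichever suite it signs, so running it against the keyring shipped to daedalus, ceres and the other suites tells you whether the replacement key is actually clean before the transition rather than after the next InRelease update breaks.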