[Pkg-rust-maintainers] Bug#1076358: gpgv-sq: fails to verify some good signatures with reason "Bad public key"
Holger Levsen
holger at layer-acht.org
Wed Aug 21 13:48:35 BST 2024
control: retitle -1 gpgv-sq: fails to verify some good sha1 signatures because of default policy
thanks
hi,
thanks for the bug report and clarifications!
On Tue, Jul 30, 2024 at 07:55:51PM +0900, Paride Legovini wrote:
> Well, in my case using `gpgv-sq -vv` clarified:
>
> gpgv: Signature made Tue Jul 30 07:09:17 2024 +09:00
> gpgv: using RSA key 0AB215679C571D1C8325275B9BDB3D89CE49EC21
> gpgv: Can't check signature: Bad public key
> Signing key on 0AB215679C571D1C8325275B9BDB3D89CE49EC21 is not bound:
> gpgv: error: No binding signature at time 2024-07-29T22:09:17Z
> gpgv: because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
> gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
>
> so the signature was rejected because of the default policy.
So I guess we should tag this bug "upstream" and "wontfix"?
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Homelessness exists not because the housing system is not working, but because
this is the way it works. - Peter Marcuse.
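
Added example, not part of the original message and not code from gpgv-sq or Sequoia: a small triage helper that reads the `gpgv-sq -vv` diagnostics quoted above and separates a hash-policy rejection from an unexplained "Bad public key" failure. The function name, verdict labels and regular expressions are assumptions based only on the line formats visible in the quoted output.

```python
import re
from datetime import datetime, timezone

# Sample input: the diagnostic lines quoted in the message above.
SAMPLE = """\
gpgv: Signature made Tue Jul 30 07:09:17 2024 +09:00
gpgv: using RSA key 0AB215679C571D1C8325275B9BDB3D89CE49EC21
gpgv: Can't check signature: Bad public key
Signing key on 0AB215679C571D1C8325275B9BDB3D89CE49EC21 is not bound:
gpgv: error: No binding signature at time 2024-07-29T22:09:17Z
gpgv: because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
"""

# Patterns assumed from the quoted output only; other messages may differ.
KEY = re.compile(r"using \w+ key ([0-9A-F]{40})")
SIG_TIME = re.compile(r"No binding signature at time (\S+)")
CUTOFF = re.compile(r"because: (\S+) is not considered secure since (\S+)")

def parse_ts(value):
    """Parse the UTC timestamps used in the diagnostics."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(output):
    """Separate a hash-policy rejection from an unexplained key failure."""
    info = {"verdict": "no-failure", "key": None, "algo": None,
            "cutoff": None, "sig_time": None, "reasons": []}
    for raw in output.splitlines():
        line = re.sub(r"^gpgv:\s*", "", raw).strip()
        if m := KEY.search(line):
            info["key"] = m.group(1)
        if m := SIG_TIME.search(line):
            info["sig_time"] = parse_ts(m.group(1))
        if m := CUTOFF.search(line):
            info["algo"], info["cutoff"] = m.group(1), parse_ts(m.group(2))
        if line.startswith("because:"):
            info["reasons"].append(line[len("because:"):].strip())
        if line.startswith("Can't check signature"):
            info["verdict"] = "unexplained-failure"
    # The headline error alone is ambiguous; the "because:" chain decides.
    if info["cutoff"] and info["sig_time"] and info["sig_time"] >= info["cutoff"]:
        info["verdict"] = "policy-rejection"
    return info

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["verdict"], r["key"], r["algo"], r["cutoff"].date())
    for reason in r["reasons"]:
        print("  because:", reason)
```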