[Pkg-rust-maintainers] Bug#1076358: gpgv-sq: fails to verify some good signatures with reason "Bad public key"

Julian Andres Klode jak at debian.org
Tue Nov 26 14:04:00 GMT 2024


Control: clone -1 -2
Control: reassign -2 apt
Control: tag -1 wontfix


On Wed, Sep 11, 2024 at 07:27:18PM +0200, Paride Legovini wrote:
> control: tags -1 + upstream
> 
> 
> On Wed, 21 Aug 2024 Holger Levsen <holger at layer-acht.org> wrote:
> > On Tue, Jul 30, 2024 at 07:55:51PM +0900, Paride Legovini wrote:
> > > Well, in my case using `gpgv-sq -vv` clarified:
> > > 
> > > gpgv: Signature made Tue Jul 30 07:09:17 2024 +09:00
> > > gpgv:                using RSA key 0AB215679C571D1C8325275B9BDB3D89CE49EC21
> > > gpgv: Can't check signature: Bad public key
> > > Signing key on 0AB215679C571D1C8325275B9BDB3D89CE49EC21 is not bound:
> > > gpgv:   error: No binding signature at time 2024-07-29T22:09:17Z
> > > gpgv: because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
> > > gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
> > > 
> > > so the signature is rejected because of the default policy.
> > 
> > So I guess we should tag this bug "upstream" and "wontfix"?
> 
> Hi, I tagged this bug upstream. I still hope it's not a full wontfix, as
> this prevents debootstrapping old Debian and Ubuntu releases, with
> release files signed with older (weaker) keys.

You can override this with a custom security policy:

https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/

[hash_algorithms]
sha1.second_preimage_resistance = 2026-01-01

The next version of APT will include said policy and apply it
by default to give a grace period of about one year, but as
for gpgv-sq, I think the default behavior makes sense.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
