[Pkg-rust-maintainers] Bug#1076358: gpgv-sq: fails to verify some good signatures with reason "Bad public key"

Paride Legovini paride at debian.org
Wed Sep 11 18:27:18 BST 2024


control: tags -1 + upstream


On Wed, 21 Aug 2024 Holger Levsen <holger at layer-acht.org> wrote:
> On Tue, Jul 30, 2024 at 07:55:51PM +0900, Paride Legovini wrote:
> > Well, in my case using `gpgv-sq -vv` clarified:
> > 
> > gpgv: Signature made Tue Jul 30 07:09:17 2024 +09:00
> > gpgv:                using RSA key 0AB215679C571D1C8325275B9BDB3D89CE49EC21
> > gpgv: Can't check signature: Bad public key
> > Signing key on 0AB215679C571D1C8325275B9BDB3D89CE49EC21 is not bound:
> > gpgv:   error: No binding signature at time 2024-07-29T22:09:17Z
> > gpgv: because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
> > gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
> > 
> > so the signature was rejected because of the default policy.
> 
> So I guess we should tag this bug "upstream" and "wontfix"?

Hi, I tagged this bug upstream. I still hope it's not a full wontfix, as
this prevents debootstrapping old Debian and Ubuntu releases, with
release files signed with older (weaker) keys.

--
Paride
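As an added illustration of the policy decision quoted above (not code from gpgv-sq or Sequoia): a minimal OpenPGP packet walker that applies the SHA1 cutoff from the log to constructed self-signature packets. The packet bytes, the simplified handling of revocations and other hash algorithms, and the function names are assumptions of this example.

```python
"""Emulate the default-policy decision behind "Bad public key" above: a v4 OpenPGP
self-signature hashed with SHA1 fails at reference times on or after 2023-02-01.
Added example, not Sequoia or gpgv-sq code; all packet bytes below are constructed."""
from datetime import datetime, timezone

REVOCATION_TYPES = {0x20, 0x28, 0x30}  # key, subkey, certification revocation
HASH_NAMES = {2: "SHA1", 8: "SHA256", 10: "SHA512"}
SHA1_CUTOFF = datetime(2023, 2, 1, tzinfo=timezone.utc)  # cutoff quoted in the log

def parse_packets(data: bytes):
    """Yield (tag, body) for old- and new-format OpenPGP packets (RFC 4880 4.2);
    partial-body and indeterminate lengths are not handled."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def check_binding(sig_type: int, hash_algo: int, at: datetime):
    """Log's rule: non-revocation self-sigs need second pre-image resistance, which SHA1
    lacks from the cutoff on. Simplified: revocations and non-SHA1 hashes pass as-is."""
    if sig_type in REVOCATION_TYPES:
        return True, "revocation signature: rule does not apply"
    if hash_algo == 2 and at >= SHA1_CUTOFF:
        return False, f"SHA1 is not considered secure since {SHA1_CUTOFF:%Y-%m-%dT%H:%M:%SZ}"
    return True, f"{HASH_NAMES.get(hash_algo, hash_algo)} accepted"

def verify_key_bindings(keyring: bytes, at: datetime):
    """Check every v4 signature packet (tag 2); body = version, type, pk algo, hash, ..."""
    return [check_binding(body[1], body[3], at)
            for tag, body in parse_packets(keyring) if tag == 2 and body[0] == 4]

# Constructed: new-format SHA1 self-sig (v4, type 0x13, RSA, SHA1, creation-time
# subpacket, no unhashed subpackets, left-16 bits, dummy MPI) and an old-format SHA256 twin
SHA1_SELFSIG = bytes([0xC2, 20, 4, 0x13, 1, 2, 0, 6, 5, 2, 0x66, 0xA8, 0x3C, 0x1D,
                      0, 0, 0xAB, 0xCD, 0, 2, 0x00, 0x03])
SHA256_SELFSIG = bytes([0x88, 20]) + SHA1_SELFSIG[2:5] + bytes([8]) + SHA1_SELFSIG[6:]
```

Run against the reference time from the log (2024-07-29T22:09:17Z) the SHA1 binding is rejected with the same reason string while the SHA256 twin passes; the same SHA1 packet passes at a reference time before 2023-02-01.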
