
Debian apt-get policy will reject signature within a year

Started by adubourg, May 08, 2025, 11:36:58


adubourg

Hi,

I just had a warning from `apt-get update` while updating my Debian system:

W: http://www.bchemnet.com/suldr/dists/debian/InRelease: Policy will reject signature within a year, see --audit for details
A: http://www.bchemnet.com/suldr/dists/debian/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 230890002EDEE9679DE6FC73FB510D557CC3E840 is not bound:
              No binding signature at time 2023-10-09T03:00:11Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z


:(

-- Alex

bchemnet

Thanks for the alert.  Apparently the key was one caught in a long-standing bug that is now being exposed as Debian changes over their default GPG tool.  I have added a new key that does not trigger the warning.  You may still see the warning for the existing key until I remove it, but I will allow a few months before doing so to give repository users time to update to the new keyring package.

adubourg

Thanks for the quick response!
But is it really necessary to leave the old key, since repository users will automatically update to the new keyring package by merely using the repository?

[EDIT] I've tried removing the old key from '/etc/apt/trusted.gpg.d/suldr-keyring.gpg', so that now it only contains

pub   ed25519 2025-05-09 [SC] [expires: 2035-05-07]
      31712967E9DA399C42BED2F5A890B7701F3014B7
uid                      bchemnet <suldr@bchemnet.com>
sub   cv25519 2025-05-09 [E] [expires: 2035-05-07]

but I still have the same warning from `apt-get update`... However, it might just be because I don't really know what I'm doing with GPG >_<'

-- Alex

bchemnet

Quote from: adubourg on May 10, 2025, 01:07:36
    Thanks for the quick response!
    But is it really necessary to leave the old key, since repository users will automatically update to the new keyring package by merely using the repository?

Yes, the old key has to remain for a while.  The key is used to sign the information about available packages, which is read before updates happen.  If the existing key on someone's system does not match the signature, the update to the new key will not be allowed automatically.  So I have to temporarily sign the package list with both keys, so that everyone can update without having to manually install the new key.  And many people do not run updates every day, so it can take a while before the large majority of users have installed the new key.

The reason revoking the old key does not help is that the warning is not actually about the key.  It is a warning about the signature in the package file, which still refers to the old key whether or not the key is trusted by your system.  I am not familiar enough with Sequoia (the new PGP system replacing GPG in Debian) to know if there is a way to suppress the warning during this transition.  If the package sqv is not installed (and gpg still is), there is no warning, although that is not an elegant solution or consistent with the direction Debian is moving in.

bchemnet

Another solution for anyone encountering this and wanting to prevent the warnings: disable this repository except when you are actively using it.  Given that the binary files are unlikely to ever change again, there really is no need to regularly check for updates after setting up working drivers, except possibly around the major updates of your Linux distro.  For context, there has not been an update to most driver packages in over 4 years, and it is entirely possible that there will never be another major change to most of them.
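One way to follow the advice above is to comment the SULDR entry out of its apt sources file between driver installs and uncomment it only when you want to check for updates. The script below is an added example, not bchemnet's or the project's code; it assumes the repository is configured with one-line `deb ...` entries (the file name `/etc/apt/sources.list.d/suldr.list` used in the comments is an assumption) and the sample sources file it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the forum or the SULDR project): toggle the SULDR
# entry in an apt sources file so `apt-get update` skips it until needed.
# Assumes one-line "deb ..." entries and GNU sed. Path is an assumption:
#   disable_repo /etc/apt/sources.list.d/suldr.list   (before routine updates)
#   enable_repo  /etc/apt/sources.list.d/suldr.list   (before apt-get install)
SULDR_HOST="www.bchemnet.com/suldr"

# disable_repo FILE: comment out every active deb/deb-src line for the host.
disable_repo() {
    sed -i -E "s|^[[:space:]]*(deb(-src)?[[:space:]].*${SULDR_HOST}.*)$|# \1|" "$1"
}

# enable_repo FILE: uncomment those lines again (idempotent).
enable_repo() {
    sed -i -E "s|^#[[:space:]]*(deb(-src)?[[:space:]].*${SULDR_HOST}.*)$|\1|" "$1"
}

# repo_active FILE: succeed if an uncommented SULDR line is present.
repo_active() {
    grep -Eq "^[[:space:]]*deb(-src)?[[:space:]].*${SULDR_HOST}" "$1"
}

# Demo on a constructed sources file; the Debian line is left untouched.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'deb http://deb.debian.org/debian bookworm main' \
                  'deb http://www.bchemnet.com/suldr/ debian extra' > "$tmp"
    disable_repo "$tmp"; echo "--- after disable_repo"; cat "$tmp"
    enable_repo "$tmp";  echo "--- after enable_repo";  cat "$tmp"
    rm -f "$tmp"
}
demo
```

For sources written in the deb822 format (`.sources` files) the equivalent is setting `Enabled: no` on the SULDR stanza rather than commenting lines out; either way, run `apt-get update` once after re-enabling before installing or upgrading the driver packages.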
