Bug#1109665: release-notes: Document APT crypto policies for trixie
Package: release-notes
Severity: normal
X-Debbugs-Cc: jak@debian.org
APT in trixie has the following cut-offs for OpenPGP key algorithms:

2026-02-01

- Keys with SHA-1 self-signatures. These need to be re-signed, that
  is, change the expiry to the same value as before, for example.
- SHA224 signatures
- v3 signature packets, as used by Open Build Service

2028-02-01

- Brainpool Curves

2030-02-01

- RSA keys with fewer than 3072 bits

APT will issue warnings 1 year ahead of the cut-off dates.

Other keys have been cut off in the past, such as RSA below
2048 bits and DSA keys.

The policy can be adjusted following the hint in
/etc/crypto-policies/back-ends/apt-sequoia.config

But we may want to introduce a tiny feature in a stable update
to simply set a fixed policy date (i.e. verify keys using the
policy as of 2025-08-01 to keep a trixie system with no changes
in behavior).

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
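
The schedule in the report above, applied to a key listing, as an added example that is not part of the original message and is not APT's own policy code. It assumes input in `gpg --with-colons --list-sigs` layout; the sample keys, the item names and the function names are constructed for illustration, and v3 signature packets are not checked.

```python
from datetime import date

# Cut-off schedule exactly as listed in the report above.
CUTOFFS = {
    "sha1-self-signature": date(2026, 2, 1),
    "sha224-signature": date(2026, 2, 1),
    "brainpool-curve": date(2028, 2, 1),
    "rsa-below-3072": date(2030, 2, 1),
}
RSA, SHA1, SHA224 = "1", "2", "11"  # OpenPGP algorithm IDs (RFC 4880)

# Constructed sample in `gpg --with-colons --list-sigs` layout (not real keys).
SAMPLE = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC::::::23::0:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Constructed Key A <a@example.org>:13x:::::2:
pub:-:256:19:BBBBBBBBBBBBBBBB:1600000000:::-:::scESC:::::brainpoolP256r1:::0:
sig:::19:BBBBBBBBBBBBBBBB:1600000000::::Constructed Key B <b@example.org>:13x:::::8:
"""

def findings(colons):
    """Return (primary key ID, policy item) pairs found in a colon listing."""
    out, keyid = [], None
    for line in colons.splitlines():
        f = line.split(":") + [""] * 17      # pad so short records index safely
        if f[0] in ("pub", "sub"):
            if f[0] == "pub":
                keyid = f[4]
            if f[3] == RSA and f[2].isdigit() and int(f[2]) < 3072:
                out.append((keyid, "rsa-below-3072"))
            if f[16].lower().startswith("brainpool"):   # field 17: curve name
                out.append((keyid, "brainpool-curve"))
        elif f[0] == "sig" and f[15] == SHA224:         # field 16: hash algorithm
            out.append((keyid, "sha224-signature"))
        elif f[0] == "sig" and f[15] == SHA1 and f[4] == keyid:
            out.append((keyid, "sha1-self-signature"))  # issuer is the key itself
    return out

def status(item, today):
    """Classify one item; warnings start one year before its cut-off."""
    cutoff = CUTOFFS[item]
    if today >= cutoff:          # assumption: the cut-off day itself is cut off
        return "cut off"
    return "warning" if today >= cutoff.replace(year=cutoff.year - 1) else "ok"

def audit(colons, today):
    return [(k, item, status(item, today)) for k, item in findings(colons)]

if __name__ == "__main__":
    for row in audit(SAMPLE, date(2025, 8, 1)):
        print(*row)
```

Evaluating with a fixed `today` of 2025-08-01 corresponds to the fixed policy date proposed in the report.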