apt: WTH is a "second pre-image resistance"?

To: debian-user@lists.debian.org
Cc: harri@afaics.de
Subject: apt: WTH is a "second pre-image resistance"?
From: Harald Dunkel <harald.dunkel@aixigo.com>
Date: Mon, 02 Jun 2025 13:49:05 +0200
Message-id: <[🔎] uzd7c1u8itq.fsf@dpcl082.ac.aixigo.de>

Hi folks,

trying Trixie "apt update" shows a warning about my local repo
(managed by reprepro on Bookworm) I don't know how to handle:

Warning: http://debian.example.com/debian/dists/trixie-backports/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://debian.example.com/debian/dists/trixie-backports/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not bound:
              No binding signature at time 2025-06-02T09:32:30Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
     

I know that SHA1 is not secure, but what is this resistance error message
trying to tell me? InRelease is signed by a RSA4096 key. Digest is SHA512.
I also have a revocation key for the signing key.

???


Every helpful comment is highly appreciated

Harri

Reply to:

Follow-Ups:
- Re: apt: WTH is a "second pre-image resistance"?
  - From: Greg Wooledge <greg@wooledge.org>
- Re: apt: WTH is a "second pre-image resistance"?
  - From: Darac Marjal <mailinglist@darac.org.uk>

Prev by Date: Re: is it possible to use debian with mini PC when display is not connected to hdmi
Next by Date: Re: is it possible to use debian with mini PC when display is not connected to hdmi
Previous by thread: Re: aptitude configuration
Next by thread: Re: apt: WTH is a "second pre-image resistance"?
Index(es):
- Date
- Thread