Re: apt: WTH is a "second pre-image resistance"?

To: debian-user@lists.debian.org
Subject: Re: apt: WTH is a "second pre-image resistance"?
From: Greg Wooledge <greg@wooledge.org>
Date: Mon, 2 Jun 2025 09:26:50 -0400
Message-id: <[🔎] 20250602132650.GB8616@wooledge.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] uzd7c1u8itq.fsf@dpcl082.ac.aixigo.de>
References: <[🔎] uzd7c1u8itq.fsf@dpcl082.ac.aixigo.de>

On Mon, Jun 02, 2025 at 13:49:05 +0200, Harald Dunkel wrote:
> Hi folks,
> 
> trying Trixie "apt update" shows a warning about my local repo
> (managed by reprepro on Bookworm) I don't know how to handle:
> 
> Warning: http://debian.example.com/debian/dists/trixie-backports/InRelease: Policy will reject signature within a year, see --audit for details
> Audit: http://debian.example.com/debian/dists/trixie-backports/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
>    Signing key on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not bound:
>               No binding signature at time 2025-06-02T09:32:30Z
>      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
>      because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
>      
> 
> I know that SHA1 is not secure, but what is this resistance error message
> trying to tell me? InRelease is signed by a RSA4096 key. Digest is SHA512.
> I also have a revocation key for the signing key.

Well, it just says it's a Warning, and that something will change on
February 1, 2026.  So you should be OK for now.

Reply to:

References:
- apt: WTH is a "second pre-image resistance"?
  - From: Harald Dunkel <harald.dunkel@aixigo.com>

Prev by Date: Re: parallel gnu and parallel from moreutils
Next by Date: Re: is it possible to use debian with mini PC when display is not connected to hdmi
Previous by thread: apt: WTH is a "second pre-image resistance"?
Next by thread: Re: apt: WTH is a "second pre-image resistance"?
Index(es):
- Date
- Thread