Bug#1088288: gpgv-sq: fails to verify some good sha1 signatures because of default policy
Hi Joel,
On Thu, 23 Jan 2025 23:40:04 -0800 Joel Ray Holveck <joelh@piquan.org> wrote:
> Slack still cannot be updated. It gives this error message:
>
> Get:2 https://packagecloud.io/slacktechnologies/slack/debian jessie
> InRelease [29.1 kB]
> Err:2 https://packagecloud.io/slacktechnologies/slack/debian jessie
> InRelease
> Sub-process /usr/bin/sqv returned an error code (1), error
> message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is
> not bound: primary key because: No binding signature at
> time 2024-12-17T17:27:20Z because: Policy rejected non-revocation
> signature (PositiveCertification) requiring collision resistance
> because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
> Warning: GPG error:
> https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease:
> Sub-process /usr/bin/sqv returned an error code (1), error message is:
> Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound:
> primary key because: No binding signature at time
> 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature
> (PositiveCertification) requiring collision resistance because: SHA1
> is not considered secure since 2013-02-01T00:00:00Z
> Error: The repository
> 'https://packagecloud.io/slacktechnologies/slack/debian jessie
> InRelease' is not signed.
> Notice: Updating from such a repository can't be done securely, and
> is therefore disabled by default.
> Notice: See apt-secure(8) manpage for repository creation and user
> configuration details.
For what it's worth, I have a (private) open ticket with Slack
technical support about this issue since 10th Jan and am following up
regularly. I will reply here if there is any follow-up.
Thanks!
Chris