Bug#1088288: gpgv-sq: fails to verify some good sha1 signatures because of default policy

To: 1088288@bugs.debian.org
Subject: Bug#1088288: gpgv-sq: fails to verify some good sha1 signatures because of default policy
From: miguel_tete17@hotmail.com
Date: Tue, 22 Jul 2025 13:50:13 +0200
Message-id: <[🔎] DB3PR0202MB3417A9604D078512A72FEF5A895CA@DB3PR0202MB3417.eurprd02.prod.outlook.com>
Reply-to: miguel_tete17@hotmail.com, 1088288@bugs.debian.org
In-reply-to: <c9e7e5530a9f6d8f5644437fb2d3c358172dd5ba.camel@debian.org>
References: <633c6043-30c9-42a7-953b-6d7a71379faa@piquan.org> <c9e7e5530a9f6d8f5644437fb2d3c358172dd5ba.camel@debian.org> <172100112029.2496.16215254570824034966.reportbug@debvirt12.virt.lan>

Hey Chris,

Any updates on your private slack ticket?


On Sat, 15 Feb 2025 22:10:33 +0000 Christopher Obbard
<obbardc@debian.org> wrote:
> Hi Joel,
> 
> 
> On Thu, 23 Jan 2025 23:40:04 -0800 Joel Ray Holveck
<joelh@piquan.org>
> wrote:
> > Slack still cannot be updated.  It gives this error message:
> > 
> >      Get:2
> https://packagecloud.io/slacktechnologies/slack/debian jessie 
> > InRelease [29.1 kB]
> >      Err:2
> https://packagecloud.io/slacktechnologies/slack/debian jessie 
> > InRelease
> >        Sub-process /usr/bin/sqv returned an error code (1), error 
> > message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD
> is 
> > not bound:            primary key   because: No binding signature
at 
> > time 2024-12-17T17:27:20Z   because: Policy rejected non-revocation
> > signature (PositiveCertification) requiring collision resistance 
> > because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
> >      Warning: GPG error: 
> > https://packagecloud.io/slacktechnologies/slack/debian jessie
> InRelease: 
> > Sub-process /usr/bin/sqv returned an error code (1), error message
> is: 
> > Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not
bound:
> >          primary key   because: No binding signature at time 
> > 2024-12-17T17:27:20Z   because: Policy rejected non-revocation
> signature 
> > (PositiveCertification) requiring collision resistance   because:
> SHA1 
> > is not considered secure since 2013-02-01T00:00:00Z
> >      Error: The repository 
> > 'https://packagecloud.io/slacktechnologies/slack/debian jessie 
> > InRelease' is not signed.
> >      Notice: Updating from such a repository can't be done
securely,
> and 
> > is therefore disabled by default.
> >      Notice: See apt-secure(8) manpage for repository creation and
> user 
> > configuration details.
> 
> For what it's worth, I have a (private) open ticket with Slack
> technical support about this issue since 10th Jan and am following-up
> regularly. I will reply here if this is any follow-up.
> 
> 
> Thanks!
> 
> Chris
> 
>

Reply to:

Follow-Ups:
- Bug#1088288: gpgv-sq: fails to verify some good sha1 signatures because of default policy
  - From: Christopher Obbard <obbardc@gmail.com>

Prev by Date: Bug#1109583: please use SRV records to follow instead of using them as overwrites
Next by Date: Bug#1088288: gpgv-sq: fails to verify some good sha1 signatures because of default policy
Previous by thread: Bug#1109590: apt show: add 'wrap-and-sort -as' like output
Next by thread: Bug#1088288: gpgv-sq: fails to verify some good sha1 signatures because of default policy
Index(es):
- Date
- Thread