
Debian repo signature uses SHA1 #5125

@morsik

Description


Expected Behavior

Debian repo works out of the box. I'm using Debian 13.

Current Behavior

    Get:9 https://packagecloud.io/sensu/stable/debian trixie InRelease [29.3 kB]
    Err:9 https://packagecloud.io/sensu/stable/debian trixie InRelease
      Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CB1605C4E988C91F438249E3A5BC3FB70A3F7426 is not bound:            primary key   because: No binding signature at time 2025-05-28T10:59:28Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
    Warning: OpenPGP signature verification failed: https://packagecloud.io/sensu/stable/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CB1605C4E988C91F438249E3A5BC3FB70A3F7426 is not bound:            primary key   because: No binding signature at time 2025-05-28T10:59:28Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
    Error: The repository 'https://packagecloud.io/sensu/stable/debian trixie InRelease' is not signed.
    Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
    Notice: See apt-secure(8) manpage for repository creation and user configuration details.

Possible Solution

Use better signatures.

Steps to Reproduce (for bugs)

  1. Add Sensu repo:

    # cat /etc/apt/sources.list.d/sensu-stable.sources
    Components: main
    X-Repolib-Name: sensu-stable
    Signed-By: /usr/share/keyrings/sensu-stable.asc
    Suites: trixie
    Types: deb deb-src
    URIs: https://packagecloud.io/sensu/stable/debian/
    
  2. Run apt update.

Context

Debian added SHA256 many, many years ago and fully removed SHA1 from Release files in 2020...

Your Environment

  • Installation method (packages, binaries, docker etc.): apt repo
  • Operating System and version (e.g. Ubuntu 14.04): Debian 13.
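The sqv message above says the key's PositiveCertification (the self-signature binding the user ID to the primary key) was made with SHA1, which apt's Sequoia-based verifier rejects. As an added example (not code from this issue, from the Sensu project or from packagecloud), the script below walks the OpenPGP packets of a keyring file such as the `Signed-By` key and reports the hash algorithm of every certification and binding signature, so you can confirm a SHA1 self-signature before assuming anything else is wrong with the repository. It embeds a constructed sample key (labelled as such; it is not the real Sensu key and its packet bodies are truncated to what the parser reads) whose user-ID certification uses SHA1 and whose subkey binding uses SHA256. Packet framing, signature layouts and algorithm IDs follow RFC 4880; the file name `check_key_hashes.py` in the usage note is hypothetical.

```python
"""Report the hash algorithm used by each self-signature in an OpenPGP key.

Added example, not project code. Parses RFC 4880 packet framing and signature
headers; it does not verify signatures, it only explains why a policy such as
sqv's would reject one (e.g. a SHA1 PositiveCertification on the primary key).
"""
import base64
import sys

# RFC 4880 9.4 hash algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}                      # MD5 and SHA1: no collision resistance
# RFC 4880 5.2.1 signature types that bind keys and user IDs
SIG_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
             0x12: "CasualCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey",
             0x20: "KeyRevocation", 0x28: "SubkeyRevocation", 0x30: "CertRevocation"}


def dearmor(text: str) -> bytes:
    """Strip ASCII armor: BEGIN line, armor headers, blank line, base64, '=CRC' line."""
    lines = text.splitlines()
    i = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN")) + 1
    while i < len(lines) and lines[i].strip():
        i += 1                            # armor headers end at the first blank line
    b64 = []
    for line in lines[i:]:
        line = line.strip()
        if line.startswith("=") or line.startswith("-----END"):
            break                         # "=XXXX" is the CRC24 line (not checked here)
        if line:
            b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packets (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]; pos += 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                    # new format
            tag = ctb & 0x3F
            first = data[pos]; pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192; pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big"); pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                             # old format
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + n], "big"); pos += n
        yield tag, data[pos:pos + length]
        pos += length


def parse_signature(body: bytes) -> dict:
    """Return version, signature type and hash algorithm from a signature packet."""
    version = body[0]
    if version in (4, 5, 6):              # version, type, pubkey algo, hash algo
        return {"version": version, "type": body[1], "hash_algo": body[3]}
    if version == 3:                      # v3: ver, 0x05, type, time(4), keyid(8), pk, hash
        return {"version": 3, "type": body[2], "hash_algo": body[16]}
    raise ValueError(f"unsupported signature version {version}")


def report(key_bytes: bytes) -> list:
    """One row per signature packet: human-readable type, hash name, weak flag."""
    rows = []
    for tag, body in iter_packets(key_bytes):
        if tag != 2:
            continue
        sig = parse_signature(body)
        rows.append({"type": SIG_TYPES.get(sig["type"], hex(sig["type"])),
                     "hash": HASH_ALGOS.get(sig["hash_algo"], str(sig["hash_algo"])),
                     "weak": sig["hash_algo"] in WEAK_HASHES})
    return rows


def encode_packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Helper for the constructed sample only: one-octet-length packet header."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed sample key (NOT a real key): v4 RSA primary key header, a user ID,
# a SHA1 PositiveCertification, a subkey header and a SHA256 SubkeyBinding.
SAMPLE_KEY = (
    encode_packet(6, bytes([4, 0, 0, 0, 0, 1]), new_format=False)
    + encode_packet(13, b"Example Signer <signer@example.invalid>")
    + encode_packet(2, bytes([4, 0x13, 1, 2, 0, 0, 0, 0]))      # hash algo 2 = SHA1
    + encode_packet(14, bytes([4, 0, 0, 0, 0, 1]))
    + encode_packet(2, bytes([4, 0x18, 1, 8, 0, 0, 0, 0]))      # hash algo 8 = SHA256
)


def armor(data: bytes) -> str:
    """Wrap bytes in ASCII armor with a placeholder CRC line (sample use only)."""
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + base64.b64encode(data).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else armor(SAMPLE_KEY).encode()
    data = dearmor(raw.decode()) if raw.startswith(b"-----BEGIN") else raw
    for row in report(data):
        print(f"{'WEAK ' if row['weak'] else 'ok   '}{row['type']:<24}{row['hash']}")
```

Run it as `python3 check_key_hashes.py /usr/share/keyrings/sensu-stable.asc` to inspect the real keyring, or with no argument to see the constructed sample flag its SHA1 certification. A weak hash on the primary key's certification is the repository owner's problem to fix, by re-creating those self-signatures with a SHA2 digest and republishing the key; a client-side policy override only reintroduces the collision risk the verifier is refusing.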
