Debian repo signature uses SHA1 #5125

@morsik

Description

Expected Behavior

Debian repo works out of the box. I'm using Debian 13.

Current Behavior

Get:9 https://packagecloud.io/sensu/stable/debian trixie InRelease [29.3 kB]
Err:9 https://packagecloud.io/sensu/stable/debian trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CB1605C4E988C91F438249E3A5BC3FB70A3F7426 is not bound:            primary key   because: No binding signature at time 2025-05-28T10:59:28Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
Warning: OpenPGP signature verification failed: https://packagecloud.io/sensu/stable/debian trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on CB1605C4E988C91F438249E3A5BC3FB70A3F7426 is not bound:            primary key   because: No binding signature at time 2025-05-28T10:59:28Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
Error: The repository 'https://packagecloud.io/sensu/stable/debian trixie InRelease' is not signed.
Notice: Updating from such a repository can't be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.

Possible Solution

Use better signatures.

Steps to Reproduce (for bugs)

  1. Add Sensu repo:

    # cat /etc/apt/sources.list.d/sensu-stable.sources
    Components: main
    X-Repolib-Name: sensu-stable
    Signed-By: /usr/share/keyrings/sensu-stable.asc
    Suites: trixie
    Types: deb deb-src
    URIs: https://packagecloud.io/sensu/stable/debian/
    
  2. Run apt update.

Context

Debian added SHA256 many, many years ago and fully removed SHA1 from Release files in 2020...

Your Environment

  • Installation method (packages, binaries, docker etc.): apt repo
  • Operating System and version (e.g. Ubuntu 14.04): Debian 13.
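The sqv error above names the precise problem: the primary key's binding signature (a PositiveCertification over the User ID) was made with SHA-1, and sqv's policy requires a collision-resistant hash for such signatures. The following is an added example, not code from Sensu or from the reporter: a pre-flight check an administrator or repository maintainer can run over `gpg --list-packets` output to find self-signatures that will trip this policy before pointing apt at a Debian 13 host. The listing embedded in it is constructed to show the failure shape and is not the real Sensu key; the `HASH_ALGO` and signature-class tables are the RFC 4880 values, and the `gpg` output format is the one current GnuPG prints.

```python
"""Pre-flight check for apt repository signing keys on Debian 13 (apt + sqv).

Parses the output of `gpg --list-packets <keyfile>` and reports self-signatures
(certifications, subkey bindings, direct-key signatures) whose digest algorithm
sqv rejects for lack of collision resistance (MD5, SHA-1, RIPEMD-160).
Added example, not part of the Sensu project; the sample listing is constructed.
"""
import re
import sys
from typing import Dict, List, Optional

# OpenPGP hash algorithm IDs (RFC 4880 section 9.4)
HASH_ALGO = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_IDS = {1, 2, 3}

# Signature classes that bind a User ID or subkey to the primary key. sqv's
# policy requires collision resistance for these, which is what the apt error
# "Policy rejected non-revocation signature (PositiveCertification)" refers to.
BINDING_SIG_CLASSES = {
    0x10: "GenericCertification",
    0x11: "PersonaCertification",
    0x12: "CasualCertification",
    0x13: "PositiveCertification",
    0x18: "SubkeyBinding",
    0x1F: "DirectKey",
}

SIG_HEADER = re.compile(r"^:signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
SIGCLASS = re.compile(r"sigclass 0x([0-9A-Fa-f]+)")
DIGEST = re.compile(r"digest algo (\d+)")


def parse_signatures(listing: str) -> List[Dict[str, Optional[int]]]:
    """Collect (keyid, sigclass, digest algo) for each signature packet.
    Packet headers start with ':'; attribute lines are tab-indented;
    '# off=...' offset lines carry no packet data and are skipped."""
    sigs: List[Dict] = []
    current: Optional[Dict] = None
    for line in listing.splitlines():
        if line.startswith(":"):
            if current is not None:
                sigs.append(current)
            m = SIG_HEADER.match(line)
            current = {"keyid": m.group(2).upper(), "sigclass": None, "digest": None} if m else None
            continue
        if current is None:
            continue
        m = SIGCLASS.search(line)
        if m:
            current["sigclass"] = int(m.group(1), 16)
        m = DIGEST.search(line)
        if m:
            current["digest"] = int(m.group(1))
    if current is not None:
        sigs.append(current)
    return sigs


def weak_binding_signatures(listing: str) -> List[str]:
    """One finding per binding signature made with a weak digest. An empty
    list means sqv's hash policy is not why the key would be rejected."""
    findings = []
    for sig in parse_signatures(listing):
        cls, digest = sig["sigclass"], sig["digest"]
        if cls in BINDING_SIG_CLASSES and digest in WEAK_HASH_IDS:
            findings.append(f"{BINDING_SIG_CLASSES[cls]} by {sig['keyid']} uses {HASH_ALGO[digest]}")
    return findings


# Constructed listing in gpg's format: a SHA-1 self-certification (the failure
# the apt error describes) followed by a SHA-256 subkey binding that passes.
SAMPLE_LISTING = """\
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
\tversion 4, algo 1, created 1403118400, expires 0
\tkeyid: 0123456789ABCDEF
# off=272 ctb=b4 tag=13 hlen=2 plen=36
:user ID packet: "Example Repo Signing <repo@example.invalid>"
# off=310 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1403118400, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 7b 1e
\thashed subpkt 2 len 4 (sig created 2014-06-18)
# off=625 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
\tversion 4, algo 1, created 1403118400, expires 0
\tkeyid: FEDCBA9876543210
# off=897 ctb=89 tag=2 hlen=3 plen=312
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1403118400, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 3c 9a
"""

if __name__ == "__main__":
    # Read a real listing from stdin when piped; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for finding in weak_binding_signatures(text) or ["no weak binding signatures found"]:
        print(finding)
```

Run it against the keyring the sources file points at, e.g. `gpg --list-packets /usr/share/keyrings/sensu-stable.asc | python3 check_sigs.py`. Any `PositiveCertification ... uses SHA1` line is the condition apt on Debian 13 reports as "Signing key ... is not bound"; the remedy is on the publisher's side (re-issue the self-signatures with SHA-256 or stronger), not a client-side relaxation of the sqv policy.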
