Your message dated Mon, 02 Feb 2026 22:27:34 +0000
with message-id <[email protected]>
and subject line Bug#1126793: fixed in dgit 14.7
has caused the Debian Bug report #1126793,
regarding dgit: autopkgtest regression: SHA1 is not considered secure since 
2026-02-01T00:00:00Z
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126793: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126793
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dgit
Version: 14.5
Severity: important
User: [email protected]
Usertags: regression

I noticed that the package tracker page for autopkgtest is reporting 
autopkgtest regressions for src:dgit. Looking at the log (and the 
architectures like i386 that report it as a non-regression), this seems 
to be a time-based regression that will happen on any test run after 
2026-02-01, rather than something broken by an autopkgtest change:

>331s + apt-get -c '/tmp/autopkgtest-lxc.l1llofk2/downtmp/autopkgtest_tmp/.cache/dgit/aptget/apt.conf#test-dummy' update
>331s Get:1 file:/tmp/autopkgtest-lxc.l1llofk2/downtmp/autopkgtest_tmp/mirror unstable InRelease [2073 B]
>331s Get:1 file:/tmp/autopkgtest-lxc.l1llofk2/downtmp/autopkgtest_tmp/mirror unstable InRelease [2073 B]
>331s Err:1 file:/tmp/autopkgtest-lxc.l1llofk2/downtmp/autopkgtest_tmp/mirror unstable InRelease
>331s   Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 3B0F3FB8ADEFAEF81E0D0C5C14A868BFAC3BD039 is not bound:
>  No binding signature at time 2026-02-01T05:20:16Z
>  because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
>  because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Perhaps the test keys in src/tests/tstunt/gpg, which seem to have been 
generated in 2013/2014, need to be regenerated with a SHA256 
self-signature or replaced with new keys so that apt will still consider 
them to be sufficiently strong? Or perhaps the signing key is somewhere 
else, I'm not familiar with this test suite.

See the apt (2.9.19) debian/NEWS entry for more details. It might be 
possible to override this with a suitable value for 
$APT_SEQUOIA_CRYPTO_POLICY, but regenerating the test keys (or at least 
updating their self-signatures) is probably easier.

Based on my experiences with updating third-party apt repositories, the 
easiest way to force a new self-signature seems to be to ask a 
current-ish version of gpg to change the expiry date with --edit-key and 
the "expire" command. I believe it's sufficient to set an infinitely 
long expiry date (even if that matches the current expiry date) which 
has the side-effect of issuing a new self-signature using the new 
default signature algorithm, which should be SHA256 or possibly SHA512.

    smcv

--- End Message ---
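
The check behind the suggestion in the report above, as an added example (not part of the original messages and not dgit's code): it reads `gpg --list-packets` output and reports user IDs whose newest self-certification still uses a weak digest, which is the condition the sqv error describes and which a fresh self-signature clears. The key IDs, timestamps and packet excerpts are constructed, and the field layout of the listing is assumed to match current gpg output.

```python
import re

DIGESTS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # RFC 4880 IDs
WEAK = {"MD5", "SHA1"}  # SHA1 per the error above; MD5 is an added assumption
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # user ID certifications (0x13 = positive)

def newest_selfsigs(listing):
    """Map each user ID to (created, digest) of its newest self-certification."""
    primary = uid = issuer = created = sigclass = None
    newest = {}
    for line in listing.splitlines():
        if line.startswith((":public key packet:", ":secret key packet:")):
            primary = uid = None
        elif (m := re.match(r"\s+keyid: ([0-9A-F]+)", line)) and primary is None:
            primary = m.group(1)  # first keyid after a primary key packet
        elif m := re.match(r':user ID packet: "(.*)"', line):
            uid = m.group(1)
        elif m := re.match(r":signature packet: algo \d+, keyid ([0-9A-F]+)", line):
            issuer, created, sigclass = m.group(1), None, None
        elif m := re.search(r"created (\d+), md5len \d+, sigclass (0x[0-9a-f]+)", line):
            created, sigclass = int(m.group(1)), int(m.group(2), 16)
        elif m := re.match(r"\s+digest algo (\d+)", line):
            # Count only certifications issued by the primary key itself.
            if issuer == primary and uid and sigclass in CERT_CLASSES:
                if uid not in newest or created > newest[uid][0]:
                    newest[uid] = (created, DIGESTS.get(int(m.group(1)), "other"))
    return newest

def weak_bindings(listing):
    """User IDs whose newest self-certification still uses a weak digest."""
    return sorted(u for u, (_, d) in newest_selfsigs(listing).items() if d in WEAK)

# Constructed `gpg --list-packets` excerpts (key IDs and timestamps are made up).
BEFORE = """\
:public key packet:
\tkeyid: AAAAAAAAAAAAAAAA
:user ID packet: "Constructed Test Key <test@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1383000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 12 34
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
\tversion 4, created 1700000000, md5len 0, sigclass 0x10
\tdigest algo 8, begin of digest 56 78
"""
AFTER = BEFORE + """\
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1770000000, md5len 0, sigclass 0x13
\tdigest algo 10, begin of digest 9a bc
"""
```

On a real key, pass it the text produced by `gpg --export KEYID | gpg --list-packets`; the third-party SHA256 certification in the sample is ignored on purpose, since only a self-signature binds the user ID to the key.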
--- Begin Message ---
Source: dgit
Source-Version: 14.7
Done: Ian Jackson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dgit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ian Jackson <[email protected]> (supplier of updated dgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Feb 2026 20:16:08 +0000
Source: dgit
Architecture: source
Version: 14.7
Distribution: unstable
Urgency: medium
Maintainer: Debian tag2upload Delegates <[email protected]>
Changed-By: Ian Jackson <[email protected]>
Closes: 1126793
Changes:
 dgit (14.7) unstable; urgency=medium
 .
   tag2upload development:
   * tag2upload-oracled: Provide complete error message when reboot lock held.
 .
   Fixes for gnupg/sqv incompatibilities in tests:
   * Update key self-cert hashes to fix test failure complaining about SHA1.
     Closes: #1126793.  [Report and suggestion from Simon McVittie]
   * Migrate to new gnupg secret key format for in-tree keys.
   * Revert attempted use of SEQUOIA_CRYPTO_POLICY (which is broken).
Git-Tag-Info: tag=dbffdfbb1535acdb35ce2216b9001c6cb012b40a 
fp=41638114d132883b25a20ddd47515757d8002456
Git-Tag-Tagger: Ian Jackson <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
