Hello,

On Mon, Mar 17, 2025 at 03:37:57PM +0530, Ritesh Raj Sarraf wrote:
> Control: tag -1 +pending
> 
> On Mon, 2025-03-03 at 14:59 +0530, Ritesh Raj Sarraf wrote:
> > On Wed, 2025-02-26 at 16:47 +0100, Chris Hofstaedtler wrote:
> > > > I personally wouldn't prefer this route. For consistency with bpfcc, it
> > > > could have been with the same naming scheme. On the other hand, if 2
> > > > packages can be made to co-exist, I'd not prefer to impose such a
> > > > limitation.
> > > 
> > > Is there anything blocking any of the proposed solutions?
> > > 
> > > The policy change has landed in the meantime.
> > 
> > I'll try to put this on the list of items to attempt this weekend. I hope
> > somebody else beats me to it.
> > 
> 
> I've managed to prepare a fix for this issue. But am having some issues
> with the upload.
> 
> Possibly, something recent with how keys are managed.
> 
> @ dupload bpfcc_0.31.0+ds-5_source.changes
> dupload note: no announcement will be sent.
> Checking OpenPGP signatures on bpfcc_0.31.0+ds-5_source.changes...
>   Using keyring: /usr/share/keyrings/debian-keyring.gpg
>   Using keyring: /usr/share/keyrings/debian-nonupload.gpg
>   Using keyring: /usr/share/keyrings/debian-maintainers.gpg
> Signing key on 43DEF582F9E67111CE008917F2F11C23F00A2BE6 is not bound:
>   Error: Policy rejected non-revocation signature (SubkeyBinding) requiring 
> second pre-image resistance
> because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
> 0 authenticated signatures, 1 bad key.
>   Error: Verification failed: could not authenticate any signatures
> openpgp-check: error: cannot verify OpenPGP signature for 
> bpfcc_0.31.0+ds-5_source.changes: no acceptable signature found
> dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed for 
> bpfcc_0.31.0+ds-5_source.changes

The issue is that SHA-1 has been considered insecure for ~20 years. The
best option going forward for you is: Repair your key.

You can follow
https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/T/#u
. The TL;DR; is: Install sq/testing and do:

        sq cert lint --fix --output - --cert $yourkeyfingerprint | gpg --import

. (But of course you better read the details instead of believing
someone you don't know about what to do to your key material :-)

Best regards
Uwe
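
Added example, not part of the original message or of any tool named in it: a read-only check that lists which signatures on a key were made with SHA-1 (OpenPGP hash algorithm ID 2), the condition the upload check rejected above. The function name `sha1_sigs`, the helper `sample_dump` and the sample key data are constructed for illustration; the input format assumed is the text printed by `gpg --list-packets`.

```shell
#!/bin/sh
# Report signatures made with SHA-1 in a `gpg --list-packets` dump read from stdin.
# Real use (assumes $FPR holds your key fingerprint):
#   gpg --export "$FPR" | gpg --list-packets | sha1_sigs
# Output per hit: <kind> <sigclass> <issuer keyid> <creation time, epoch seconds>

sha1_sigs() {
    awk '
        /^:signature packet:/ { keyid = $NF; class = "?"; created = "?" }
        /sigclass 0x/ {
            for (i = 1; i < NF; i++) {
                if ($i == "created")  { created = $(i + 1); sub(/,$/, "", created) }
                if ($i == "sigclass") { class = $(i + 1) }
            }
        }
        $1 == "digest" && $2 == "algo" {
            algo = $3; sub(/,$/, "", algo)
            if (algo == "2") {          # hash algorithm ID 2 is SHA-1
                kind = "other"
                if (class == "0x18") kind = "subkey-binding"
                if (class == "0x13") kind = "userid-certification"
                print kind, class, keyid, created
            }
        }
    '
}

# Constructed sample dump (key ID and timestamps are made up), trimmed to the
# lines the parser looks at: one SHA-512 user ID certification, one SHA-1
# subkey binding.
sample_dump() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1300000000, expires 0
:user ID packet: "Example Person <person@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 9a 1c
:public sub key packet:
    version 4, algo 1, created 1300000000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1300000000, md5len 0, sigclass 0x18
    digest algo 2, begin of digest 5e 77
EOF
}

sample_dump | sha1_sigs   # prints: subkey-binding 0x18 0123456789ABCDEF 1300000000
```

Running it again after the key has been repaired and re-imported should print nothing for the signatures that were reissued; old SHA-1 signatures that remain alongside newer ones will still be listed.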
