Ian Jackson writes ("Bug#1126793: dgit: autopkgtest regression: SHA1 is not 
considered secure since 2026-02-01T00:00:00Z [and 1 more messages]"):
...
> > Simon McVittie writes ("Bug#1126793: dgit: autopkgtest regression: SHA1 is 
> > not considered secure since 2026-02-01T00:00:00Z"):
> > > See the apt (2.9.19) debian/NEWS entry for more details. It might be 
> > > possible to override this with a suitable value for 
> > > $APT_SEQUOIA_CRYPTO_POLICY, but regenerating the test keys (or at least 
> > > updating their self-signatures) is probably easier.
...
> In fact I am going to do this *right now* because this terrible
> decision to have a time-based deprecation is suddenly blocking my
> work.

It turns out that the policy override mechanism is broken.

Attempting to use it like this

  +cat <<'END' >>$tmp/.sequoia-crypto-policy
  +[hash_algorithms]
  +sha1 = "always"
  +END
  +export SEQUOIA_CRYPTO_POLICY=$tmp/.sequoia-crypto-policy
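
Review bot: the heredoc is appended with `>>` to $tmp/.sequoia-crypto-policy, so if that file already contains a `[hash_algorithms]` table (for example because this setup step has already run against the same $tmp), the second header is a TOML table redefinition. The error reported for this change places the redefinition at line 3 column 1, whereas `[hash_algorithms]` is the first line of this heredoc; that is consistent with an earlier two-line copy already being in the file. Consider creating the file with `>` instead, or checking its contents before the export. Separately, the quoted suggestion names $APT_SEQUOIA_CRYPTO_POLICY while this hunk exports SEQUOIA_CRYPTO_POLICY, so it is worth confirming which variable is intended, and quoting "$tmp" on both lines.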

results in this

  W: OpenPGP signature verification failed: 
  file:/tmp/autopkgtest.XEAQrW/autopkgtest_tmp/mirror unstable 
  InRelease: Sub-process /usr/bin/sqv returned an error code (1), 
  error message is: Error: Parsing 
  "/tmp/autopkgtest.XEAQrW/autopkgtest_tmp/.sequoia-crypto-policy" 
  Caused by:     redefinition of table `hash_algorithms` for key 
  `hash_algorithms` at line 3 column 1

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
