Johannes Schauer Marin Rodrigues <jo...@debian.org> writes:

>> APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
>> requires repositories to be signed using one of
>>
>> - RSA keys of at least 2048 bit
>> - Ed25519
>> - Ed448
>>
>> Any other keys will cause warnings. These warnings will become
>> errors in March
>
> I talked to David in #debian-devel and had a look at apt commit 50e3fee26a.
> This change requires a version of gpgv with support for the
> --assert-pubkey-algo commandline argument. The version of gnupg2 in unstable
> or experimental does not include this, so it seems we cannot currently test
> this in Debian.
>
> Furthermore, if you really need support for repositories with fewer RSA bits
> even after a new version of gnupg2 lands in Debian, you can change the apt
> configuration APT::Key::Assert-Pubkey-Algo which has a default value of
> ">=rsa2048,ed25519,ed448" to something else or set it to the empty string
> to entirely disable this functionality.
>
> Maybe this helps someone.

It does - but also makes me wonder: is this going to affect Debian users
with 3rd party repositories when they upgrade to trixie? (or is that not
yet known?)

(release-notes do say to remove all 3rd party packages before upgrades,
but I suspect that is ignored: helpful to provide a heads-up anyway)

Seems like a candidate for the release-notes - happy to help draft, but
would need some information:

- Does this affect 'official' Debian repositories? (I assume not)
- Does this affect local repositories built with reprepro or other tools
  in Debian?
- If I am using 3rd party/local (reprepro etc.) repositories with "old"
  signatures, will they stop working (assume a dist-upgrade to trixie with
  new enough apt, gpg etc.)?
- How will this affect upgrades: will apt error out or just keep packages
  back?
- How would a user with 3rd party repos check if they are affected? (Is
  there a command/file to check that shows the algorithm used for each
  repository enabled?)
- How to disable this feature?

I assume: if you need to re-enable a 3rd party repo with an older signature
algorithm, you will need to add a file in /etc/apt/apt.conf.d/ (or use the -o
option to apt) to set APT::Key::Assert-Pubkey-Algo to the algorithm used --
is there a way to say ">=rsa2048,ed25519,ed448 or X" where X is the algorithm
needed to allow some repository to continue to be used? Can we turn this off
for just one un-updated repo and keep the check for everything else? Or is
the only workaround to set the option to the empty string? Or is there a
NEWS.Debian for apt we can point to that explains all this?
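As an added illustration (not from this thread, and not apt's or GnuPG's own tooling), here is a small POSIX shell script that gives a rough answer to the "how would a user check if they are affected" question above: it runs gpg --show-keys --with-colons over the keyrings apt reads and flags every signing-capable key that falls outside the ">=rsa2048,ed25519,ed448" default quoted from Johannes. The colon-separated listing format (field 3 = key length, field 4 = RFC 4880 algorithm id, field 12 = key capabilities, field 17 = curve name) is GnuPG's documented machine-readable output; the default keyring paths, the choice to judge only signing-capable keys, and every record in SAMPLE_LISTING are my own assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not part of the thread and not apt/GnuPG code: list the
# OpenPGP keys apt trusts and mark those that the default
# APT::Key::Assert-Pubkey-Algo policy (">=rsa2048,ed25519,ed448") would
# reject. Input is GnuPG's `--with-colons` listing. In a "pub:"/"sub:"
# record: field 3 = bits, field 4 = algorithm id (1 = RSA, 17 = DSA,
# 19 = ECDSA, 22 = EdDSA), field 5 = key id, field 12 = capabilities
# (lowercase "s" = signing-capable), field 17 = curve name for ECC keys.

# judge_record RECORD: prints "skip" for records that cannot sign, otherwise
# "ok|weak:<keyid>:<bits>:<algo>:<pub|sub>".
judge_record() {
    printf '%s\n' "$1" | awk -F: '
    $1 != "pub" && $1 != "sub" { print "skip"; next }   # uid:, fpr:, ...
    index($12, "s") == 0      { print "skip"; next }   # encryption-only subkey etc.
    {
        verdict = "weak"
        if ($4 == 1 && ($3 + 0) >= 2048) verdict = "ok"               # RSA >= 2048
        if ($4 == 22 && ($17 == "ed25519" || $17 == "ed448")) verdict = "ok"
        print verdict ":" $5 ":" $3 ":" $4 ":" $1
    }'
}

# count_weak_keys: reads a --with-colons listing on stdin, prints how many
# signing-capable keys fail the policy.
count_weak_keys() {
    n=0
    while IFS= read -r rec; do
        case "$(judge_record "$rec")" in weak:*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# report_keyring FILE: one "verdict<TAB>file" line per signing-capable key.
# --show-keys reads a binary or armored keyring file without importing it.
report_keyring() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | while IFS= read -r rec; do
        v=$(judge_record "$rec")
        [ "$v" = "skip" ] || printf '%s\t%s\n' "$v" "$1"
    done
}

# Constructed sample listing (fake key ids, no real archive keys): an RSA-4096
# primary with a signing and an encryption subkey, a DSA-1024 key, an RSA-2048
# key, an Ed25519 key and an RSA-1024 signing subkey. Two records are "weak".
SAMPLE_LISTING='pub:-:4096:1:1111111111111111:1700000000:::-:::scESC::::::::0:
uid:-::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Archive Key (constructed) <archive@example.org>::::::::::0:
sub:-:4096:1:2222222222222222:1700000000:::-:::s::::::::0:
sub:-:4096:1:3333333333333333:1700000000:::-:::e::::::::0:
pub:-:1024:17:4444444444444444:1500000000:::-:::scESC::::::::0:
pub:-:2048:1:5555555555555555:1600000000:::-:::scESC::::::::0:
pub:-:256:22:6666666666666666:1700000000:::-:::scESC:::::ed25519:::0:
sub:-:1024:1:7777777777777777:1500000000:::-:::s::::::::0:'

main() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; judging the constructed sample listing instead" >&2
        printf '%s\n' "$SAMPLE_LISTING" | while IFS= read -r rec; do
            v=$(judge_record "$rec")
            [ "$v" = "skip" ] || echo "$v"
        done
        return 0
    fi
    # Assumed default locations; Signed-By keyrings referenced from
    # sources.list(.d) may live elsewhere and can be passed as arguments.
    if [ $# -eq 0 ]; then
        set -- /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/* /etc/apt/keyrings/*
    fi
    for f in "$@"; do
        [ -f "$f" ] || continue
        report_keyring "$f"
    done
    return 0
}

main "$@"
```

The script inspects the keys apt would accept, not which repository uses which key, so a "weak" line means "check the Release signature of whatever source this keyring is meant for"; the actual apt/gpgv check applies to the key that produced the signature, which for many archives is a signing subkey, hence sub: records are judged too.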