Package: apt
Version: 2.9.21
Severity: important

The switch to sqv has broken my apt configuration slightly.

I have certain sources that have poorly configured signing (certain PPAs and the unofficial Slack repo) and hence need to allow weak crypto such as rsa1024 and sha1 collisions. It seems like the switch to sqv ignores any existing sources.list or apt.conf flags such as `allow-weak` or `trusted`. It also seems to be ignoring global options:

```
$ sudo apt update --allow-insecure-repositories
...
Hit:15 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Err:15 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound: primary key because: No binding signature at time 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
...
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound: primary key because: No binding signature at time 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
...
Warning: Failed to fetch https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound: primary key because: No binding signature at time 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
```

This breaks existing setups and prevents packages from being updated from these sources. The only workaround is to set a global apt sqv configuration via APT_SEQUOIA_CRYPTO_POLICY.

After investigating options, I'd suggest a way to set an apt.conf option for a specific source to use a hardcoded path as its sqv policy. I would have the functionality I need in a highly configurable way. Something like:

`Acquire::sqv::packagecloud.io::slacktechnologies/slack/debian::jessie::SEQUOIA_CRYPTO_POLICY "/etc/crypto-policies/back-ends/apt-sequoia-insecure.config";`

I didn't see any documentation for apt to reflect sqv options as of yet. If I manage to get time I'll take a look at contributing code, but I thought I'd report this, as this change will undoubtedly leave many with sources failing to update and will have security implications whether or not the workaround is in place.

```
$ sqv -V
sqv 1.2.1 (sequoia-openpgp 1.21.2, using Nettle 3.10 (Cv448: true, OCB: true))
$ uname -r
6.11.2-amd64
```

-- FRITZ|FRITZ
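As an added illustration of the APT_SEQUOIA_CRYPTO_POLICY workaround the report describes (this is not part of the report and not a file shipped by apt or sqv), here is what a narrowly scoped sqv crypto policy file can look like. The section and key names follow the sequoia-policy-config format as I understand it, the cut-off dates are placeholders, and the idea is to relax only the one check the reported error names (SHA-1 collision resistance on a certification signature) rather than to turn weak-algorithm rejection off wholesale; verify the key names against the sqv version in use before relying on this.

```toml
# Example sqv crypto policy (assumed sequoia-policy-config TOML layout; the key
# names and value semantics below are assumptions to check against your sqv).
# Each value is "always" (accept), "never" (reject), or a date after which the
# algorithm is no longer accepted.

[hash_algorithms]
# The report's failure is a PositiveCertification that requires SHA-1
# collision resistance, which sqv rejects for signatures after 2013-02-01.
# Pushing that cut-off forward, to a date you choose, re-enables those
# certifications without leaving the exception open indefinitely.
sha1.collision_resistance = "2025-07-01"   # placeholder date
# sha1 second-preimage resistance is left at the default on purpose;
# the reported error does not need it relaxed.

[asymmetric_algorithms]
# Only needed for sources that also sign with 1024-bit RSA keys,
# which the report mentions as a second case.
rsa1024 = "2025-07-01"   # placeholder date
```

The report identifies APT_SEQUOIA_CRYPTO_POLICY as the global hook apt offers; pointing it at this file in the environment apt runs under applies the relaxed policy to every source, which is exactly the limitation the reporter wants a per-source `Acquire::sqv::...` option to remove. A dated cut-off rather than `"always"` means the exception expires on its own once the upstream repositories fix their key material.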