Hi Simon,

On Fri, Feb 21, 2025 at 11:27:00PM +0000, Santiago Vila wrote:
> During a rebuild of all packages in unstable, your package failed to build:
>
> <snip>
>
> verify_test.go:563: Verify failed with error: pkcs7: failed to verify
> certificate chain: x509: certificate signed by unknown authority (possibly
> because of "x509: cannot verify signature: insecure algorithm SHA1-RSA" while
> trying to verify candidate authority certificate "PKCS7 Test Intermediate
> Cert")
> --- FAIL: TestSignWithOpenSSLAndVerify (0.01s)

I started looking into this issue because it's threatening autoremoval of podman, by virtue of being in its reverse-dependency chain. I don't know anything else about this package, nor have I made any uploads for it.

While looking into it, I noticed that it's abandonware upstream, started looking around and finally ended up finding your comment at https://github.com/smallstep/pkcs7/issues/45 :)

From there I gather that:
a) you are already aware of this issue;
b) you've already worked around it for smallstep/pkcs7;
c) you're considering replacing fullsailor/pkcs7 with smallstep/pkcs7.

Given all that, it feels like perhaps you intentionally haven't fixed this fullsailor/pkcs7 bug, so I wanted to check with you before working on it.

I'd love to hear your thoughts on how to proceed!

Thanks,
Faidon