Package: release-notes
Severity: normal
X-Debbugs-Cc: j...@debian.org

APT in trixie has the following cut-offs for OpenPGP key algorithms:

2026-02-01

    - Keys with SHA-1 self-signatures. These need to be re-signed, that
      is, change the expiry to the same value as before, for example.
    - SHA224 signatures
    - v3 signature packets, as used by Open Build Service

2028-02-01

    - Brainpool Curves

2030-02-01

    - RSA keys with fewer than 3072 bits

APT will issue warnings 1 year ahead of the cut-off dates.

Other keys have been cut off in the past, such as RSA below
2048 bits and DSA keys.

The policy can be adjusted following the hint in

/etc/crypto-policies/back-ends/apt-sequoia.config

But we may want to introduce a tiny feature in a stable update
to simply set a fixed policy date (i.e. verify keys using the
policy as of 2025-08-01 to keep a trixie system with no changes
in behavior).
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
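
An added illustration, not part of the original report and not APT's own code: the cut-off schedule listed above, encoded as a small checker that tells a repository maintainer whether a signing key would be accepted, warned about, or rejected on a given date. The key-description fields (`algo`, `bits`, `selfsig_hash`, `sig_version`) are hypothetical, only the self-signature hash is modelled, and treating the cut-off date itself as the first rejected day is an assumption.

```python
from datetime import date

# Cut-off schedule copied from the report above. Each rule is
# (cut-off date, reason, predicate over a hypothetical key-description dict).
RULES = [
    (date(2026, 2, 1), "SHA-1 self-signature",
     lambda k: k["selfsig_hash"] == "SHA1"),
    (date(2026, 2, 1), "SHA224 signature",
     lambda k: k["selfsig_hash"] == "SHA224"),
    (date(2026, 2, 1), "v3 signature packet",
     lambda k: k["sig_version"] == 3),
    (date(2028, 2, 1), "Brainpool curve",
     lambda k: k["algo"].lower().startswith("brainpool")),
    (date(2030, 2, 1), "RSA key with fewer than 3072 bits",
     lambda k: k["algo"].lower() == "rsa" and k["bits"] < 3072),
]


def assess(key, today):
    """Return (status, hits).

    status is 'ok', 'warn' or 'reject'; hits lists (cutoff, reason) for
    every rule the key matches, earliest cut-off first.
    """
    hits = sorted((cutoff, why) for cutoff, why, match in RULES if match(key))
    status = "ok"
    for cutoff, _ in hits:
        # Assumption: the key stops being accepted on the cut-off date itself.
        if today >= cutoff:
            return "reject", hits
        # Warnings are issued one year ahead of the cut-off date.
        if today >= cutoff.replace(year=cutoff.year - 1):
            status = "warn"
    return status, hits


# Constructed sample keys (not real keys).
OBS_STYLE = {"algo": "rsa", "bits": 2048, "selfsig_hash": "SHA256", "sig_version": 3}
BRAINPOOL = {"algo": "brainpoolP256r1", "bits": 256, "selfsig_hash": "SHA256", "sig_version": 4}
MODERN = {"algo": "ed25519", "bits": 256, "selfsig_hash": "SHA512", "sig_version": 4}

if __name__ == "__main__":
    for name, key in [("obs-style", OBS_STYLE), ("brainpool", BRAINPOOL), ("modern", MODERN)]:
        status, hits = assess(key, date(2025, 8, 1))
        print(name, status, [(c.isoformat(), why) for c, why in hits])
```

A key that matches several rules is judged by its earliest cut-off, so the constructed `OBS_STYLE` key fails in 2026 because of its v3 signature, well before the 2030 RSA size limit applies.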
