On 26/12/25 at 16:05 -0400, Stefano Rivera wrote:
> Hi Lucas (2025.12.26_13:45:33_-0400)
> > gpgv: Signature made Thu 05 Sep 2024 01:20:02 AM UTC
> > gpgv:                using DSA key 3C2C43D9447D5938EF4551EBE23B7E70B467F0BF
> 
> I would assume this is the issue, a 1k DSA signature.
> 
> The spec says:
> > The signature (and any dependent signature, such as the cross-sig or
> > subkey binding signatures) must be made with strong cryptographic
> > algorithms (e.g., not MD5 or a 1024-bit RSA key)
> 
> And from what I can see Sequoia's standard policy rejects keys shorter than
> 2k for messages created later than 2014.

I wonder if this is really what we want for uscan.  Debian can impose a
policy on Debian developers' keys, but this is about upstream
developers' keys: isn't a weak key/signature better than no signature at
all?

Lucas
