On Sun, Feb 01, 2026 at 02:55:31PM +0000, Simon McVittie wrote:
> Perhaps the test keys in src/tests/tstunt/gpg, which seem to have been 
> generated in 2013/2014, need to be regenerated with a SHA256 
> self-signature or replaced with new keys so that apt will still consider 
> them to be sufficiently strong? Or perhaps the signing key is somewhere 
> else, I'm not familiar with this test suite.

If the keys are not actually relevant to the test (they probably 
can't be secure) maybe it'd be better if the test generated new 
keys, or just used `Trusted: yes` in the APT sources.

Testing APT's signature verification doesn't seem particularly 
useful in src:dgit?

Chris
