On Mon, Jun 02, 2025 at 13:49:05 +0200, Harald Dunkel wrote:
> Hi folks,
> 
> trying Trixie "apt update" shows a warning about my local repo
> (managed by reprepro on Bookworm) I don't know how to handle:
> 
> Warning: http://debian.example.com/debian/dists/trixie-backports/InRelease: 
> Policy will reject signature within a year, see --audit for details
> Audit: http://debian.example.com/debian/dists/trixie-backports/InRelease: 
> Sub-process /usr/bin/sqv returned an error code (1), error message is:
>    Signing key on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not bound:
>               No binding signature at time 2025-06-02T09:32:30Z
>      because: Policy rejected non-revocation signature 
> (PositiveCertification) requiring second pre-image resistance
>      because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
>      
> 
> I know that SHA1 is not secure, but what is this resistance error message
> trying to tell me? InRelease is signed by an RSA4096 key. Digest is SHA512.
> I also have a revocation key for the signing key.

Well, it just says it's a Warning, and that something will change on
February 1, 2026.  So you should be OK for now.
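
Added example, not part of the original thread: the audit text names a PositiveCertification, which is a signature on the key itself (OpenPGP signature class 0x13) rather than the InRelease signature, so one way to see which binding signatures on the repository key use SHA1 is to parse the output of `gpg --export <key> | gpg --list-packets`. The sample dump, key ID and function names below are constructed for illustration.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Signature classes that bind user IDs or subkeys to the primary key
BINDING = {0x10: "GenericCertification", 0x11: "PersonaCertification",
           0x12: "CasualCertification", 0x13: "PositiveCertification",
           0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding"}
SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]{2})")
# Anchored so "digest algo" inside an embedded-signature subpacket is ignored
DIGEST_RE = re.compile(r"^\s+digest algo (\d+)")

# Constructed sample in the layout printed by `gpg --list-packets`
SAMPLE = """\
:public key packet:
    keyid: 0123456789ABCDEF
:user ID packet: "Local Repo <repo@example.com>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1400000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 5a 1c
:public sub key packet:
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x18
    digest algo 10, begin of digest 9f 02
"""

def binding_signatures(dump):
    """Return (keyid, class name, hash name) for each binding signature."""
    found, keyid, sigclass = [], None, None
    for line in dump.splitlines():
        m = SIG_RE.match(line)
        if m:                              # a new signature packet starts
            keyid, sigclass = m.group(1), None
        elif line.startswith(":"):         # any other packet ends the signature
            keyid = None
        elif keyid is not None:
            c, d = CLASS_RE.search(line), DIGEST_RE.match(line)
            if c:
                sigclass = int(c.group(1), 16)
            if d and sigclass in BINDING:
                algo = int(d.group(1))
                found.append((keyid, BINDING[sigclass],
                              HASHES.get(algo, f"algo {algo}")))
    return found

def sha1_bindings(dump):
    """Binding signatures a SHA1-rejecting policy would refuse."""
    return [s for s in binding_signatures(dump) if s[2] == "SHA1"]
```
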
