On 02/06/2025 12:49, Harald Dunkel wrote:
Hi folks,

Trying Trixie, "apt update" shows a warning about my local repo
(managed by reprepro on Bookworm) that I don't know how to handle:

Warning: http://debian.example.com/debian/dists/trixie-backports/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://debian.example.com/debian/dists/trixie-backports/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
    Signing key on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not bound:
               No binding signature at time 2025-06-02T09:32:30Z
      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
      because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
I know that SHA1 is not secure, but what is this resistance error message
trying to tell me? InRelease is signed by an RSA4096 key. Digest is SHA512.
I also have a revocation key for the signing key.

???

https://stackoverflow.com/questions/28378326/difference-between-preimage-resistance-and-second-preimage-resistance appears to be a decent primer on the topic.

Pre-image resistance prevents you finding the original input for a given hash. But DEBs are, generally, publicly available, so we're not really interested in _reversing_ the hash per se.

Second pre-image resistance prevents you finding ANOTHER input which matches the hash.

apt version 3.0.1 lists some of the types which have been deprecated.



Every helpful comment is highly appreciated

Harri


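An added example (not from the thread, and not apt's or sequoia's code) showing what the audit line is pointing at: the key's own binding signatures. It walks the OpenPGP packets of a binary public key and reports every certification or subkey-binding signature made with SHA1 or MD5, which is the check a policy like sqv's applies to the signing key rather than to the InRelease digest. The keyring path in the usage note and the sample key bytes are assumptions.

```python
# Added example, not from the thread: walks the OpenPGP packets of a binary
# public key (e.g. a /etc/apt/keyrings/*.gpg file) and lists every
# certification/binding signature made with a digest a modern policy rejects.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
BINDING_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
                 0x12: "CasualCertification", 0x13: "PositiveCertification",
                 0x18: "SubkeyBinding", 0x1F: "DirectKey"}

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header (is the key ASCII-armored?)")
        if ctb & 0x40:  # new format: tag in low 6 bits, 1- or 2-octet length
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            else:
                raise ValueError("5-octet and partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length size encoded in low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def weak_binding_signatures(data: bytes, weak=("MD5", "SHA1")):
    """Return [(signature type, digest)] for v4 binding signatures using a weak digest."""
    found = []
    for tag, body in iter_packets(data):  # tag 2 = signature; v4 layout: ver, type, pk algo, hash algo
        if tag == 2 and len(body) >= 4 and body[0] == 4 and body[1] in BINDING_TYPES:
            digest = HASH_ALGOS.get(body[3], f"algo {body[3]}")
            if digest in weak:
                found.append((BINDING_TYPES[body[1]], digest))
    return found

def _pkt(tag, body):  # new-format header with a one-octet length (body < 192 octets)
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample: public key, user ID, a PositiveCertification made with
# SHA1 (the case in the audit message) and one re-issued with SHA512.
SAMPLE_KEY = (_pkt(6, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00" * 10)
              + _pkt(13, b"Example Repo <repo@debian.example.com>")
              + _pkt(2, bytes([4, 0x13, 1, 2]) + b"\x00" * 8)
              + _pkt(2, bytes([4, 0x13, 1, 10]) + b"\x00" * 8))
```

To inspect a real key, pass the binary keyring apt uses, e.g. `weak_binding_signatures(open("/etc/apt/keyrings/example.gpg", "rb").read())` (assumed path); an armored .asc file must be converted with `gpg --dearmor` first. An empty result means the key's self-signatures are not the cause and the digest of InRelease itself should be checked next.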