Signing Key Insecure?

After I upgraded my apt to 3.0.3, “apt update” started to show:
Warning: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://deb.torproject.org/torproject.org/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is not bound:
Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Today is 2025-08-12; 2026 is in the future. A typo maybe?

https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm


The Tor team is using at least 3 message-digest algorithms (SHA256, SHA1, MD5); some of them, SHA1 and MD5, are not considered secure.
view-source:https://deb.torproject.org/torproject.org/dists/trixie/InRelease

Package manager APT said “Policy will reject signature within a year, see --audit for details”

I don’t understand this response. The writer said since 2026-02-01T00:00:00Z. Since implies previous to today. My question was “is this a typo?” as in a year previous to today like 2006 or as you say will be in 2026.

Thanks. I updated my “deb.torproject.org-keyring” and this warning disappears.

Sorry, I’m not familiar with apt; the file InRelease is not related to this warning. intrigeri’s comments may help:

$ gpg -vv path/to/gpg/in/deb.torproject.org-keyring_2024.05.22.tar.xz
gpg: enabled compatibility flags:
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
	version 4, algo 1, created 1252060267, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: EE8CBC9E886DDD89
# off=272 ctb=b4 tag=13 hlen=2 plen=38
:user ID packet: "deb.torproject.org archive signing key"
# off=312 ctb=89 tag=2 hlen=3 plen=339
:signature packet: algo 1, keyid EE8CBC9E886DDD89
	version 4, created 1716368542, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 70 5a
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89)
	hashed subpkt 2 len 4 (sig created 2024-05-22)
	hashed subpkt 9 len 4 (key expires after 18y363d22h31m)
	subpkt 16 len 8 (issuer key ID EE8CBC9E886DDD89)
	data: [2047 bits]
# off=654 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
	version 4, algo 1, created 1252060560, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 74A941BA219EC810
# off=926 ctb=89 tag=2 hlen=3 plen=603
:signature packet: algo 1, keyid EE8CBC9E886DDD89
	version 4, created 1716368551, md5len 0, sigclass 0x18
	digest algo 10, begin of digest 20 4d
	hashed subpkt 27 len 1 (key flags: 02)
	hashed subpkt 33 len 21 (issuer fpr v4 A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89)
	hashed subpkt 2 len 4 (sig created 2024-05-22)
	hashed subpkt 9 len 4 (key expires after 17y8d22h26m)
	subpkt 32 len 284 (signature: v4, class 0x19, algo 1, digest algo 2)
	subpkt 16 len 8 (issuer key ID EE8CBC9E886DDD89)
	data: [2047 bits]
gpg: using pgp trust model
gpg: key C36FAF3B57708197: accepted as trusted key
gpg: key AB177F1BB725D37C: accepted as trusted key
pub   rsa2048 2009-09-04 [SC] [expires: 2028-08-29]
      A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
uid           deb.torproject.org archive signing key
sig        EE8CBC9E886DDD89 2024-05-22   [selfsig]
sub   rsa2048 2009-09-04 [S] [expires: 2026-09-09]
sig        EE8CBC9E886DDD89 2024-05-22   [keybind]

“class 0x19” means Primary Key Binding Signature (rfc9580#name-primary-key-binding-signatu), “digest algo 2” means SHA-1 (rfc9580#name-hash-algorithms).
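The same check done programmatically, as an added example that is not part of the thread or of any Tor or Sequoia tool: it walks a binary (dearmored) OpenPGP keyring, reads the hash algorithm of every signature packet, and follows subpacket 32 into the embedded primary-key binding signature, which is where the SHA-1 in the gpg dump above hides. Function names and the sample bytes are my own; the sample is constructed, not the Tor key.

```python
HASH = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def length_at(buf, i, two_max):
    """Decode a variable-length count at buf[i] -> (length, next index); two_max: 224 packets, 255 subpackets."""
    n = buf[i]
    if n < 192: return n, i + 1
    if n < two_max: return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255: return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths not supported")

def packets(data):
    """Yield (tag, body) per OpenPGP packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                  # new-format header
            tag = ctb & 0x3F
            length, i = length_at(data, i + 1, 224)
        else:                                           # old-format header (as in the gpg dump above)
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 3)   # 1, 2 or 4 length octets
            if size == 8: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i + 1:i + 1 + size], "big"); i += 1 + size
        yield tag, data[i:i + length]
        i += length
def subpackets(area):
    """Yield (type, body) per signature subpacket; the top bit of the type is the critical flag."""
    i = 0
    while i < len(area):
        length, i = length_at(area, i, 255)
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length

def sig_digests(body, depth=0):
    """[(sigclass, hash name, depth)] for a v4 signature plus any embedded (type 32) signatures."""
    if body[0] != 4: return []
    hl = int.from_bytes(body[4:6], "big")
    ul = int.from_bytes(body[6 + hl:8 + hl], "big")
    out = [(body[1], HASH.get(body[3], f"algo {body[3]}"), depth)]
    for area in (body[6:6 + hl], body[8 + hl:8 + hl + ul]):
        out += [r for t, v in subpackets(area) if t == 32 for r in sig_digests(v, depth + 1)]
    return out
def audit(keyring):
    """[(sigclass, hash name, weak?)] for every signature packet (tag 2) in the keyring bytes."""
    return [(c, h, h in ("MD5", "SHA1")) for tag, b in packets(keyring) if tag == 2 for c, h, _ in sig_digests(b)]

# Constructed sample, not the Tor key: a new-format user ID packet, then a SHA256 subkey-binding signature
# (class 0x18) whose unhashed subpacket 32 embeds a SHA1 primary-key binding signature (class 0x19).
INNER = bytes([4, 0x19, 1, 2, 0, 0, 0, 0, 0xAA, 0xBB, 0, 1, 1])          # dummy 1-bit MPI at the end
OUTER = bytes([4, 0x18, 1, 8, 0, 6, 5, 2, 0x66, 0x4D, 0, 0, 0, 15, 14, 32]) + INNER + bytes([0xCC, 0xDD, 0, 1, 1])
SAMPLE = bytes([0xCD, 5]) + b"alice" + bytes([0x88, len(OUTER)]) + OUTER
```

Running `audit(SAMPLE)` reports the outer binding signature as SHA256 and the embedded class 0x19 signature as SHA1, flagged weak; pointed at the extracted keyring file it gives the same picture as the gpg listing.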
