id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
24439	APT-Signature rejected because of SHA1	kimarite	team	"==== What steps will reproduce the problem?
1. 


{{{
LANG=C sudo apt-get update
[...]
Reading package lists... Done
W: https://josm.openstreetmap.de/apt/dists/alldist/InRelease: Policy will reject signature within a year, see --audit for details
}}}


2. 


{{{
LANG=C sudo apt update --audit
[...]
Warning: https://josm.openstreetmap.de/apt/dists/alldist/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://josm.openstreetmap.de/apt/dists/alldist/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on 357FA575BC36BFB910E88579130A439C78FC0F87 is not bound:
              No binding signature at time 2025-08-07T01:31:31Z
     because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
}}}


3. 


{{{
sq inspect /usr/share/keyrings/josm-apt.gpg 
/usr/share/keyrings/josm-apt.gpg: OpenPGP Certificate.

      Fingerprint: 357FA575BC36BFB910E88579130A439C78FC0F87
                   Invalid: No binding signature at time 2025-08-17T12:55:49Z: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure since 2023-02-01T00:00:00Z
  Public-key algo: RSA
  Public-key size: 2048 bits
    Creation time: 2011-12-08 09:19:21 UTC

           Subkey: 0323C62CED0BE7ADB1E73B2956EC72051CE074AE
                   Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
                   because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
                   Invalid: primary key: No binding signature at time 2025-08-17T12:55:49Z, because Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure since 2023-02-01T00:00:00Z
  Public-key algo: RSA
  Public-key size: 2048 bits
    Creation time: 2011-12-08 09:19:21 UTC

           UserID: JOSM developers (key for signing josm deb package repo) <josm-dev@openstreetmap.org>
                   Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
                   because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
}}}


==== What is the expected result?

Fact: Debian 13 with Sequoia-PGP
https://wiki.debian.org/DebianRepository/UseThirdParty#OpenPGP_certificate_handling


==== What happens instead?

I tried "gpg dearmor" and "sq packet dearmor", and tried both the .list and the .sources format; the warning does not disappear.

*.list


{{{
deb [signed-by=/usr/share/keyrings/josm-apt.gpg] https://josm.openstreetmap.de/apt/ alldist universe
}}}


*.sources

{{{

URIs: https://josm.openstreetmap.de/apt/
Suites: alldist
Architectures: amd64
Components: universe 
Types: deb
Signed-By: /usr/share/keyrings/josm-apt.gpg
}}}


==== Please provide any additional information below. Attach a screenshot if possible.

{{{
Relative:URL: ^/trunk
Repository:UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
Last:Changed Date: 2025-08-06 23:12:26 +0200 (Wed, 06 Aug 2025)
Revision:19434
Build-Date:2025-08-07 01:30:40
URL:https://josm.openstreetmap.de/svn/trunk

Identification: JOSM/1.5 (19434 hu) Linux Debian GNU/Linux 13 (trixie)
Memory Usage: 216 MB / 1954 MB (88 MB allocated, but free)
Java version: 21.0.8+9-Debian-1, Debian, OpenJDK 64-Bit Server VM
Look and Feel: javax.swing.plaf.metal.MetalLookAndFeel
Screen: :0.0 1280x1024x[Multi depth]@75Hz (scaling 1.00×1.00)
Maximum Screen Size: 1280×1024
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: hu_HU.UTF-8
System property file.encoding: UTF-8
System property sun.jnu.encoding: UTF-8
Locale info: hu_HU
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: MATE
Java package: openjdk-21-jre:amd64-21.0.8+9-1
Java ATK Wrapper package: libatk-wrapper-java:all-0.40.0-3
fonts-noto: fonts-noto:all-20201225-2
VM arguments: [--module-path=/usr/share/openjfx/lib, --add-modules=java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web, -Djosm.restart=true, -Djosm.dir.name=JOSM-latest, -Djava.net.useSystemProxies=true, --add-exports=java.base/sun.security.action=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED]
}}}
"	defect	closed	normal	26.01	Ubuntu package	latest	fixed	template_report	
