It looks like debsig-verify >=0.24 is rejecting SHA1 signatures.
```
debsig-verify (0.24) unstable; urgency=medium

  * Switch keyring parser from gpg --list-packets to --show-keys --with-colons.
  * Use fingerprint and fallback to use long keyIDs for database filenames.
  * Reject weak RIPEMD160 and SHA1 algorithms.
```
and the deb file is signed using a SHA1 digest:
```
chris ~/dev % debsig-verify -v -d msft-git.deb
[...]
gpg: Signature made Tue 22 Oct 2024 01:20:37 PM PDT
gpg:                using RSA key 02A148FB2E0D16E17F4B1E32B8F12E25441124E1
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm
debsig: sigVerify: gpg exited abnormally or with non-zero exit status
```

```
chris ~/dev % gpg -vv --show-key _gpgorigin
# off=0 ctb=89 tag=2 hlen=3 plen=435
:signature packet: algo 1, keyid B8F12E25441124E1
	version 4, created 1729628437, md5len 0, sigclass 0x00
	digest algo 2, begin of digest bc e8
```
A workaround is to allow the weak algo in GnuPG: `echo "allow-weak-digest-algos" >> /etc/gnupg/gpg.conf`, but the build signing should be updated by the maintainers.
Snippet from readme doesn't work out of the box:
I came from here:
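The `gpg -vv --show-key _gpgorigin` output above shows the relevant fact in one field: `digest algo 2` is SHA1 in the OpenPGP algorithm registry, which is exactly what debsig-verify 0.24 now rejects. The following Python script, added here as an example (it is not code from debsig-verify, GnuPG or the msft-git project), reads the `_gpgorigin` member out of a `.deb` (which is a plain `ar` archive), parses the first OpenPGP signature packet the way `--list-packets` reports it (v3 and v4 layouts, old- and new-format headers), and flags MD5, SHA1 or RIPEMD160 digests before a package is fed to `debsig-verify`. The sample archive and packet are constructed inline from the values in the gpg output (key ID `B8F12E25441124E1`, creation time `1729628437`, left-16 `bc e8`); the trailing MPI is a dummy, so the sample is not a real signature. It assumes `_gpgorigin` is stored in binary (not ASCII-armored) form, as debsigs writes it.

```python
"""Inspect the digest algorithm in a .deb's `_gpgorigin` OpenPGP signature.

Added example for this issue; not part of debsig-verify, GnuPG or the msft-git
project. The sample archive and signature packet are constructed inline and
the trailing MPI is a dummy, so the sample is not a real signature.
"""
import struct
from dataclasses import dataclass
from typing import Optional

AR_MAGIC = b"!<arch>\n"
WEAK_HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}  # RFC 4880 hash algorithm ids


@dataclass
class SigInfo:
    version: int
    sig_class: int
    pubkey_algo: int
    hash_algo: int
    created: Optional[int]
    keyid: Optional[str]


def parse_packet_header(data: bytes, off: int = 0):
    """Return (tag, header_len, body_len) for the packet starting at off."""
    ctb = data[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[off + 1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[off + 2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[off + 2:off + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header; ctb=89 -> tag 2, 2-byte length
    if ltype == 0:
        return tag, 2, data[off + 1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[off + 1:off + 5])[0]
    raise ValueError("indeterminate length not supported")


def iter_subpackets(buf: bytes):
    """Yield (type, data) for each v4 signature subpacket in buf."""
    i = 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]  # mask off the "critical" bit
        i += length


def parse_signature(data: bytes) -> SigInfo:
    """Parse the first packet of data, which must be a signature packet (tag 2)."""
    tag, hlen, plen = parse_packet_header(data)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    body = data[hlen:hlen + plen]
    if body[0] == 3:  # v3: fixed layout; key id and time sit directly in the body
        return SigInfo(3, body[2], body[15], body[16],
                       struct.unpack(">I", body[3:7])[0], body[7:15].hex().upper())
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    subpackets = body[6:6 + hashed_len] + body[8 + hashed_len:8 + hashed_len + unhashed_len]
    created = keyid = None
    for stype, sdata in iter_subpackets(subpackets):
        if stype == 2:      # signature creation time
            created = struct.unpack(">I", sdata)[0]
        elif stype == 16:   # issuer key id
            keyid = sdata.hex().upper()
    return SigInfo(4, body[1], body[2], body[3], created, keyid)


def weak_digest(info: SigInfo) -> Optional[str]:
    """Name of the weak digest the signature uses, or None if it is acceptable."""
    return WEAK_HASH_ALGOS.get(info.hash_algo)


def extract_ar_member(archive: bytes, name: str) -> bytes:
    """Pull one member out of an `ar` archive such as a .deb."""
    if not archive.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(archive):
        hdr = archive[off:off + 60]
        member, size = hdr[0:16].decode().rstrip(" /"), int(hdr[48:58].strip())
        if member == name:
            return archive[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # members are padded to even offsets
    raise KeyError(name)


def build_sample_gpgorigin(hash_algo: int = 2) -> bytes:
    """Constructed v4 RSA signature packet (dummy MPI; values from the gpg output above)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1729628437)          # creation time subpacket
    hashed += bytes([9, 16]) + bytes.fromhex("B8F12E25441124E1")    # issuer key id subpacket
    body = bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0) + bytes.fromhex("bce8")            # no unhashed data; left 16 bits
    body += struct.pack(">H", 8) + b"\x01"                           # dummy 8-bit MPI
    return bytes([0x89]) + struct.pack(">H", len(body)) + body       # old-format header, tag 2


def build_sample_deb(hash_algo: int = 2) -> bytes:
    """Constructed minimal ar archive containing only a _gpgorigin member."""
    sig = build_sample_gpgorigin(hash_algo)
    hdr = b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (b"_gpgorigin", b"0", b"0", b"0", b"100644",
                                                 str(len(sig)).encode())
    return AR_MAGIC + hdr + sig + (b"\n" if len(sig) & 1 else b"")


if __name__ == "__main__":
    import sys
    deb = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb()
    info = parse_signature(extract_ar_member(deb, "_gpgorigin"))
    print(f"v{info.version} signature by key {info.keyid}, hash algo {info.hash_algo}")
    weak = weak_digest(info)
    print(f"{weak} digest: rejected by debsig-verify >= 0.24" if weak else "digest acceptable")
```

Run it with a package path (`python3 check_gpgorigin.py msft-git.deb`) to get the verdict for a real file, or without arguments to run against the constructed sample, which reports SHA1 just as the `gpg -vv` output above does. Only the first packet is inspected, which is enough for a detached signature; the `allow-weak-digest-algos` workaround quoted above makes gpg accept such a signature, while this check tells you in advance which packages would need it.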