• apt: WTH is a "second pre-image resistance"?

    From Harald Dunkel@21:1/5 to All on Mon Jun 2 14:40:01 2025
    Hi folks,

    trying Trixie "apt update" shows a warning about my local repo
    (managed by reprepro on Bookworm) I don't know how to handle:

    Warning: http://debian.example.com/debian/dists/trixie-backports/InRelease: Policy will reject signature within a year, see --audit for details
    Audit: http://debian.example.com/debian/dists/trixie-backports/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
    Signing key on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not bound:
    No binding signature at time 2025-06-02T09:32:30Z
    because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
    because: SHA1 is not considered secure since 2026-02-01T00:00:00Z


    I know that SHA1 is not secure, but what is this resistance error message trying to tell me? InRelease is signed by an RSA4096 key. Digest is SHA512.
    I also have a revocation key for the signing key.

    ???


    Every helpful comment is highly appreciated

    Harri

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Wooledge@21:1/5 to Harald Dunkel on Mon Jun 2 15:30:01 2025
    On Mon, Jun 02, 2025 at 13:49:05 +0200, Harald Dunkel wrote:
    > Hi folks,
    >
    > trying Trixie "apt update" shows a warning about my local repo
    > (managed by reprepro on Bookworm) I don't know how to handle:
    >
    > Warning: http://debian.example.com/debian/dists/trixie-backports/InRelease: Policy will reject signature within a year, see --audit for details
    > Audit: http://debian.example.com/debian/dists/trixie-backports/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
    > Signing key on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is not bound:
    > No binding signature at time 2025-06-02T09:32:30Z
    > because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
    > because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
    >
    >
    > I know that SHA1 is not secure, but what is this resistance error message trying to tell me? InRelease is signed by an RSA4096 key. Digest is SHA512.
    > I also have a revocation key for the signing key.

    Well, it just says it's a Warning, and that something will change on
    February 1, 2026. So you should be OK for now.

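    Added example for this thread (not code from apt, sqv, sequoia or reprepro). The audit line names a PositiveCertification, i.e. the key's own self-signature binding the user ID to the primary key, not the SHA512 data signature over InRelease. For a self-signature the signer fully controls the signed bytes, so sqv's policy only demands second pre-image resistance from the hash, and per the message it stops accepting SHA1 even for that on 2026-02-01; the InRelease signature itself, which needs collision resistance, is already on SHA512 and is not what is being warned about. The practical check is therefore which hash the key's binding signatures use. The packet walker below reads a binary OpenPGP stream per RFC 4880 (old and new length headers, v3 and v4 signature packets) and flags MD5/SHA1 on binding-type signatures. The SAMPLE stream is constructed here with dummy key material; only its headers, lengths, signature types and hash-algorithm bytes carry meaning. The key name and address in it are assumptions.

```python
"""Walk an OpenPGP packet stream and report the hash algorithm behind every
signature packet, flagging MD5/SHA1 on binding signatures (self-sigs,
certifications, subkey bindings). Added example for this thread, not code
from apt, sqv, sequoia or reprepro. Packet layout follows RFC 4880 sections
4.2, 5.2.2 and 5.2.3. SAMPLE is constructed below with dummy key material."""

SIG_TYPES = {
    0x00: "Binary", 0x01: "Text",
    0x10: "GenericCertification", 0x11: "PersonaCertification",
    0x12: "CasualCertification", 0x13: "PositiveCertification",
    0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey",
    0x20: "KeyRevocation", 0x28: "SubkeyRevocation", 0x30: "CertificationRevocation",
}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Signatures that bind a user ID, subkey or key attributes to a primary key.
BINDING_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1F}
WEAK_HASHES = {1, 2}                             # MD5, SHA1


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i, n = 0, len(data)
    while i < n:
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError(f"offset {i}: 0x{ptag:02x} is not a packet header")
        if ptag & 0x40:                          # new-format header (RFC 4880 4.2.2)
            tag = ptag & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                    # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            lsize = 1 << ltype                   # 1, 2 or 4 length bytes
            length, hdr = int.from_bytes(data[i + 1:i + 1 + lsize], "big"), 1 + lsize
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"offset {i}: packet body truncated")
        yield tag, body
        i += hdr + length


def parse_signature(body: bytes):
    """Return (version, sig_type, hash_algo) from a signature packet body."""
    version = body[0]
    if version == 4:   # ver, type, pk algo, hash algo, hashed subpackets, ...
        return 4, body[1], body[3]
    if version == 3:   # ver, 0x05, type, time(4), key id(8), pk algo, hash algo, ...
        return 3, body[2], body[16]
    raise ValueError(f"unsupported signature version {version}")


def audit(data: bytes):
    """Describe every signature packet and flag weak hashes on binding sigs."""
    findings = []
    for tag, body in iter_packets(data):
        if tag != 2:                             # only signature packets
            continue
        version, stype, halg = parse_signature(body)
        findings.append({
            "version": version,
            "sig_type": SIG_TYPES.get(stype, f"0x{stype:02x}"),
            "hash": HASH_ALGOS.get(halg, f"id {halg}"),
            "weak_binding": stype in BINDING_TYPES and halg in WEAK_HASHES,
        })
    return findings


# --- constructed sample stream (dummy key material, not a real key) ---------

def _packet(tag: int, body: bytes, new_format: bool = False) -> bytes:
    """Wrap a body in a one-byte-length header of either format."""
    assert len(body) < 192
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _v4_sig(sig_type: int, hash_algo: int) -> bytes:
    """v4 signature: RSA, no subpackets, 2-byte hash prefix, one dummy 8-bit MPI."""
    return bytes([4, sig_type, 1, hash_algo, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0x80])


SAMPLE = (
    _packet(6, bytes([4, 0, 0, 0, 0, 1, 0, 8, 0x80, 0, 2, 0x03]))  # public key (dummy RSA)
    + _packet(13, b"Example Signer <signer@debian.example.com>", new_format=True)
    + _packet(2, _v4_sig(0x13, 2))    # positive self-certification made with SHA1
    + _packet(2, _v4_sig(0x00, 10))   # data signature (as on InRelease) made with SHA512
)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "  <- hit by the 2026-02-01 SHA1 cutoff" if f["weak_binding"] else ""
        print(f'v{f["version"]} {f["sig_type"]:24} {f["hash"]}{flag}')
```

    To run it against a real key, export it in binary form (`gpg --export KEYID > key.gpg`) and call `audit(open("key.gpg", "rb").read())`; the same information is visible in `gpg --list-packets key.gpg` as the `sigclass 0x13` signature packet's `digest algo` (2 is SHA1). If the self-signature is the weak one, one way to clear the warning before the cutoff is to have gpg issue a fresh self-signature with a current digest (for example by changing a preference or expiry in `gpg --edit-key` while `--cert-digest-algo` is set to SHA256 or stronger), then re-export the key into the keyring apt trusts; the revocation certificate mentioned in the thread is unrelated to this check, since sqv reports it is a non-revocation signature that fails the policy.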