Thursday, December 26, 2024

Sequoia breaks apt repos. How to fix it.

For the English version go to: https://www.adilson.net.br/2024/12/sequoia-breaks-apt-repos-how-to-fix-it.html

After a long time without updating the blog, I am going to write about something quite recent that happened on some of my systems here.

For those who don't know, I normally use Debian Sid on my desktops and notebooks, with many customizations and third-party repositories.

And, in Christmas week, some developers delivered a present to APT itself, according to its latest changelog.

apt (2.9.19) unstable; urgency=medium

  * Replace GnuTLS and gcrypt with OpenSSL
  * Replace GnuPG with Sequoia on supported Debian platforms
    - methods: Add new sqv method
    - debian: Add default policy to allow SHA-1 self-signatures until 2026
    - debian: Plug sqv into the package build
  * Smaller bits:
    - apt-helper: Add a hash-file helper to debug file hashing
    - Use sq in the test suite, remove apt-key
    - abicheck: Add symbol-merge.py helper
    - Symbols: Merge stable, noble, testing, unstable

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Dec 2024 12:16:19 +0100

 

They swapped GnuPG for Sequoia, which is an alternative PGP implementation. The thing is, this implementation ships with settings that, by default, block the insecure SHA-1 hash when verifying cryptographic signatures.

The developers even added a change to the Sequoia policy that permits SHA-1 until 2026, to give repositories time to adapt.

But you know how Debian Sid is.

 

There are things that Sid breaks

 

And it broke with some repositories. Some of those errors were:

Err:39 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound:            primary key   because: No binding signature at time 2024-12-17T17:27:20Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z

W: Falhou ao buscar https://pkgs.k8s.io/core:/stable:/v1.31/deb/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z

    

I even tried to check something related in the explanation below:

  

  apt (2.9.19) unstable; urgency=medium

  This release switches to OpenSSL for hashing and TLS, replacing the
  GnuTLS and gcrypt libraries.

  This release switches to Sequoia for OpenPGP verification on supported
  Debian platforms. A Sequoia policy override enabling SHA1 self-signatures
  until 2026 is included. To override the policy, the following environment
  variables and files are considered:

  * The APT_SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
    - /etc/crypto-policies/back-ends/apt-sequoia.config,
    - /var/lib/crypto-config/profiles/current/apt-sequoia.config
  * The SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
    - /etc/crypto-policies/back-ends/sequoia.config
    - /var/lib/crypto-config/profiles/current/sequoia.config

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Dec 2024 12:16:22 +0100


But those settings didn't work. The Sequoia documentation at https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/index.html didn't point to a correct location for the configuration, and not even ChatGPT could come up with a working configuration.

If not even the AI knew how to configure it correctly:

imagine a human who just ran into the error.

 

After a lot of searching, I found where the Sequoia policies for apt are configured:

 

/usr/share/apt/default-sequoia.config


Since the alternative locations aren't properly explained anywhere else 😵‍💫, this is the file I edited:

Update, January 9, 2025: an anonymous reader commented about /etc/crypto-policies/back-ends/apt-sequoia.config. That folder did not exist on my system, so I had to run

mkdir -p /etc/crypto-policies/back-ends/

and create the file apt-sequoia.config there with the changed configuration shown below.

Inside /usr/share/apt/default-sequoia.config you will find the following configuration:


[hash_algorithms]
sha1.second_preimage_resistance = 2026-01-01


Try changing it to:

[hash_algorithms]
#sha1.second_preimage_resistance = 2026-01-01
sha1= 2030-01-01

[packets]
signature.v3 = 2030-01-01


I commented out the first line and added sha1 with the date set to 01/01/2030.

Then I added the packets section with a signature.v3 setting, which was also affected, set to 01/01/2030.

After saving the file, the error disappeared.

This is only a temporary solution until the developers fix apt, or until the repository maintainers update their signatures to newer standards that Sequoia supports without problems.

Keep in mind that SHA-1 is no longer secure, and that an apt update may overwrite /usr/share/apt/default-sequoia.config. If the error comes back, you will have to apply the changes to the file again.

If you find a better alternative, let me know in the comments and I will test it.

Now you can try the solution above:

A Happy New Year to everyone.

Sequoia breaks apt repos. How to fix it.

For the Portuguese version go to: https://www.adilson.net.br/2024/12/sequoia-quebra-os-repositorios-apt-como.html

After a long time without updating this blog, I will write about an issue that happened with some systems here.

If you have not noticed, I use Debian Sid on my desktops and notebooks, with lots of customizations and third-party repositories.

And, on this Christmas week, some devs gave a present to apt, as shown in this latest changelog:


apt (2.9.19) unstable; urgency=medium

  * Replace GnuTLS and gcrypt with OpenSSL
  * Replace GnuPG with Sequoia on supported Debian platforms
    - methods: Add new sqv method
    - debian: Add default policy to allow SHA-1 self-signatures until 2026
    - debian: Plug sqv into the package build
  * Smaller bits:
    - apt-helper: Add a hash-file helper to debug file hashing
    - Use sq in the test suite, remove apt-key
    - abicheck: Add symbol-merge.py helper
    - Symbols: Merge stable, noble, testing, unstable

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Dec 2024 12:16:19 +0100


They switched from GnuPG to Sequoia, which is an alternative PGP implementation. But this implementation has some configuration that, by default, blocks the insecure sha-1 hash when checking crypto signatures.

The devs also put a change in the Sequoia policy that allows sha-1 until 2026.

But you know what Debian Sid is like:

There are some things that Sid breaks.

And it broke some repos. Some of the errors were:


Err:39 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound:            primary key   because: No binding signature at time 2024-12-17T17:27:20Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z

W: Falhou ao buscar https://pkgs.k8s.io/core:/stable:/v1.31/deb/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by:     Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
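The two errors above (quoted in both halves of this post) are rejected by different policy knobs: the Slack repository fails on a SHA-1 self-signature, the Kubernetes one on a version 3 signature packet. Before loosening anything, it helps to know exactly which repositories are affected and by which rule. The following Python script is an added example, not code from the post or from apt; it walks an `apt update` transcript, attributes each sqv rejection to the repository line preceding it and names the policy key involved. The log text is constructed from the two errors quoted in the post plus one made-up healthy `Hit:` line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape `apt update` prints: the two failures quoted in
# the post (the Err:/W: line carrying the repository URL, then the sqv message) and
# one made-up healthy Hit: line so the filter has something to ignore.
SAMPLE_LOG = """\
Err:39 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound: primary key because: No binding signature at time 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
W: Falhou ao buscar https://pkgs.k8s.io/core:/stable:/v1.31/deb/InRelease  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type  Caused by: Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
Hit:1 https://deb.debian.org/debian sid InRelease
"""

URL_RE = re.compile(r"https?://\S+")
SQV_RE = re.compile(r"Sub-process /usr/bin/sqv returned an error code")
SHA1_RE = re.compile(r"SHA1 is not considered secure since (\S+)")
V3_RE = re.compile(r"Signature Packet v3 is not considered secure since (\S+)")
PROPERTY_RE = re.compile(r"requiring (collision|second[- ]preimage) resistance")


@dataclass
class Finding:
    repo: Optional[str]            # URL from the Err:/W: line the sqv message belongs to
    category: str                  # "sha1", "signature.v3" or "other"
    insecure_since: Optional[str]  # cutoff sqv reported, verbatim
    sha1_property: Optional[str]   # which SHA-1 property the rejected check needed
    policy_key: Optional[str]      # sequoia-policy-config key that governs the category


def triage(log_text: str) -> list[Finding]:
    """Attribute every sqv rejection in an `apt update` transcript to a repository."""
    findings: list[Finding] = []
    repo: Optional[str] = None
    for line in log_text.splitlines():
        url = URL_RE.search(line)
        if url:
            repo = url.group(0)  # Err:/W:/Hit: lines all carry the repository URL
        if not SQV_RE.search(line):
            continue
        if m := SHA1_RE.search(line):
            prop = PROPERTY_RE.search(line)
            findings.append(Finding(repo, "sha1", m.group(1),
                                    prop.group(1) if prop else None,
                                    "[hash_algorithms] sha1"))
        elif m := V3_RE.search(line):
            findings.append(Finding(repo, "signature.v3", m.group(1), None,
                                    "[packets] signature.v3"))
        else:
            findings.append(Finding(repo, "other", None, None, None))
    return findings


def by_policy_key(findings: list[Finding]) -> dict:
    """Group affected repositories by the policy key a temporary override would touch."""
    grouped: dict = {}
    for f in findings:
        grouped.setdefault(f.policy_key, []).append(f.repo)
    return grouped


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.repo}\n  {f.category}: insecure since {f.insecure_since}"
              f" (property: {f.sha1_property}) -> override key {f.policy_key}")
```

Feed it the real output with `apt update 2>&1 | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the grouped result tells you which repositories still need to be nagged about their signing keys once the temporary override is removed.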


I even tried to check something related below:


  apt (2.9.19) unstable; urgency=medium

  This release switches to OpenSSL for hashing and TLS, replacing the
  GnuTLS and gcrypt libraries.

  This release switches to Sequoia for OpenPGP verification on supported
  Debian platforms. A Sequoia policy override enabling SHA1 self-signatures
  until 2026 is included. To override the policy, the following environment
  variables and files are considered:

  * The APT_SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
    - /etc/crypto-policies/back-ends/apt-sequoia.config,
    - /var/lib/crypto-config/profiles/current/apt-sequoia.config
  * The SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
    - /etc/crypto-policies/back-ends/sequoia.config
    - /var/lib/crypto-config/profiles/current/sequoia.config

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Dec 2024 12:16:22 +0100



But these configurations didn't work. The Sequoia documentation at https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/index.html doesn't show the right place for this configuration, and even ChatGPT didn't have a right answer for this issue.

If not even an AI knew how to configure it correctly:

imagine a human who saw this error for the first time:

After a lot of research, I discovered where they configure the apt Sequoia policies:

/usr/share/apt/default-sequoia.config

Since they didn't explain any alternative locations 😵‍💫, I will edit this file.

Update, Jan 9th 2025: An anonymous reader commented about /etc/crypto-policies/back-ends/apt-sequoia.config. This folder does not exist on my system, so I had to do a

mkdir -p /etc/crypto-policies/back-ends/

and create apt-sequoia.config there with the changed configuration below.

Inside /usr/share/apt/default-sequoia.config you will find this configuration:


[hash_algorithms]
sha1.second_preimage_resistance = 2026-01-01


Try changing it to:

[hash_algorithms]
#sha1.second_preimage_resistance = 2026-01-01
sha1= 2030-01-01

[packets]
signature.v3 = 2030-01-01

I commented out the first line and added sha1 with the date set to 01/01/2030.

Then I put a [packets] section with signature.v3, which is also affected, with the date set to 01/01/2030.


After saving this file the error vanished.


This is a temporary solution until the devs make fixes to apt, or until the repository signatures are updated to the most recent standards that Sequoia supports.

And keep in mind that SHA-1 is not safe anymore and that any apt update may overwrite /usr/share/apt/default-sequoia.config. If these errors return, you will have to repeat all the changes again.

So you can use the new solution above.

If you find a better alternative, show me in the comments below and it will be tested.

Happy New Year to all.