For the Portuguese version go to: https://www.adilson.net.br/2024/12/sequoia-quebra-os-repositorios-apt-como.html
After a long time without updating this blog, I will write about an issue that happened with some systems here.
If you have not noticed, I use Debian Sid on my desktops and notebooks with lots of customizations and third-party repositories.
And this Christmas week, some devs gave a present to apt, as shown in its latest changelog:
apt (2.9.19) unstable; urgency=medium

  * Replace GnuTLS and gcrypt with OpenSSL
  * Replace GnuPG with Sequoia on supported Debian platforms
    - methods: Add new sqv method
    - debian: Add default policy to allow SHA-1 self-signatures until 2026
    - debian: Plug sqv into the package build
  * Smaller bits:
    - apt-helper: Add a hash-file helper to debug file hashing
    - Use sq in the test suite, remove apt-key
    - abicheck: Add symbol-merge.py helper
    - Symbols: Merge stable, noble, testing, unstable

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Dec 2024 12:16:19 +0100
They switched from GnuPG to Sequoia, an alternative OpenPGP implementation. But Sequoia's default policy rejects the insecure SHA-1 hash when verifying cryptographic signatures.
The devs also shipped a Sequoia policy override that allows SHA-1 until 2026.
But you know what Debian Sid is like:
There are some things that Sid breaks.
And it broke some repos. Some of the errors were:
Err:39 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound: primary key because: No binding signature at time 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
W: Falhou ao buscar https://pkgs.k8s.io/core:/stable:/v1.31/deb/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type Caused by: Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
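As an added example (not code from the post), a small Python parser that turns the sqv errors in apt update output into a per-repository inventory, so you can see which third-party repositories are rejected by the SHA-1 policy and which by the v3-signature policy before deciding on any override. The sample output is constructed from the two errors quoted above.

```python
import re

# Constructed sample: the two sqv failures quoted in the post (one "Err:"
# form, one localized "W:" form) plus an unrelated line that must be ignored.
SAMPLE_APT_OUTPUT = """\
Hit:1 http://deb.debian.org/debian sid InRelease
Err:39 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on DB085A08CA13B8ACB917E0F6D938EC0D038651BD is not bound: primary key because: No binding signature at time 2024-12-17T17:27:20Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
W: Falhou ao buscar https://pkgs.k8s.io/core:/stable:/v1.31/deb/InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Policy rejected packet type Caused by: Signature Packet v3 is not considered secure since 2021-02-01T00:00:00Z
"""

SQV_MARKER = "Sub-process /usr/bin/sqv returned an error code"
ERR_LINE = re.compile(r"^Err:\d+\s+(\S+)\s+(\S+)\s+InRelease")
URL_IN_LINE = re.compile(r"(https?://\S+)")
SINCE = re.compile(r"not considered secure since (\d{4}-\d{2}-\d{2})")
KEY_FPR = re.compile(r"Signing key on ([0-9A-F]{40})")

def classify(message):
    """Map an sqv error message to the policy knob that rejected it."""
    if "SHA1 is not considered secure" in message:
        return "sha1"          # the SHA-1 hash policy (the case the post hit)
    if "Signature Packet v3" in message:
        return "signature.v3"  # the v3 signature packet policy
    return "other"

def parse_sqv_failures(output):
    """Return one record per repository whose InRelease sqv rejected."""
    findings = []
    pending_url = None  # repo named on a preceding "Err:NN ..." line
    for line in output.splitlines():
        m = ERR_LINE.match(line)
        if m:
            pending_url = m.group(1) + " " + m.group(2)
            continue
        if SQV_MARKER not in line:
            continue
        head, _, message = line.partition("error message is: ")
        # "W:" lines carry the URL inline; "Err:" lines put it one line earlier
        url_match = URL_IN_LINE.search(head)
        url = url_match.group(1) if url_match else pending_url
        since = SINCE.search(message)
        fpr = KEY_FPR.search(message)
        findings.append({"repo": url, "policy": classify(message),
                         "insecure_since": since.group(1) if since else None,
                         "signing_key": fpr.group(1) if fpr else None})
        pending_url = None
    return findings

if __name__ == "__main__":
    print(parse_sqv_failures(SAMPLE_APT_OUTPUT))
```

Feed it the captured output of apt update (for example via sys.stdin.read()) to get the same inventory for your own sources.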
I also tried the policy override mechanism described in the release notes for this version, quoted below:
apt (2.9.19) unstable; urgency=medium

  This release switches to OpenSSL for hashing and TLS, replacing the
  GnuTLS and gcrypt libraries.

  This release switches to Sequoia for OpenPGP verification on supported
  Debian platforms. A Sequoia policy override enabling SHA1 self-signatures
  until 2026 is included. To override the policy, the following environment
  variables and files are considered:

  * The APT_SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
    - /etc/crypto-policies/back-ends/apt-sequoia.config,
    - /var/lib/crypto-config/profiles/current/apt-sequoia.config
  * The SEQUOIA_CRYPTO_POLICY environment variable, and failing that:
    - /etc/crypto-policies/back-ends/sequoia.config
    - /var/lib/crypto-config/profiles/current/sequoia.config

 -- Julian Andres Klode <jak@debian.org>  Mon, 23 Dec 2024 12:16:22 +0100
But these configurations didn't work. The Sequoia documentation at https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/index.html doesn't show the right place for this configuration, and even ChatGPT did not have a right answer for this issue.
Not even an AI knows how to configure it correctly:
I commented out the first line and added sha1 with a date of 01/01/2030.
Then I added a [packet] section with signature.v3, which is also affected, with a date of 01/01/2030.
After saving this file, the error vanished.
This is a temporary solution until the devs fix apt or the repository signatures are updated to the more recent standards that Sequoia supports.
And keep in mind that SHA-1 is not safe anymore, and that any apt update will overwrite /usr/share/apt/default-sequoia.config. If these errors return, you have to repeat all the changes again.
So you can use the new solution above.
If you find a better alternative, show me in the comments below and it will be tested.
Happy New Year to all.
If you want to avoid your changes being overwritten by new versions of apt, you can place the changes in /etc/crypto-policies/back-ends/apt-sequoia.config, which I discovered by reviewing the apt source code (https://salsa.debian.org/apt-team/apt/-/blob/main/methods/sqv.cc#L36).
It worked here. Thanks.