Description
The GPG key used to sign pagerduty packages is now rejected by Debian Trixie/13 because it uses an insecure hash algorithm. Can you please consider migrating to a new key using SHA-256?
```
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on F233B692E4A461563611446389108A4BF5778EE0 is not bound: No binding signature at time 2024-03-27T18:56:14Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: https://packages.pagerduty.com/pdagent deb/ Release: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on F233B692E4A461563611446389108A4BF5778EE0 is not bound: No binding signature at time 2024-03-27T18:56:14Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
```
This will affect all packages requiring this signing key.
There is a pretty coarse workaround detailed at nodesource/distributions#1920 (comment)
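Added example, not part of the original issue or of the pdagent project: a small parser for saved `apt-get update` output that lists which signing keys and repositories are being rejected by a hash-algorithm cutoff like the one above. The function name and the returned structure are assumptions of this sketch; the sample input is assembled from the output quoted in the issue.

```python
import re
from datetime import datetime, timezone

KEY = re.compile(r"Signing key on (?P<fpr>[0-9A-F]{40,64}) is not bound")
POLICY = re.compile(r"(?P<algo>\S+) is not considered secure since (?P<since>\S+Z)")
REPO = re.compile(r"signature verification failed: (?P<repo>.+?) (?:In)?Release:")

# Sample input assembled from the output quoted in the issue.
SQV_MSG = (
    "Sub-process /usr/bin/sqv returned an error code (1), error message is: "
    "Signing key on F233B692E4A461563611446389108A4BF5778EE0 is not bound: "
    "No binding signature at time 2024-03-27T18:56:14Z because: Policy rejected "
    "non-revocation signature (PositiveCertification) requiring second pre-image "
    "resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z"
)
SAMPLE = (
    SQV_MSG + "\nReading package lists... Done\n"
    "W: An error occurred during the signature verification. The repository is "
    "not updated and the previous index files will be used. OpenPGP signature "
    "verification failed: https://packages.pagerduty.com/pdagent deb/ Release: "
    + SQV_MSG + "\n"
)


def parse_sqv_failures(text):
    """Group hash-policy rejections in apt output by (fingerprint, algorithm)."""
    flat = " ".join(text.split())  # sqv messages may wrap across lines
    keys = list(KEY.finditer(flat))
    found = {}
    for i, key in enumerate(keys):
        seg_start = keys[i - 1].end() if i else 0
        seg_end = keys[i + 1].start() if i + 1 < len(keys) else len(flat)
        policy = POLICY.search(flat, key.end(), seg_end)
        if policy is None:
            continue  # key unbound for a reason other than a hash cutoff
        cutoff = datetime.strptime(policy["since"], "%Y-%m-%dT%H:%M:%SZ")
        entry = found.setdefault(
            (key["fpr"], policy["algo"]),
            {"cutoff": cutoff.replace(tzinfo=timezone.utc), "repos": set()},
        )
        repo = REPO.search(flat, seg_start, key.start())  # apt prints it first
        if repo:
            entry["repos"].add(repo["repo"])
    return found


if __name__ == "__main__":
    for (fpr, algo), info in parse_sqv_failures(SAMPLE).items():
        print(fpr, algo, info["cutoff"].isoformat(), sorted(info["repos"]))
```

The cutoff timestamp is the policy date reported by sqv, so the same parser can be run over logs from several hosts to see which repositories share the affected key.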