.deb package signed with a deprecated SHA1 algorithm #2028

@junoslukan

Description

When following the guide to verify the signature for the .deb package, I got the following error:

$ debsig-verify --debug gcm.deb

debsig: Starting verification for: gcm.deb
debsig:         getSigKeyID: got 189ABF20BC4D22098078A6403C853823978B07FA for origin key
debsig: getDbPathname: using /etc/debsig/policies/3C853823978B07FA keyring
debsig: Using policy directory: /etc/debsig/policies/3C853823978B07FA
debsig:   Parsing policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     parsePolicyFile: parsing '/etc/debsig/policies/3C853823978B07FA/generic.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig: getDbPathname: using /usr/share/debsig/keyrings/3C853823978B07FA/gcm-public.gpg keyring
debsig:         getKeyID: mapped 3C853823978B07FA -> 189ABF20BC4D22098078A6403C853823978B07FA
debsig:         getSigKeyID: got 189ABF20BC4D22098078A6403C853823978B07FA for origin key
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig: getDbPathname: using /usr/share/debsig/keyrings/3C853823978B07FA/gcm-public.gpg keyring
debsig:         getKeyID: mapped 3C853823978B07FA -> 189ABF20BC4D22098078A6403C853823978B07FA
debsig:         getSigKeyID: got 189ABF20BC4D22098078A6403C853823978B07FA for origin key
gpg: Signature made Wed 30 Oct 2024 11:59:51 CET
gpg:                using RSA key 189ABF20BC4D22098078A6403C853823978B07FA
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm
debsig: sigVerify: gpg exited abnormally or with non-zero exit status
debsig: verifyGroupRules: failed for origin
debsig:     Verification group failed checks.
debsig: Failed verification for gcm.deb.

I believe that the failure is due to "signatures using the SHA1 algorithm are rejected". Would it be possible to sign the package using a modern algorithm instead?
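As an added illustration (not part of this issue or of the project's code): the gpg note in the log above comes from the hash-algorithm field inside the OpenPGP signature packet, and that field can be inspected directly. The parser below reads it from a raw, non-armored signature (for a .deb, the `_gpgorigin` member extracted with `ar x`); the two sample packets are constructed for the example and are not real signatures.

```python
"""Report the digest algorithm of a binary OpenPGP signature packet (RFC 4880)."""

# RFC 4880 section 9.4 hash algorithm IDs (subset relevant to package signing).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

def _packet_body(data):
    """Return (tag, body) of the first packet. Signature packets are short,
    so only the 1- and 2-byte length encodings are handled here."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                  # new-format header (4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, data[2:2 + first]
        if first < 224:
            length = ((first - 192) << 8) + data[2] + 192
            return tag, data[3:3 + length]
        raise ValueError("unsupported new-format length encoding")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03      # old-format header (4.2.1)
    if ltype == 0:
        return tag, data[2:2 + data[1]]
    if ltype == 1:
        return tag, data[3:3 + int.from_bytes(data[1:3], "big")]
    raise ValueError("unsupported old-format length encoding")

def signature_hash_algo(sig):
    """Name of the digest algorithm a detached signature was made with."""
    tag, body = _packet_body(sig)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    if body[0] == 4:      # v4 layout: version, sig type, pubkey algo, hash algo, ...
        algo_id = body[3]
    elif body[0] == 3:    # v3 layout: version, 0x05, sig type, time(4), key id(8), pubkey algo, hash algo
        algo_id = body[16]
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")

def is_weak_signature(sig):
    """True when the signature was made with a digest in WEAK_HASHES (e.g. SHA1)."""
    return signature_hash_algo(sig) in WEAK_HASHES

# Constructed sample packets (not real signatures): v4, RSA, one creation-time
# subpacket, a dummy 16-bit hash prefix and a one-byte MPI placeholder.
SAMPLE_SHA1_SIG = bytes.fromhex("8813" "04000102" "0006" "05020000000a" "0000" "abcd" "000801")
SAMPLE_SHA256_SIG = bytes.fromhex("c213" "04000108" "0006" "05020000000a" "0000" "abcd" "000801")
```

On a real archive, `ar x gcm.deb _gpgorigin` followed by `signature_hash_algo(open("_gpgorigin", "rb").read())` shows whether a package will trip the same rejection before it is shipped.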

Metadata

Labels: engineering (Refactoring or build changes), platform:linux (Specific to a Linux-based platform)
