Package: sopv-gpgv
Version: 0.1.2-1
Severity: serious

Hi!

On a minimal chroot, after installing gpgv, sopv-gpgv and debian-keyring, when downloading a source package currently affected by the SHA-1 keys in the Debian keyring, sopv-gpgv does not fail to verify the signatures as would be expected (made this severity serious due to this, but if you disagree, feel free to downgrade!). So, then doing something like:

,---
$ sudo apt install debian-keyring gpgv sopv-gpgv
$ apt source --download-only file
$ k=/usr/share/keyrings/debian-keyring.gpg
$ sopv inline-verify $k <file_*.dsc >/dev/null
$ echo $?
0
$ gpgv --keyring $k --weak-digest SHA1 file_*.dsc
gpgv: Signature made Thu Mar 13 20:46:00 2025 CET
gpgv:                using RSA key 597308FBBDBA035D8C7C95DDC42C58EB591492FD
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: No public key
$ echo $?
2
`---

I guess sopv-gpgv is missing passing «--weak-digest SHA1 --weak-digest RIPEMD160» to gpgv. This works fine when using gpgv-sq, because of its own defaults. :)

Thanks,
Guillem
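A strict wrapper around gpgv that passes the weak-digest rejections named above and reads gpgv's machine-readable --status-fd output instead of its exit code alone, added here as an example (not code from the bug report or from sopv-gpgv); the function names are hypothetical, and the status-line classification assumes the standard [GNUPG:] GOODSIG/BADSIG/ERRSIG/NO_PUBKEY keywords.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sopv-gpgv.
# Hypothetical helper names; gpgv flags are the ones discussed in the report.

# Run gpgv with SHA-1 and RIPEMD-160 signatures rejected and emit the
# machine-readable status lines on stdout (human messages are discarded).
# Usage: strict_gpgv_status KEYRING SIGNED_FILE
strict_gpgv_status() {
    keyring=$1
    signed=$2
    gpgv --keyring "$keyring" \
         --weak-digest SHA1 --weak-digest RIPEMD160 \
         --status-fd 1 "$signed" 2>/dev/null
}

# Classify "[GNUPG:] ..." status lines read on stdin.
# Prints one of: good, bad, no-key, error, unknown.
# A GOODSIG wins over later ERRSIG/NO_PUBKEY lines for other signatures;
# an ERRSIG followed by NO_PUBKEY (the case in the report) yields "no-key".
classify_gpgv_status() {
    result=unknown
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*)   result=good ;;
            "[GNUPG:] BADSIG "*)    result=bad ;;
            "[GNUPG:] NO_PUBKEY "*) [ "$result" = good ] || result=no-key ;;
            "[GNUPG:] ERRSIG "*)    [ "$result" = good ] || result=error ;;
        esac
    done
    printf '%s\n' "$result"
}

# Exit 0 only when the signature verified under the strict digest policy.
# Usage: verify_dsc KEYRING FILE.dsc
verify_dsc() {
    [ "$(strict_gpgv_status "$1" "$2" | classify_gpgv_status)" = good ]
}
```

With the keyring and .dsc from the report, verify_dsc returns non-zero where `sopv inline-verify` returned 0.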