31 Jan 2026
Planet Debian
Michael Prokop: apt, SHA-1 keys + 2026-02-01
You might have seen Policy will reject signature within a year warnings in apt(-get) update runs like this:
root@424812bd4556:/# apt update
Get:1 http://foo.example.org/debian demo InRelease [4229 B]
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
Get:5 http://foo.example.org/debian demo/main amd64 Packages [1097 B]
Fetched 5326 B in 0s (43.2 kB/s)
All packages are up to date.
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
root@424812bd4556:/# apt --audit update
Hit:1 http://foo.example.org/debian demo InRelease
Hit:2 http://deb.debian.org/debian trixie InRelease
Hit:3 http://deb.debian.org/debian trixie-updates InRelease
Hit:4 http://deb.debian.org/debian-security trixie-security InRelease
All packages are up to date.
Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://foo.example.org/debian/dists/demo/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound:
No binding signature at time 2024-06-19T10:33:47Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: The sources.list(5) entry for 'http://foo.example.org/debian' should be upgraded to deb822 .sources
Audit: Missing Signed-By in the sources.list(5) entry for 'http://foo.example.org/debian'
Audit: Consider migrating all sources.list(5) entries to the deb822 .sources format
Audit: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Audit: See apt-secure(8) for best practices in configuring repository signing.
Audit: Some sources can be modernized. Run 'apt modernize-sources' to do so.
If you ignored this for the last year, I would like to tell you that 2026-02-01 is not that far away (hello from the past if you're reading this because you're already affected).
Let's simulate the future:
root@424812bd4556:/# apt --update -y install faketime [...] root@424812bd4556:/# export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 FAKETIME="2026-08-29 23:42:11" root@424812bd4556:/# date Sat Aug 29 23:42:11 UTC 2026 root@424812bd4556:/# apt update Get:1 http://foo.example.org/debian demo InRelease [4229 B] Hit:2 http://deb.debian.org/debian trixie InRelease Err:1 http://foo.example.org/debian demo InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound: No binding signature at time 2024-06-19T10:33:47Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z [...] Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. OpenPGP signature verification failed: http://foo.example.org/debian demo InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 54321ABCD6789ABCD0123ABCD124567ABCD89123 is not bound: No binding signature at time 2024-06-19T10:33:47Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z [...] root@424812bd4556:/# echo $? 100
Now, the proper solution would have been to fix the signing key underneath (via e.g. sq cert lint &dash&dashfix &dash&dashcert-file $PRIVAT_KEY_FILE > $PRIVAT_KEY_FILE-fixed).
If you don't have access to the according private key (e.g. when using an upstream repository that has been ignoring this issue), you're out of luck for a proper fix.
But there's a workaround for the apt situation (related see apt commit 0989275c2f7afb7a5f7698a096664a1035118ebf):
root@424812bd4556:/# cat /usr/share/apt/default-sequoia.config # Default APT Sequoia configuration. To overwrite, consider copying this # to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the # desired values. [asymmetric_algorithms] dsa2048 = 2024-02-01 dsa3072 = 2024-02-01 dsa4096 = 2024-02-01 brainpoolp256 = 2028-02-01 brainpoolp384 = 2028-02-01 brainpoolp512 = 2028-02-01 rsa2048 = 2030-02-01 [hash_algorithms] sha1.second_preimage_resistance = 2026-02-01 # Extend the expiry for legacy repositories sha224 = 2026-02-01 [packets] signature.v3 = 2026-02-01 # Extend the expiry
Adjust this according to your needs:
root@424812bd4556:/# mkdir -p /etc/crypto-policies/back-ends/ root@424812bd4556:/# cp /usr/share/apt/default-sequoia.config /etc/crypto-policies/back-ends/apt-sequoia.config root@424812bd4556:/# $EDITOR /etc/crypto-policies/back-ends/apt-sequoia.config root@424812bd4556:/# cat /etc/crypto-policies/back-ends/apt-sequoia.config # APT Sequoia override configuration [asymmetric_algorithms] dsa2048 = 2024-02-01 dsa3072 = 2024-02-01 dsa4096 = 2024-02-01 brainpoolp256 = 2028-02-01 brainpoolp384 = 2028-02-01 brainpoolp512 = 2028-02-01 rsa2048 = 2030-02-01 [hash_algorithms] sha1.second_preimage_resistance = 2026-09-01 # Extend the expiry for legacy repositories sha224 = 2026-09-01 [packets] signature.v3 = 2026-02-01 # Extend the expiry
Then we're back into the original situation, being a warning instead of an error:
root@424812bd4556:/# apt update Hit:1 http://deb.debian.org/debian trixie InRelease Get:2 http://foo.example.org/debian demo InRelease [4229 B] Hit:3 http://deb.debian.org/debian trixie-updates InRelease Hit:4 http://deb.debian.org/debian-security trixie-security InRelease Warning: http://foo.example.org/debian/dists/demo/InRelease: Policy will reject signature within a year, see --audit for details [..]
Please note that this is a workaround, and not a proper solution.
31 Jan 2026 1:57pm GMT
Benjamin Mako Hill: Dialogue
Me: Do you want your coffee in a Japanese or Western style tea cup?
M: Yunomi.
Me: Apparently not as well as you think I do!
31 Jan 2026 10:59am GMT
Russ Allbery: Review: Dragon Pearl
Review: Dragon Pearl, by Yoon Ha Lee
| Series: | Thousand Worlds #1 |
| Publisher: | Rick Riordan Presents |
| Copyright: | 2019 |
| ISBN: | 1-368-01519-0 |
| Format: | Kindle |
| Pages: | 315 |
Dragon Pearl is a middle-grade space fantasy based on Korean mythology and the first book of a series.
Min is a fourteen-year-old girl living on the barely-terraformed world of Jinju with her extended family. Her older brother Jun passed the entrance exams for the Academy and left to join the Thousand Worlds Space Forces, and Min is counting the years until she can do the same. Those plans are thrown into turmoil when an official investigator appears at their door claiming that Jun deserted to search for the Dragon Pearl. A series of impulsive fourteen-year-old decisions lead to Min heading for a spaceport alone, determined to find her brother and prove his innocence.
This would be a rather improbable quest for a young girl, but Min is a gumiho, one of the supernaturals who live in the Thousand Worlds alongside non-magical humans. Unlike the more respectable dragons, tigers, goblins, and shamans, gumiho are viewed with suspicion and distrust because their powers are useful for deception. They are natural shapeshifters who can copy the shapes of others, and their Charm ability lets them influence people's thoughts and create temporary illusions of objects such as ID cards. It will take all of Min's powers, and some rather lucky coincidences, to infiltrate the Space Forces and determine what happened to her brother.
It's common for reviews of this book to open with a caution that this is a middle-grade adventure novel and you should not expect a story like Ninefox Gambit. I will be boring and repeat that caution. Dragon Pearl has a single first-person viewpoint and a very linear and straightforward plot. Adult readers are unlikely to be surprised by plot twists; the fun is the world-building and seeing how Min manages to work around plot obstacles.
The world-building is enjoyable but not very rigorous. Min uses and abuses Charm with the creative intensity of a Dungeons & Dragons min-maxer. Each individual event makes sense given the implication that Min is unusually powerful, but I'm dubious about the surrounding society and lack of protections against Charm given what Min is able to do. Min does say that gumiho are rare and many people think they're extinct, which is a bit of a fig leaf, but you'll need to bring your urban fantasy suspension of disbelief skills to this one.
I did like that the world-building conceit went more than skin deep and influenced every part of the world. There are ghosts who are critical to the plot. Terraforming is done through magic, hence the quest for the Dragon Pearl and the miserable state of Min's home planet due to its loss. Medical treatment involves the body's meridians, as does engineering: The starships have meridians similar to those of humans, and engineers partly merge with those meridians to adjust them. This is not the sort of book that tries to build rigorous scientific theories or explain them to the reader, and I'm not sure everything would hang together if you poked at it too hard, but Min isn't interested in doing that poking and the story doesn't try to justify itself. It's mostly a vibe, but it's a vibe that I enjoyed and that is rather different than other space fantasy I've read.
The characters were okay but never quite clicked for me, in part because proper character exploration would have required Min take a detour from her quest to find her brother and that was not going to happen. The reader gets occasional glimpses of a military SF cadet story and a friendship on false premises story, but neither have time to breathe because Min drops any entanglement that gets in the way of her quest. She's almost amoral in a way that I found believable but not quite aligned with my reading mood. I also felt a bit wrong-footed by how her friendships developed; saying too much more would be a spoiler, but I was expecting more human connection than I got.
I think my primary disappointment with this book was something I knew going in, not in any way its fault, and part of the reason why I'd put off reading it: This is pitched at young teenagers and didn't have quite enough plot and characterization complexity to satisfy me. It's a linear, somewhat episodic adventure story with some neat world-building, and it therefore glides over the spots where an adult novel would have added political and factional complexity. That is exactly as advertised, so it's up to you whether that's the book you're in the mood for.
One warning: The text of this book opens with an introduction by Rick Riordan that is just fluff marketing and that spoils the first few chapters of the book. It is unmarked as such at the beginning and tricked me into thinking it was the start of the book proper, and then deeply annoyed me. If you do read this book, I recommend skipping the utterly pointless introduction and going straight to chapter one.
Followed by Tiger Honor.
Rating: 6 out of 10
31 Jan 2026 5:26am GMT