Bug#1100894: ftp.debian.org: Accepts signatures from weak OpenPGP certi

    From Guillem Jover@21:1/5 to All on Thu Mar 20 09:40:01 2025
    Package: ftp.debian.org
    Severity: serious

    Hi!

    While going over the SHA-1 issues in the keyrings [K], I then realized
    that for some of those cases that will not validate signatures with
    dupload, dpkg-source, or dscverify for example (and checking some
    specific cases from keyring.debian.org, in case there was a newer fixed
    certificate in there), dak does not seem to be rejecting signatures
    from those certificates. Even though SHA-1 was intended to be disallowed
    for uploads since this was announced some time ago [A].

    [K] https://lists.debian.org/debian-devel/2025/03/msg00477.html
    [A] https://lists.debian.org/debian-devel-announce/2017/02/msg00007.html

    I think the main reason is that the gpg verification invocations are not
    done with something like «--weak-digest SHA1 --weak-digest RIPEMD160».

    I have set the severity to serious as this seems like a security issue,
    but of course feel free to lower it if you disagree.

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
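As an added illustration of the mitigation the report points at (this is example code, not dak's or any Debian tool's own verification code): the first function builds a gpg command line that passes «--weak-digest» for SHA1 and RIPEMD160 (and MD5) so gpg itself refuses such signatures; the second independently parses gpg's machine-readable status output and refuses any signature whose VALIDSIG line reports a weak hash algorithm, so a verification wrapper fails closed even if the flags are dropped from the invocation. The keyring path, the file name and the status lines in the sample are constructed for the example; the VALIDSIG field layout and hash-algorithm IDs follow gpg's DETAILS documentation and RFC 4880 section 9.4.

```python
#!/usr/bin/env python3
"""Reject OpenPGP signatures made with weak digests (added example)."""
import subprocess
from dataclasses import dataclass
from typing import Optional

# OpenPGP hash algorithm IDs (RFC 4880 section 9.4), as reported in the
# hash-algo field of gpg's VALIDSIG status line.
HASH_ALGO_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = ("SHA1", "RIPEMD160", "MD5")


def gpg_verify_argv(signed_file: str, keyring: str) -> list:
    """Command line for verifying a signed .changes/.dsc against one fixed
    keyring, with weak digests explicitly disallowed in gpg itself."""
    argv = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
            "--status-fd", "1"]
    for digest in WEAK_DIGESTS:
        argv += ["--weak-digest", digest]
    argv += ["--verify", signed_file]
    return argv


@dataclass
class SignatureCheck:
    fingerprint: Optional[str]
    hash_algo: Optional[str]
    accepted: bool
    reason: str


def check_status(status_text: str) -> SignatureCheck:
    """Decide from gpg status lines whether one good signature was made with
    a digest that is not on the weak list. Any bad/error/expired/revoked
    status, a missing VALIDSIG, or an unknown digest ID fails closed."""
    fingerprint = None
    hash_algo = None
    good = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return SignatureCheck(fingerprint, hash_algo, False, keyword)
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
            fingerprint = fields[2]
            algo_id = int(fields[9])
            hash_algo = HASH_ALGO_NAMES.get(algo_id, f"unknown({algo_id})")
    if not good or fingerprint is None or hash_algo is None:
        return SignatureCheck(fingerprint, hash_algo, False, "no valid signature")
    if hash_algo in WEAK_DIGESTS or hash_algo.startswith("unknown"):
        return SignatureCheck(fingerprint, hash_algo, False,
                              f"weak or unknown digest {hash_algo}")
    return SignatureCheck(fingerprint, hash_algo, True, "ok")


def verify_upload(signed_file: str, keyring: str) -> SignatureCheck:
    """Run gpg with the hardened flags and apply the status-line check too."""
    proc = subprocess.run(gpg_verify_argv(signed_file, keyring),
                          capture_output=True, text=True)
    return check_status(proc.stdout)


# Constructed sample status output: same (placeholder) key, one signature
# made with SHA1 (hash-algo 2), one with SHA512 (hash-algo 10).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_SHA1 = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG {FPR} 2025-03-20 1742461200 0 4 0 1 2 00 {FPR}
"""
SAMPLE_SHA512 = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG {FPR} 2025-03-20 1742461200 0 4 0 1 10 00 {FPR}
"""

if __name__ == "__main__":
    for name, sample in (("sha1", SAMPLE_SHA1), ("sha512", SAMPLE_SHA512)):
        print(name, check_status(sample))
```

The status-line check is deliberately redundant with the «--weak-digest» options: the flags are the real control, the parser is what makes a wrapper notice if someone later removes them, which is exactly the failure mode the report describes.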