From 0989275c2f7afb7a5f7698a096664a1035118ebf Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 25 Apr 2025 20:03:52 +0200 Subject: Update Sequoia crypto policy Move our cut-offs to February to align with Sequoia, and cut-off more: - 2024-02: DSA keys retroactively (align with GnuPG config) - 2026-02: SHA224 hashes - 2028-02: Brainpool keys (align closer with GnuPG backend) - 2030-02: RSA2048 keys These algorithms will not be valid starting on those cut-off dates. Gbp-Dch: full --- debian/default-sequoia.config | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/debian/default-sequoia.config b/debian/default-sequoia.config index b0abc90ee..0bb0b9c41 100644 --- a/debian/default-sequoia.config +++ b/debian/default-sequoia.config @@ -1,4 +1,18 @@ +# Default APT Sequoia configuration. To overwrite, consider copying this +# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the +# desired values. +[asymmetric_algorithms] +dsa2048 = 2024-02-01 +dsa3072 = 2024-02-01 +dsa4096 = 2024-02-01 +brainpoolp256 = 2028-02-01 +brainpoolp384 = 2028-02-01 +brainpoolp512 = 2028-02-01 +rsa2048 = 2030-02-01 + [hash_algorithms] -sha1.second_preimage_resistance = 2026-01-01 +sha1.second_preimage_resistance = 2026-02-01 # Extend the expiry for legacy repositories +sha224 = 2026-02-01 + [packets] -signature.v3 = 2026-01-01 +signature.v3 = 2026-02-01 # Extend the expiry -- cgit v1.2.3-70-g09d2