Describe the bug
LANG=C sudo apt-get update
[...]
Reading package lists... Done
W: https://packages.cisofy.com/community/lynis/deb/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
and (Debian 13 with Sequoia-PGP)
sq inspect /usr/share/keyrings/cisofy-software-public.gpg
/usr/share/keyrings/cisofy-software-public.gpg: OpenPGP Certificate.
Fingerprint: 84FAA9983B24AEF24D6C87F1FEBB7D1812576482
Invalid: No binding signature at time 2025-08-17T12:11:59Z: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure since 2023-02-01T00:00:00Z
Public-key algo: RSA
Public-key size: 4096 bits
Creation time: 2021-06-22 05:36:13 UTC
Subkey: 013BAA07180C50A7101097EF9DE922F1C2FDE6C4
Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
Invalid: primary key: No binding signature at time 2025-08-17T12:11:59Z, because Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure since 2023-02-01T00:00:00Z
Public-key algo: RSA
Public-key size: 4096 bits
Creation time: 2021-06-22 05:37:49 UTC
Subkey: 5B9AFED133C48A9880462C2336D5B047478863C2
Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
Invalid: primary key: No binding signature at time 2025-08-17T12:11:59Z, because Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance, because SHA1 is not considered secure since 2023-02-01T00:00:00Z
Public-key algo: RSA
Public-key size: 4096 bits
Creation time: 2021-06-22 05:36:13 UTC
UserID: CISOfy software signing <[email protected]>
Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
and
LANG=C sudo apt update --audit
[...]
Warning: https://packages.cisofy.com/community/lynis/deb/dists/stable/InRelease: Policy will reject signature within a year, see --audit for details
Audit: https://packages.cisofy.com/community/lynis/deb/dists/stable/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 84FAA9983B24AEF24D6C87F1FEBB7D1812576482 is not bound:
primary key
because: No binding signature at time 2025-07-29T07:30:25Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Version
- Distribution
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 13 (trixie)
Release: 13
Codename: trixie
- Lynis version
sudo lynis show version
3.1.5
Expected behavior
I tried „gpg dearmor” and „sq packet dearmor”, and tried the .list and .sources formats; the warning does not disappear.
*.list
deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main
*.sources
URIs: https://packages.cisofy.com/community/lynis/deb/
Suites: stable
Architectures: amd64 arm64
Components: main
Types: deb
Signed-By: /usr/share/keyrings/cisofy-software-public.gpg
Output
The log is not relevant to this problem.
Additional context
That's all, I've said everything.
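Added example, not part of the original report or of the Lynis project: a minimal parser for a binary (dearmored) keyring that lists the binding signatures made with SHA-1, the ones `sq inspect` and `sqv` reject in the output above. Packet and signature layouts follow RFC 4880; the function names, the `WEAK` set and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
BINDINGS = {0x10: "GenericCertification", 0x11: "PersonaCertification",
            0x12: "CasualCertification", 0x13: "PositiveCertification",
            0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey"}
WEAK = {"MD5", "SHA1"}  # assumption: hashes this example treats as weak

def packets(data):
    """Yield (tag, body) for each packet of a binary keyring (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet stream (still armored?)")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first, i = hdr & 0x3F, data[i + 1], i + 2
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, n, i = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03), i + 1
            if n == 8:
                raise ValueError("indeterminate lengths are not handled here")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def weak_bindings(data):
    """Return (signature type, hash name) for each binding signature using a weak hash."""
    found = []
    for tag, body in packets(data):
        # v3 signatures keep type/hash at offsets 2/16, v4 and later at 1/3.
        type_at, hash_at = (2, 16) if body[:1] == b"\x03" else (1, 3)
        if tag == 2 and len(body) > hash_at:  # tag 2 = Signature packet
            sig, name = BINDINGS.get(body[type_at]), HASHES.get(body[hash_at])
            if sig and name in WEAK:
                found.append((sig, name))
    return found

# Constructed sample: three truncated packets, not the CISOfy key.
SAMPLE = (bytes([0x88, 4, 4, 0x13, 1, 2])     # old format, v4 PositiveCertification, SHA1
          + bytes([0xC2, 4, 4, 0x18, 1, 10])  # new format, v4 SubkeyBinding, SHA512
          + bytes([0xB4, 3]) + b"uid")        # old format, User ID packet

if __name__ == "__main__":
    print(weak_bindings(SAMPLE))  # [('PositiveCertification', 'SHA1')]
```

To check a real keyring, pass the file's bytes, for example `weak_bindings(open(path, "rb").read())`. An empty result means no certification or binding signature in the file uses a hash from `WEAK`.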
