Tags: security, sha, apt, pgp

Tell from PGP signature which algorithms served in its creation


I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.

InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.

My question is this: When I inspect the actual signature (the ASCII armor between -----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.

UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.

UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating the files Packages and Release respectively) with the additional parameter --no-sha1, but the problem still persists.


Solution

  • So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.

    So adding the signing key to clients with apt-key add key.pub made the problem disappear.
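The inspection the question asks about is possible from the armored signature alone: an OpenPGP signature packet records the public-key and hash algorithm IDs in its first bytes, independent of the advisory "Hash:" armor header. The parser below is an added example, not code from the question or the answer; it de-armors the signature block, walks the packets, and reports those IDs, using a constructed (non-verifying) sample packet as input.

```python
import base64
import re

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880 sec. 9

def dearmor(text):
    """Return the raw packet bytes of the first PGP SIGNATURE block in text."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE block found")
    lines = [ln.strip() for ln in m.group(1).splitlines()]  # armor headers contain ':', CRC line starts with '='
    return base64.b64decode("".join(ln for ln in lines if ln and ":" not in ln and ln[0] != "="))

def packet_header(buf, pos):
    """Parse the OpenPGP packet header at pos; return (tag, body_start, body_len)."""
    b = buf[pos]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if b & 0x40:                        # new-format header (RFC 4880 4.2.2)
        tag, l1 = b & 0x3F, buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        raise ValueError("5-octet and partial body lengths not supported")
    tag, ltype = (b >> 2) & 0x0F, b & 0x03  # old-format header, which GnuPG uses for signatures
    if ltype == 3:
        raise ValueError("indeterminate packet length not supported")
    n = 1 << ltype                      # 1-, 2- or 4-octet length field
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def signature_algorithms(armored):
    """Return [(pubkey_algo, hash_algo), ...], one pair per signature packet found."""
    buf, pos, out = dearmor(armored), 0, []
    while pos < len(buf):
        tag, start, length = packet_header(buf, pos)
        body = buf[start:start + length]
        if tag == 2:                    # signature packet: v3 keeps the IDs at offsets 15/16, v4+ at 2/3
            pk, h = (body[15], body[16]) if body[0] == 3 else (body[2], body[3])
            out.append((PUBKEY_ALGOS.get(pk, f"pubkey#{pk}"), HASH_ALGOS.get(h, f"hash#{h}")))
        pos = start + length
    return out

def constructed_signature(pk_algo, hash_algo):
    """Constructed sample to exercise the parser: a minimal v4 signature packet (not a real signature)."""
    body = bytes([4, 0, pk_algo, hash_algo, 0, 0, 0, 0, 0x12, 0x34, 0, 8, 0xAB])
    packet = bytes([0x88, len(body)]) + body   # 0x88 = old-format header, tag 2, 1-octet length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP SIGNATURE-----\n")
```

Run signature_algorithms() on the text of a real InRelease file to see one pair per signature; gpg --list-packets reports the same field as "digest algo", where 2 means SHA1 and 8 means SHA256.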