sq is rejecting my SHA1-protected file
When verifying signatures, sq might reject a signature and return an error, even if the correct certificate is available. One reason for this behavior concerns how the validity of a certificate is determined.
A certificate is considered invalid, if its internal binding signatures are only made with deprecated hash algorithms (like SHA1). This can be fixed with sq cert lint, but only for certificates where the secret key material is available, as new signatures have to be made. sq cert lint therefore cannot fix other people's certificates.
The best way to deal with a situation like this is to get the keyholder to update their certificate.
If it's not feasible to get the keyholder of the certificate in question to update their certificate, there is one way to persuade sq to perform the verification anyway.
Which algorithms are considered deprecated is configured in the cryptographic policy. You can display the configuration with:
$ sq config get policy.hash_algorithms.sha1
policy.hash_algorithms.sha1.collision_resistance = 2013-02-01
policy.hash_algorithms.sha1.second_preimage_resistance = 2023-02-01
In the case of SHA1, there are different cut-off dates depending on how the algorithm is being used. These dates define when the use of said algorithm switches from valid to deprecated for each of these applications.
You can edit the dates in the configuration file to get sq to accept SHA1 based signatures. The easier (and less intrusive) way is to use the --policy-as-of switch:
$ sq verify --policy-as-of 20130131 --message msg.pgp
This temporarily modifies the reference time of the policy compliance check; choose a date which predates the cut-off date to work around the restriction.
Using
--policy-as-ofalso affects other signature checks, like certifications. This has implications on the authenticitysqassigns to a certificate.
This also applies to encryption, for example, if you need to encrypt a message for someone only holding an invalid certificate. In the same way as for verification, you can work around the restriction on SHA1 by using the --policy-as-of option in combination with sq encrypt:
$ sq --policy-as-of 20130201 encrypt --for=$FINGERPRINT_BOB --signer-email=alice@example.org msg.txt