sq is rejecting my SHA1-protected file
When verifying signatures, sq might reject a signature and returns an error, even if the correct certificate is available. One reason for this behavior is located in sqs evaluation of the validity of a certificate.
A certificate is considered invalid, if its internal binding signatures are only made with deprecated hash algorithms (like SHA1). This can be fixed with sq cert lint, but only for certificates where the secret key material is available, as new signatures have to be made. sq cert lint therefore cannot fix other peoples certificates.
If it's not feasible to get the keyholder of the certificate in question to update their certificate, there is one way to persuade sq to perform the verification nonetheless.
Which algorithms are considered deprecated is configure in the cryptographic policy. You can read out the configuration with:
$ sq config get policy.hash_algorithms.sha1
policy.hash_algorithms.sha1.collision_resistance = 2013-02-01
policy.hash_algorithms.sha1.second_preimage_resistance = 2023-02-01
In case of SHA1 there are different applications of the algorithm with different cut-off dates. This date defines when the usage of said algorithm switches from valid to deprecated.
You can edit the dates in the configuration file to get sq to accept SHA1 based signatures. The easier (and less intruding) way is to use the --policy-as-of switch:
$ sq verify --policy-as-of 20130131 --message msg.pgp
This temporarily modifies the reference time of the policy compliance check. Just choose a date which predates the cut-off date.
Please note that using
--policy-as-ofalso effects other signature checks, like certifications. This has implications on the authenticitysqassigns to a certificate.
The best way to deal with a situation like this is to get the keyholder to update their certificate.
If this however is not possible and you for example need to encrypt a message for someone only holding an invalid certificate, you could also use the --policy-as-of switch in combination with the command sq encrypt as follows:
$ sq --policy-as-of 20130201 encrypt --for=$FINGERPRINT_BOB --signer-email=alice@example.org msg.txt