RPM-GPG-KEY-CentOS-6 is detected as being okay, but isn't
The sole self signature relies on SHA-1, but sq-keyring-linter doesn't flag it as being invalid.
$ sq-keyring-linter /tmp/RPM-GPG-KEY-CentOS-6
Examined 1 certificate.
No issues found (see `sq-keyring-linter --help` for a list of issues that are checked for).
$ sq inspect /tmp/RPM-GPG-KEY-CentOS-6
/tmp/RPM-GPG-KEY-CentOS-6: OpenPGP Certificate.
Fingerprint: C1DAC52D1664E8A4386DBA430946FCA2C105B9DE
Invalid: No binding signature at time 2023-06-14T09:29:03Z
Public-key algo: RSA
Public-key size: 4096 bits
Creation time: 2011-07-03 02:27:47 UTC
UserID: CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
$ sq packet dump /tmp/RPM-GPG-KEY-CentOS-6
Public-Key Packet, old CTB, 525 bytes
Version: 4
Creation time: 2011-07-03 02:27:47 UTC
Pk algo: RSA
Pk size: 4096 bits
Fingerprint: C1DAC52D1664E8A4386DBA430946FCA2C105B9DE
KeyID: 0946FCA2C105B9DE
User ID Packet, old CTB, 70 bytes
Value: CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
Signature Packet, old CTB, 572 bytes
Version: 4
Type: PositiveCertification
Pk algo: RSA
Hash algo: SHA1
Hashed area:
Signature creation time: 2011-07-03 02:27:47 UTC
Key flags: CS
Key expiration time: P3650D
Symmetric algo preferences: AES256, AES192, AES128, CAST5, TripleDES
Hash preferences: SHA1, SHA256, RipeMD
Compression preferences: Zlib, BZip2, Zip
Features: MDC
Keyserver preferences: no modify
Unhashed area:
Issuer: 0946FCA2C105B9DE
Digest prefix: 9A8D
Level: 0 (signature over data)
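
A cross-check for the gap reported above, as an added example that is not part of the original report or of the Sequoia tools: it reads `sq packet dump` text and lists every signature made with a weak hash. The function names, the weak-hash list (MD5, SHA1, RipeMD) and the sample input (abridged from the dump above) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: not part of sq or sq-keyring-linter.
# Reads `sq packet dump` text on stdin, prints "<signature type> <hash algo>"
# for every Signature Packet made with a weak hash, and returns 1 if any exist.
# The weak list below is an assumption (names spelled as sq prints them).
weak_sigs() {
    awk '
        function report() {
            if (in_sig && hash ~ /^(MD5|SHA1|RipeMD)$/) { print type, hash; found = 1 }
        }
        { sub(/^[ \t]+/, "") }              # accept indented or flattened dumps
        /^[^:]* Packet, / {                 # header line of any packet
            report()
            in_sig = ($0 ~ /^Signature Packet, /); type = ""; hash = ""
            next
        }
        # Match the exact field names: "Hash preferences:" also mentions SHA1,
        # but it only advertises what the key holder accepts.
        in_sig && type == "" && /^Type: /      { type = substr($0, 7) }
        in_sig && hash == "" && /^Hash algo: / { hash = substr($0, 12) }
        END { report(); exit (found + 0) }
    '
}

# Sample input: lines abridged from the packet dump in the report above.
sample_dump() {
    cat <<'EOF'
Public-Key Packet, old CTB, 525 bytes
Version: 4
Pk algo: RSA
User ID Packet, old CTB, 70 bytes
Value: CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
Signature Packet, old CTB, 572 bytes
Version: 4
Type: PositiveCertification
Pk algo: RSA
Hash algo: SHA1
Hashed area:
Key flags: CS
Hash preferences: SHA1, SHA256, RipeMD
EOF
}

# Real use: sq packet dump FILE | weak_sigs
sample_dump | weak_sigs || echo "weak-hash signature present"
```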