Add option to allow signing keys bound with SHA1
sqv refuses to use keys that have SHA1-based self signature:
sqv --keyring /tmp/tmp.UVojstQozS/keyring ...
Signing key on ... is not bound:
No binding signature at time ...
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2023-02-01T00:00:00ZIn many cases, especially when using WoT or keyservers this may be desirable. But if the key is provided as a local file, verified to be authentic using any other means, refusing SHA1 here doesn't improve anything. On the other hand, many, many keys still have SHA1 self signature. The case I care specifically is various software tarballs - actual detached signature is not using SHA1 anymore, but the signing key self-signature is, which results in a verification failure. Overall forces using some workaround (going back to GnuPG, not using signature at all, etc) which reduce security :/
I tried override it with SEQUOIA_CRYPTO_POLICY, but:
- it seems to be ignored by
sqv(seems to work withsq) - it would accept also SHA1-based detached signature (not only key binding signature), which is undesirable