The policy should be applied to the backsig
Consider the following minimized key:
$ sq packet dump 8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E-minimized.pgp
Public-Key Packet, new CTB, 269 bytes
    Version: 4
    Creation time: 2009-11-12 12:33:04 UTC
    Pk algo: RSA (Encrypt or Sign)
    Pk size: 2048 bits
    Fingerprint: 8FA9 4E79 AD6A B56E E38C E5CB AC46 EFE6 DE50 0B3E
    KeyID: AC46 EFE6 DE50 0B3E

User ID Packet, new CTB, 39 bytes
    Value: Peter Lebbing <peter@digitalbrains.com>

Signature Packet, new CTB, 339 bytes
    Version: 4
    Type: PositiveCertification
    Pk algo: RSA (Encrypt or Sign)
    Hash algo: SHA512
    Hashed area:
      Key flags: C
      Features: MDC
      Keyserver preferences: no modify
      Symmetric algo preferences: AES128, AES256, AES192, CAST5, TripleDES
      Hash preferences: SHA256, RipeMD, SHA1
      Compression preferences: Zlib, BZip2, Zip
      Issuer Fingerprint: 8FA9 4E79 AD6A B56E E38C E5CB AC46 EFE6 DE50 0B3E
      Signature creation time: 2019-10-14 09:11:06 UTC
      Key expiration time: P4352DT74282S
    Unhashed area:
      Issuer: AC46 EFE6 DE50 0B3E
    Digest prefix: 4CBA
    Level: 0 (signature over data)

Public-Subkey Packet, new CTB, 269 bytes
    Version: 4
    Creation time: 2009-11-12 13:15:07 UTC
    Pk algo: RSA (Encrypt or Sign)
    Pk size: 2048 bits
    Fingerprint: 6500 8DC2 20AA E2A2 574D 6CD5 969E 018F DE6C DCA1
    KeyID: 969E 018F DE6C DCA1

Signature Packet, new CTB, 603 bytes
    Version: 4
    Type: SubkeyBinding
    Pk algo: RSA (Encrypt or Sign)
    Hash algo: SHA512
    Hashed area:
      Key flags: S
      Issuer Fingerprint: 8FA9 4E79 AD6A B56E E38C E5CB AC46 EFE6 DE50 0B3E
      Signature creation time: 2019-10-14 09:24:17 UTC
      Key expiration time: P4352DT72550S
    Unhashed area:
      Embedded signature:
        Signature Packet
          Version: 4
          Type: PrimaryKeyBinding
          Pk algo: RSA (Encrypt or Sign)
          Hash algo: SHA1
          Hashed area:
            Signature creation time: 2009-11-12 13:15:07 UTC
          Unhashed area:
            Issuer: 969E 018F DE6C DCA1
          Digest prefix: F915
          Level: 0 (signature over data)
      Issuer: AC46 EFE6 DE50 0B3E
    Digest prefix: 8163
    Level: 0 (signature over data)
The subkey's binding signature uses SHA512, but the backsig uses SHA-1 (this appears to be because GnuPG just reuses the existing backsig when extending the key's expiration). We should reject this key, because SHA-1 should be rejected.
Note: given GnuPG's behavior, this is probably going to make a lot of existing keys unusable.
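As an added illustration (not code from this issue or from Sequoia), the following Python parser walks a v4 signature packet's hashed and unhashed subpacket areas, descends into the Embedded Signature subpacket (type 32) and applies the hash policy to the backsig as well as to the outer binding signature. The packet bytes are constructed for the example and are not cryptographically valid; the rejected-hash set and the subpacket contents are assumptions.

```python
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
REJECTED = {"MD5", "SHA1"}        # assumed policy: weak hash algorithms are rejected
EMBEDDED_SIGNATURE = 32           # subpacket type that carries the backsig (RFC 4880 5.2.3.26)
SUBKEY_BINDING, PRIMARY_KEY_BINDING = 0x18, 0x19

def subpackets(area):
    """Split a hashed/unhashed area into (type, body) pairs using RFC 4880 subpacket lengths."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        out.append((area[i] & 0x7F, area[i + 1:i + length]))   # strip the "critical" bit
        i += length
    return out

def parse_v4_signature(body):
    """Parse a v4 signature packet body; embedded signatures are parsed recursively."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    sig = {"type": body[1], "hash": HASH_NAMES.get(body[3], "unknown(%d)" % body[3]), "embedded": []}
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):
        for t, b in subpackets(area):
            if t == EMBEDDED_SIGNATURE:
                sig["embedded"].append(parse_v4_signature(b))
    return sig

def policy_violations(sig, where="binding signature"):
    """Return (location, hash) pairs the policy rejects, for the signature and every backsig."""
    bad = [(where, sig["hash"])] if sig["hash"] in REJECTED else []
    for emb in sig["embedded"]:
        bad += policy_violations(emb, "embedded backsig")
    return bad

# Constructed sample (not a valid signature): a SHA512 subkey binding wrapping a SHA1 backsig.
def _sp(t, body):
    return bytes([len(body) + 1, t]) + body
def _sig(sig_type, hash_algo, hashed, unhashed):
    return (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + b"\x00\x01\x01")
BACKSIG = _sig(PRIMARY_KEY_BINDING, 2, _sp(2, b"\x4a\xfb\xf3\x3b"), _sp(16, b"\x96\x9e\x01\x8f\xde\x6c\xdc\xa1"))
BINDING = _sig(SUBKEY_BINDING, 10, _sp(2, b"\x5d\xa4\x3b\x41") + _sp(27, b"\x02"),
               _sp(EMBEDDED_SIGNATURE, BACKSIG) + _sp(16, b"\xac\x46\xef\xe6\xde\x50\x0b\x3e"))

if __name__ == "__main__":
    for where, h in policy_violations(parse_v4_signature(BINDING)):
        print("reject:", where, "uses", h)
```

Checking only the outer signature's `hash` field would accept this key; the recursion into `embedded` is what surfaces the SHA1 backsig.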