opensearch.pgp signature no longer valid, installation of OpenSearch fails

I upgraded my MediaWiki software from 1.43.1 to 1.45.1. This is the first major MediaWiki version that supports OpenSearch and the last version that supports Elasticsearch. I use the MediaWiki extension CirrusSearch. After the MW upgrade, CirrusSearch is not working out of the box with Elasticsearch, so I decided to switch to OpenSearch. According to Extension:CirrusSearch - MediaWiki, MW 1.45.1 is compatible (only) with OpenSearch 1.3. So I tried installation of OpenSearch 1.3 on Debian 13 (trixie) following Debian - OpenSearch Documentation. Looks like installation is no longer possible. After adding https://artifacts.opensearch.org/publickeys/opensearch.pgp to a keyring file and adding the OpenSearch 1.x repository, "apt-get update" fails with

W: OpenPGP signature verification failed: https://artifacts.opensearch.org/releases/bundle/opensearch/1.x/apt stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C5B7498965EFD1C2924BA9D539D319879310D3FC is not bound: No binding signature at time 2024-12-11T21:50:47Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

Thanks for your support

InkluPedia

@OS-InkluPedia Could you share the exact command for adding a PGP key in Debian?

@OS-InkluPedia I’ve just tested installing OpenSearch 1.3.20 on Debian 12 using apt.

I followed OpenSearch documentation and had no issues.

root@debian:~# curl --insecure -u admin:admin https://localhost:9200
{
  "name" : "debian",
  "cluster_name" : "opensearch",
  "cluster_uuid" : "QJZVyNPUROqZJ6reEiyGbA",
  "version" : {
    "distribution" : "opensearch",
    "number" : "1.3.20",
    "build_type" : "deb",
    "build_hash" : "31afd17a1b5a22338307e1f4a78092887c1490e3",
    "build_date" : "2024-12-11T19:27:27.239674Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@debian:~# cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@debian:~# 

@OS-InkluPedia I’ve got the same error as you did in Debian 13. Is there any reason why you couldn’t use Debian 12?

@pablo Thanks for testing. The exact commands following your 1.3 documentation were:

curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring

echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/1.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-1.x.list

I do not think that downgrading a distribution is a good idea. Why not just sign your PGP key(s) with a more recent signature that allows installing on the latest stable Debian distribution?

InkluPedia

@OS-InkluPedia Based on your initial issue description, I assumed that you have flexibility in the OS version. Did you upgrade OpenSearch or build a Debian OS and install an OS cluster on top of that?

I used the same commands, and they align with the documentation.
I suggest reporting this in the OpenSearch GitHub. If you do so, please share the link here.

@pablo I decided to use a workaround. The expiration date for SHA1 is set in /usr/share/apt/default-sequoia.config. I raised the expiration date to allow installation of OpenSearch 1.3.20. Thank you for your time.

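The sqv error in the first post says the key's PositiveCertification (the self-signature binding the user ID to the primary key) is hashed with SHA-1, and the later workaround lifts the SHA-1 cutoff in apt's policy file. Before doing that, a practitioner wants to see which signatures on the key are actually affected. The script below is an added example, not code from this thread or from the OpenSearch project: it parses an OpenPGP certificate (binary as written by gpg --dearmor, or ASCII-armored as served at the .pgp URL) and reports the hash algorithm of every signature packet. The certificate it ships with is constructed test data with a dummy RSA key and non-verifying signatures, so that it runs offline; the real keyring is read by passing its bytes to audit_certificate().

```python
import base64
import struct
from datetime import datetime, timezone

# Added example (not from the thread or OpenSearch): list the hash algorithm of every
# signature on an OpenPGP certificate, the property a sequoia-style policy checks.
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "GenericCertification", 0x13: "PositiveCertification", 0x18: "SubkeyBinding",
             0x1F: "DirectKey", 0x20: "KeyRevocation", 0x28: "SubkeyRevocation"}
WEAK_HASHES = {1, 2}  # MD5 and SHA1

def dearmor(data: bytes) -> bytes:
    """Raw packet bytes from binary or ASCII-armored input (RFC 4880 section 6.2)."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    b64, in_body = [], False
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("-----END") or line.startswith("="):  # "=" opens the CRC line
            break
        if not in_body and (line.startswith("-----BEGIN") or ":" in line):  # BEGIN line, headers
            continue
        if not in_body:  # first non-header line; blank when headers were present
            in_body = True
            if line.strip() == "":
                continue
        b64.append(line.strip())
    return base64.b64decode("".join(b64))

def iter_packets(blob: bytes):
    """Yield (tag, body) per packet, old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(blob):
        first = blob[pos]
        if not first & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        if first & 0x40:  # new-format header
            tag, o1 = first & 0x3F, blob[pos + 1]
            if o1 < 192:
                length, pos = o1, pos + 2
            elif o1 < 224:
                length, pos = ((o1 - 192) << 8) + blob[pos + 2] + 192, pos + 3
            elif o1 == 255:
                length, pos = struct.unpack(">I", blob[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header; length type 3 (indeterminate) is rejected by the lookup
            tag, size = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[first & 0x03]
            length, pos = int.from_bytes(blob[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, blob[pos:pos + length]
        pos += length

def iter_subpackets(area: bytes):
    """Yield (type, data) per signature subpacket (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        o1 = area[pos]
        if o1 < 192:
            length, pos = o1, pos + 1
        elif o1 < 255:
            length, pos = ((o1 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # length includes the type octet
        pos += length

def parse_signature(body: bytes) -> dict:
    """Decode the fixed header and creation time of a v4 signature packet."""
    if body[0] != 4:
        return {"version": body[0], "type": None, "hash": None, "created": None, "weak": None}
    sig_type, hash_alg, hashed_len = body[1], body[3], struct.unpack(">H", body[4:6])[0]
    created = None
    for sp_type, sp_data in iter_subpackets(body[6:6 + hashed_len]):
        if sp_type == 2 and len(sp_data) == 4:  # signature creation time
            created = datetime.fromtimestamp(struct.unpack(">I", sp_data)[0], tz=timezone.utc)
    return {"version": 4, "type": SIG_TYPES.get(sig_type, f"0x{sig_type:02x}"),
            "hash": HASH_NAMES.get(hash_alg, f"alg {hash_alg}"), "created": created,
            "weak": hash_alg in WEAK_HASHES}

def audit_certificate(data: bytes) -> list:
    """One record per signature packet (tag 2), in file order."""
    return [parse_signature(body) for tag, body in iter_packets(dearmor(data)) if tag == 2]

def _packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length; enough for the constructed sample."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

def _signature(sig_type: int, hash_alg: int, created: int) -> bytes:
    """Constructed v4 signature: creation-time subpacket, empty unhashed area, dummy MPI."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    return _packet(2, bytes([4, sig_type, 1, hash_alg]) + struct.pack(">H", len(hashed))
                   + hashed + b"\x00\x00\xAB\xCD\x00\x07\x7F")

# Constructed certificate, not a real key: v4 RSA key packet, user ID with an old-format
# header, a SHA-1 self-certification, a subkey and a SHA-256 subkey binding.
_KEY = bytes([4]) + struct.pack(">I", 1_600_000_000) + b"\x01\x00\x07\x7F\x00\x02\x03"
_UID = b"Example Signing Key <release@example.invalid>"
SAMPLE_CERT = (_packet(6, _KEY) + bytes([0x80 | (13 << 2), len(_UID)]) + _UID
               + _signature(0x13, 2, 1_600_000_000) + _packet(14, _KEY)
               + _signature(0x18, 8, 1_600_000_000))

def armor(blob: bytes) -> bytes:
    """ASCII-armor packet bytes without a CRC line (dearmor ignores one when present)."""
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64]
            for i in range(0, len(b64), 64)) + "\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()
```

On the constructed certificate the audit returns a SHA-1 PositiveCertification flagged weak and a SHA-256 SubkeyBinding that is fine; that is the pattern the sqv message describes, where the primary key's user-ID binding fails the policy even though newer signatures on the key may not. To inspect a real key, pass the bytes of /usr/share/keyrings/opensearch-keyring (or the armored opensearch.pgp download) to audit_certificate(); for comparison, "gpg --list-packets" on the same file prints "digest algo 2" for SHA-1 signatures. Two points on the workaround in the later post: /usr/share/apt/default-sequoia.config is apt's default policy, so raising the SHA-1 date there relaxes verification for every repository on the host, not only OpenSearch, and the file sits under /usr/share where the apt package owns it, so expect the edit to be reverted the next time apt itself is upgraded. The durable fix is the one InkluPedia asked for: a fresh self-certification on the signing key made with SHA-256 or stronger.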

@OS-InkluPedia Thank you for sharing your workaround.