Forum Discussion
phil-gg
7 days ago, New Member
debsig package signing issue for 1password & 1password-cli
Problem:
I have already raised this issue by email (no response from 1password yet), and BitBot has given this matter reference CKQ-37366-878.
1Password uses the weak, deprecated algorithm SHA1, with debsig, to sign its Debian packages (this affects both 1password [gui app package], and 1password-cli, each in their deb package form).
Way back in Nov-2021, debsig v0.24 deprecated SHA1 as an acceptable way to sign packages. This is because a practical collision attack for SHA1 was first demonstrated in 2017.
debsig release announcement: https://lists.debian.org/debian-dpkg/2021/11/msg00006.html#:~:text=*%20reject%20weak%20ripemd160%20and%20sha1%20algorithms
Any Ubuntu or Debian distro using debsig >= v0.24 will by default not verify 1password or 1password-cli packages, due to the use of weak SHA1 packages.
To further prove that it is the use of the weak SHA1 algorithm for signing that is the root cause of debsig-verify failing, and nothing else, you can put "allow-weak-digest-algos" (without quotes) into /etc/gnupg/gpg.conf, and then the debsig-verify command will confirm that the latest 1password or 1password-gui deb package was signed appropriately in the "_gpgorigin" file.
Yes, an SHA1 collision is still hard, and so SHA1 signing is still better than nothing, and Debian packages are a smaller subset of an already small Linux user base for 1password, but it still disappoints me that 1password appears not to be on top of ensuring that all of its crypto algorithm uses are strong, secure, non-deprecated ones! It makes me wonder and worry where else deprecated crypto ciphers are in use, and whether I should switch to something with more open source code that I can check for myself, like Proton or Bitwarden.
Fix required:
Please restore my faith in 1password by switching your signing algorithm for all Debian packages, from using SHA 1 (digest algo 2) to SHA 256 (digest algo 8), or even better, SHA 512 (digest algo 10), for debsig.
This does not need to change the keys you use, and changes nothing about the underlying packages for 1password or 1password-cli. It is just a change to the deb packages.
Steps to reproduce and analyse the issue:
(1) Fire up an Ubuntu or Debian instance with debsig >= v0.24 (I used Debian 13 Trixie)
(2) wget -O "1password-latest.deb" https://downloads.1password.com/linux/debian/amd64/stable/1password-latest.deb
This gets you a suitable package to test the problem on.
(3) debsig-verify -d 1password-latest.deb
This runs debsig-verify, with debug output visible, on the just-downloaded deb package. You can see the signature failure message on the final output line. Higher up you can see complaints about an invalid digest algorithm as the root cause.
(4) Add "allow-weak-digest-algos" (without quotes) into /etc/gnupg/gpg.conf and then re-run the debsig-verify command from step 3 above.
Now that we have moved away from the default secure config that rejects old, weak, deprecated algorithms such as SHA1, the 1password deb package successfully shows as signed.
You could keep all the same keys, and just switch the signing algorithm used by debsig, to SHA256 or even better SHA512 (SHA512 is 64-bit words, so no slower on 64-bit architectures than SHA256, but larger and more secure), and you would fix this problem.
If you are still using SHA1 here, and had not noticed until a user pointed it out, you should probably (re-)audit where else you are using weak, old, deprecated ciphers in your codebase too, as a good step to continuously improve 1password security!
1 Reply
Replies have been turned off for this discussion
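The check described in the post above (which digest algorithm signed a .deb's "_gpgorigin" member) can be done offline without gpg by reading the OpenPGP signature packet header directly. This is an added example, not code from phil-gg or from 1Password; it assumes "_gpgorigin" is a binary (unarmored) v4 signature packet, which is what debsig-verify consumes, and the sample archive it builds is constructed test data, not a real signed package.

```python
"""Audit which OpenPGP digest algorithm signed a .deb's _gpgorigin member (added example)."""

# RFC 4880 hash algorithm IDs: 2 (SHA1) is what debsig >= 0.24 rejects by default; 8 and 10 are the fixes proposed above
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

def ar_members(data: bytes):
    """Yield (name, payload) for each member of a Unix ar archive, the container format of .deb files."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                        # fixed 60-byte member header with ASCII fields
        name = hdr[0:16].decode().strip().rstrip("/")   # GNU ar terminates names with '/'
        size = int(hdr[48:58])
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                   # payloads are padded to an even length

def signature_hash_algo(packet: bytes) -> str:
    """Return the hash algorithm name from a binary OpenPGP v4 signature packet (assumed unarmored, as debsig expects)."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                                 # new-format header: tag in the low 6 bits
        tag, first = tag_byte & 0x3F, packet[1]
        body = 2 if first < 192 or 224 <= first < 255 else (3 if first < 224 else 6)
    else:                                               # old-format header: tag in bits 2-5, length type in bits 0-1
        tag = (tag_byte >> 2) & 0x0F
        body = 1 + (1, 2, 4, 0)[tag_byte & 0x03]
    if tag != 2 or packet[body] != 4:
        raise ValueError("expected a v4 signature packet")
    return HASH_ALGOS.get(packet[body + 3], f"unknown({packet[body + 3]})")  # v4 body: version, sig type, pk algo, hash algo

def audit_deb(deb: bytes) -> dict:
    """Report whether the .deb carries a debsig signature and whether its digest is one debsig rejects by default."""
    for name, payload in ar_members(deb):
        if name == "_gpgorigin":
            digest = signature_hash_algo(payload)
            return {"signed": True, "digest": digest, "weak": digest in WEAK_DIGESTS}
    return {"signed": False, "digest": None, "weak": False}

def make_sample_deb(hash_algo: int) -> bytes:
    """Constructed test input: a minimal ar archive whose _gpgorigin is a v4 signature header with the given hash ID (not a real signature)."""
    sig = bytes([0x88, 10, 4, 0x00, 1, hash_algo, 0, 0, 0, 0, 0, 0])  # old-format tag 2, len 10, v4, binary doc, RSA, hash, empty subpackets
    def member(name: str, payload: bytes) -> bytes:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n".encode()
        return hdr + payload + (b"\n" if len(payload) & 1 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("_gpgorigin", sig)
```

On a real package, pass the bytes of the downloaded .deb to audit_deb; a result with "weak": True is exactly the case that makes debsig-verify fail in step 3 of the post.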
- 1P_Dave
Moderator
Hello phil-gg! 👋
Thank you for bringing this to our attention. I see that our team is already in contact with you via email, and I recommend continuing the conversation there so we can focus our efforts and avoid any duplication of work. For that reason, I’ve gone ahead and closed this community thread.
-Dave