verify-commits: temporarily allow sha1 signatures for merge commits #34245
pull: darosior wants to merge 1 commit into bitcoin:master from darosior:2601_fix_ci_sha1, changing 1 file (+1 −1)
darosior commented at 11:37 pm on January 9, 2026: member
This is to unbreak CI after a merge commit (aeaa67a9eac0decb89c60a67f9755ca10cbcc1d9) with a signature indirectly involving SHA1 was pushed to master.
-
12ffca9ccd
verify-commits: temporarily allow sha1 signatures for merge commits
This is to unbreak CI after a merge commit with a signature indirectly involving SHA1 was pushed to master.
-
DrahtBot commented at 11:37 pm on January 9, 2026: contributor
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Code Coverage & Benchmarks
For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/34245.
Reviews
See the guideline for information on the review process. A summary of reviews will appear here.
-
darosior commented at 0:39 am on January 10, 2026: member
Your solution also looks good to me. I don’t think it matters too much: we’ll revert either in a week from now anyways.
——– Original Message ——– On Friday, 01/09/26 at 19:31 Ava Chow @.***> wrote:
achow101 left a comment (bitcoin/bitcoin#34245)
I don’t think we should blanket allow sha1, even temporarily. Furthermore, this would still break anyone doing a full verify-commits to the trusted root.
I’ve opened #34246 as an alternative to give an exception to the problematic commit.
-
maflcko commented at 11:49 am on January 10, 2026: member
Not sure about this. If this is only a temporary CI fix, to be reverted in a few days, then I’d say it isn’t needed and the CI can simply be ignored for those days (it only affects the main branch).
My recommendation for a temporary workaround would be to just have another maintainer create a “re-merge” commit manually. That is, treat aeaa67a9eac0decb89c60a67f9755ca10cbcc1d9 as if it was a pull request, then merge it again into 595504a43209bead162da54a204df7d140a25f0e and push the new “re-merge” commit. Instead of a hard force push to re-write history, this will softly treat the failing merge commit no different than any other commit in any pull request, which may be signed, but is not checked by the verify script.
-
fanquake commented at 3:33 pm on January 10, 2026: member
Closing for now, given there doesn’t seem to be agreement on this approach.
-
fanquake closed this on Jan 10, 2026
-
sedited commented at 10:54 am on January 16, 2026: contributor
I updated the key with refreshed base signatures. Seems to work for me locally again, but would be good if others checked too. I pushed the key to some common key servers.
-
hebasto commented at 11:51 am on January 16, 2026: member
> I updated the key with refreshed base signatures. Seems to work for me locally again, but would be good if others checked too. I pushed the key to some common key servers.
I can confirm that for the signing subkey with keyid: 9B79B45691DB4173, the previous signature packet using digest algo 2 (SHA-1) has been updated with the new signature packet using digest algo 10 (SHA-512):

```
$ gpg --refresh-keys --keyserver hkps://keys.openpgp.org
$ gpg --export A8FC55F3B04BA3146F3492E79303B33A305224CB | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1507239087, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 9303B33A305224CB
# off=528 ctb=b4 tag=13 hlen=2 plen=50
:user ID packet: "Sebastian Kung (TheCharlatan) <seb.kung@gmail.com>"
# off=580 ctb=89 tag=2 hlen=3 plen=569
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1507239087, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 75 22
	hashed subpkt 2 len 4 (sig created 2017-10-05)
	hashed subpkt 27 len 1 (key flags: 01)
	hashed subpkt 11 len 6 (pref-sym-algos: 9 8 7 3 2 1)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4096 bits]
# off=1152 ctb=89 tag=2 hlen=3 plen=574
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1513874756, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 7a 44
	hashed subpkt 27 len 1 (key flags: 01)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 2 len 4 (sig created 2017-12-21)
	hashed subpkt 11 len 9 (pref-sym-algos: 9 13 8 12 7 11 10 3 2)
	hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 2 3)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4093 bits]
# off=1729 ctb=b4 tag=13 hlen=2 plen=28
:user ID packet: "sedited <seb.kung@gmail.com>"
# off=1759 ctb=89 tag=2 hlen=3 plen=596
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1768501423, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 4b 18
	hashed subpkt 27 len 1 (key flags: 01)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
	hashed subpkt 34 len 1 (pref-aead-algos: 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 07)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2026-01-15)
	hashed subpkt 25 len 1 (primary user ID)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4092 bits]
# off=2358 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1507239607, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 9B79B45691DB4173
# off=2886 ctb=89 tag=2 hlen=3 plen=1115
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1631953913, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 8b c9
	hashed subpkt 27 len 1 (key flags: 02)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2021-09-18)
	hashed subpkt 9 len 4 (key expires after 7y348d10h51m)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	subpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo 2)
	data: [4096 bits]
# off=4004 ctb=89 tag=2 hlen=3 plen=1129
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1768556812, md5len 0, sigclass 0x18
	digest algo 10, begin of digest 69 ab
	hashed subpkt 27 len 2 (key flags: 02 04)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2026-01-16)
	hashed subpkt 9 len 4 (key expires after 12y104d12h6m)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	subpkt 32 len 553 (signature: v4, class 0x19, algo 1, digest algo 10)
	data: [4095 bits]
# off=5136 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1507241023, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: DAB71C6FBCD75257
# off=5664 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1631953913, md5len 0, sigclass 0x18
	digest algo 8, begin of digest c8 28
	hashed subpkt 27 len 1 (key flags: 0C)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2021-09-18)
	hashed subpkt 9 len 4 (key expires after 7y348d10h28m)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4095 bits]
# off=6239 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1768556781, md5len 0, sigclass 0x18
	digest algo 10, begin of digest 34 16
	hashed subpkt 27 len 1 (key flags: 0C)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2026-01-16)
	hashed subpkt 9 len 4 (key expires after 12y104d11h42m)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4095 bits]
# off=6814 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1507241176, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 7651CCCB55BC4D56
# off=7342 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1631953914, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 90 8f
	hashed subpkt 27 len 1 (key flags: 20)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2021-09-18)
	hashed subpkt 9 len 4 (key expires after 7y348d10h25m)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4096 bits]
# off=7917 ctb=89 tag=2 hlen=3 plen=572
:signature packet: algo 1, keyid 9303B33A305224CB
	version 4, created 1768556801, md5len 0, sigclass 0x18
	digest algo 10, begin of digest dd 89
	hashed subpkt 27 len 1 (key flags: 20)
	hashed subpkt 33 len 21 (issuer fpr v4 A8FC55F3B04BA3146F3492E79303B33A305224CB)
	hashed subpkt 2 len 4 (sig created 2026-01-16)
	hashed subpkt 9 len 4 (key expires after 12y104d11h40m)
	subpkt 16 len 8 (issuer key ID 9303B33A305224CB)
	data: [4095 bits]
```

Additionally, I’d suggest testing the updated key by running contrib/verify-commits/verify-commits.py locally.
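Added example (not part of the thread and not code from verify-commits.py): a small parser for `gpg --list-packets` text that takes the newest signature on each key, subkey and user ID and reports weak digests, including the one inside an embedded class 0x19 signature (subpkt 32), which in the listing above is where digest algo 2 appears on the 2021 binding of subkey 9B79B45691DB4173. `SAMPLE` is an abbreviated excerpt of that listing; the function names and the `WEAK` set are assumptions of this example, and it assumes the listing holds only self-signatures, as it does here.

```python
import re

WEAK = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}  # assumption: hash IDs treated as weak

# Abbreviated excerpt of the listing above (signing subkey and its two bindings).
SAMPLE = """\
:public sub key packet:
\tkeyid: 9B79B45691DB4173
:signature packet: algo 1, keyid 9303B33A305224CB
\tversion 4, created 1631953913, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 8b c9
\tsubpkt 32 len 540 (signature: v4, class 0x19, algo 1, digest algo 2)
:signature packet: algo 1, keyid 9303B33A305224CB
\tversion 4, created 1768556812, md5len 0, sigclass 0x18
\tdigest algo 10, begin of digest 69 ab
\tsubpkt 32 len 553 (signature: v4, class 0x19, algo 1, digest algo 10)
"""

def newest_signatures(listing):
    """Map each key ID / user ID to its newest signature (created time, digest algos)."""
    newest, owner, sig = {}, None, None
    for text in map(str.strip, listing.splitlines()):
        if text.startswith(":signature packet:"):
            sig = {"created": -1, "digests": []}
        elif text.startswith(":"):                 # key or user ID packet starts
            sig = None
            if text.startswith(":user ID packet:"):
                owner = text.split(":", 2)[2].strip()
        elif sig is None and text.startswith("keyid:"):
            owner = text.split()[1]                # key ID line inside a key packet
        elif sig is not None:
            m = re.match(r"version \d+, created (\d+)", text)
            if m:
                sig["created"] = int(m.group(1))
                if owner and sig["created"] >= newest.get(owner, sig)["created"]:
                    newest[owner] = sig
            # Collects the outer digest and any embedded (subpkt 32) digest.
            sig["digests"] += [int(d) for d in re.findall(r"digest algo (\d+)", text)]
    return newest

def weak_components(listing):
    """Return {owner: [weak hash names]} where the newest signature uses a weak digest."""
    found = {}
    for owner, sig in newest_signatures(listing).items():
        names = sorted({WEAK[d] for d in sig["digests"] if d in WEAK})
        if names:
            found[owner] = names
    return found

if __name__ == "__main__":
    print(weak_components(SAMPLE))
```

To check a real key, pass the text produced by the `gpg --export … | gpg --list-packets` pipeline shown above to `weak_components`.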
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-21 00:13 UTC