SHA-1 GPG keys are deprecated, request to update GPG-keys

What is the problem you are having with rclone?

Verifying SHA256SUMS fails if "weak-digest SHA1" is set in gpg.conf

SHA-1 GPG keys are deprecated.

Run the command 'rclone version' and share the full output of the command.

Rclone is not installed yet.

Command 'rclone' not found, but can be installed with:
sudo apt install rclone

Which cloud storage system are you using? (eg Google Drive)

none

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone copy --http-url https://downloads.rclone.org/v1.69.0 :http:SHA256SUMS
rclone copy --http-url https://downloads.rclone.org/v1.69.0 :http:rclone-v1.69.0-linux-amd64.deb
gpg --verify SHA256SUMS
gpg: Signature made Sun Jan 12 15:59:24 2025 UTC
gpg: using DSA key FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA
gpg: Note: signatures using SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm

Describe the solution you'd like

I would like the Rclone GPG keys to be updated to the SHA-256 (or SHA-512) algorithm. SHA256SUMS (and SHA1SUMS) in the download section would be signed with this new key.

As per your link:

... for the standard use of GnuPG, the signature based on SHA-1 are still fine. To be prepared for future developments, GnuPG is moving forward and some defaults have been changed to prefer SHA-256 over SHA-1. If in a few years the installed code base of modern GnuPG versions is large enough we are prepared to deprecate SHA-1 then.

So please do not spread FUD.

I guess you are using hardened custom settings. Here are the results with gpg using defaults:

$ gpg --verify SHA256SUMS
gpg: Signature made Sun Jan 12 16:59:24 2025 CET
gpg:                using DSA key FBF737ECE9F8AB18604BD2AC93935E02FF3B54FA
gpg: Good signature from "Nick Craig-Wood <nick@craig-wood.com>" [full]

But thank you for keeping an eye on this - at some stage it should indeed be upgraded.
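
Added example (not part of the thread, and not rclone's or GnuPG's code): the digest a signature was made with is recorded in the signature packet itself, so it can be read regardless of what gpg.conf allows. This Python sketch reads the hash algorithm ID from the first signature packet of an armored file such as SHA256SUMS. The function names, the WEAK set and the sample signature are constructed for illustration.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: what a hardened policy rejects

def dearmor(text):
    """Return the binary packet data of the PGP SIGNATURE armor block."""
    lines = [l.strip() for l in text.splitlines()]
    start = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----", start)
    body = lines[start + 1:end]
    body = body[body.index("") + 1:]                   # skip armor headers
    body = [l for l in body if not l.startswith("=")]  # drop the CRC24 line
    return base64.b64decode("".join(body))

def signature_digest(text):
    """Return (digest name, is_weak) for the first signature packet."""
    pkt = dearmor(text)
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new-format packet header
        tag, n = first & 0x3F, pkt[1]
        if 224 <= n < 255:
            raise ValueError("partial body lengths are not handled")
        hdr = 2 if n < 192 else 3 if n < 224 else 6
    else:                                 # old-format packet header
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    body = pkt[hdr:]
    if body[0] == 3:      # v3: version, len, type, time(4), key ID(8), pubkey, hash
        hash_id = body[16]
    elif body[0] == 4:    # v4: version, sig type, pubkey algo, hash algo
        hash_id = body[3]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    name = HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id)
    return name, name in WEAK

def make_sample(hash_id):
    # Constructed, non-verifiable v4 DSA (algo 17) signature header for the demo.
    body = bytes([4, 0x01, 17, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: %s\n\nconstructed\n"
            "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n"
            % (HASH_ALGOS[hash_id], b64))
```

On a real file, `signature_digest(open("SHA256SUMS").read())` reports the digest that a `weak-digest` policy would be evaluated against.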