[BUG] GPG key not valid with apt 2.9.21

[Glandos]

Describe the bug
With APT 2.9.21, the GPG key from https://packagecloud.io/go-graphite/stable/gpgkey isn't accepted anymore

Logs
Err :6 https://packagecloud.io/go-graphite/stable/debian bookworm InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 40B29610C48DA4E2152C4E5FA3C7D6C388AEDEA5 is not bound: primary key because: No binding signature at time 2023-11-09T12:47:22Z because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance because: SHA1 is not considered secure since 2013-02-01T00:00:00Z

Go-carbon Configuration:
N/A

Metric retention and aggregation schemas
N/A

Simplified query (if applicable)
N/A

Additional context
APT is now using sqv instead of gnupg. There is a workaround for accepting SHA1, but it should be changed anyway

[deniszh]

@Civil : maybe we need to regenerate packagecloud keys? I have no admin access there. Could you please do that?

[Civil]

@deniszh their open-source plan is weird, they are managing the keys (at least it seems so), but there is no button to regenrate them. For paid plans they allows you to upload your own keys to sign, but that is way too expensive in my opinion.

[Glandos]

Did you find a way to fix or workaround this?
The new release of carbonapi is not easily installable without it.

[deniszh]

I'm afraid packagecloud.io have no viable alternatives.
@Civil : could you please ping packagecloud support maybe?
@Glandos - you probably can do the same as end user too.
Please take note that current pipeline still have issues and I'm not sure if it'll build and / or upload any packages.
Alternatively we can ditch it out completely and just upload packages to GitHub release page, like we doing for go-carbon, for example.

[Civil]

@deniszh well, we can either migrate to our own GPG key for signing the metadata and packages (they allow uploading gpg public key and providing that) with all the migration pain that it would cause or just indeed ditch it and upload packages to github release page or host our own repo somewhere (setting up something like Pulp at colo is an option, with all the problems that comes with that).