Debian repository: policy will reject signature within a year: SHA1 is not considered secure

apt is unhappy about the signing key, as shipped by deb.torproject.org-keyring, used for signing Debian packages. This is apt 3.0.1 on Debian "trixie" which is to be released later this year.

$ apt update
...
Hit:7 tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org trixie InRelease
Fetched 303 kB in 8s (36.9 kB/s)
All packages are up to date.
Warning: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details

Details when using --audit:

Audit: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/dists/trixie/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
   Signing key on A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 is not bound:
              Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance
     because: SHA1 is not considered secure since 2026-02-01T00:00:00Z

The policy:

$ cat /usr/share/apt/default-sequoia.config
# Default APT Sequoia configuration. To overwrite, consider copying this
# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the
# desired values.
[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048  = 2030-02-01

[hash_algorithms]
sha1.second_preimage_resistance = 2026-02-01    # Extend the expiry for legacy repositories
sha224 = 2026-02-01

[packets]
signature.v3 = 2026-02-01   # Extend the expiry
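
The look-ahead behind the "within a year" warning can be reproduced from the policy file alone. The Python sketch below is an added example, not part of the original report and not apt's or Sequoia's own code: it parses the cutoff dates shown above and classifies each entry for a given date. The 365-day warning window and the sample date 2025-06-01 are assumptions.

```python
from datetime import date

# Policy entries copied from the default-sequoia.config output above.
POLICY = """\
[asymmetric_algorithms]
dsa2048 = 2024-02-01
dsa3072 = 2024-02-01
dsa4096 = 2024-02-01
brainpoolp256 = 2028-02-01
brainpoolp384 = 2028-02-01
brainpoolp512 = 2028-02-01
rsa2048  = 2030-02-01
[hash_algorithms]
sha1.second_preimage_resistance = 2026-02-01    # Extend the expiry for legacy repositories
sha224 = 2026-02-01
[packets]
signature.v3 = 2026-02-01   # Extend the expiry
"""

def parse_policy(text):
    """Return {"section.key": cutoff_date} from the policy text."""
    cutoffs, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, _, value = line.partition("=")
        cutoffs[f"{section}.{key.strip()}"] = date.fromisoformat(value.strip())
    return cutoffs

def classify(cutoff, today, warn_days=365):
    """'rejected' from the cutoff date on; 'warning' inside the assumed window."""
    if today >= cutoff:
        return "rejected"
    if (cutoff - today).days <= warn_days:
        return "warning"
    return "ok"

def audit(text, today):
    """Classify every policy entry as of `today`."""
    return {name: classify(c, today) for name, c in parse_policy(text).items()}

if __name__ == "__main__":
    # Constructed sample date; substitute date.today() on a real system.
    for name, state in audit(POLICY, date(2025, 6, 1)).items():
        print(f"{state:9} {name}")
```

Run against the copy of the policy a host actually uses (the default shown above, or an override under /etc/crypto-policies/back-ends/apt-sequoia.config) to see which signing properties a repository key must avoid before each cutoff.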