Have securedrop-admin reject Submission Keys with SHA-1 signatures

[legoktm]

Description

securedrop-admin should reject Submission Keys that have SHA-1 signatures

https://sequoia-pgp.org/blog/2023/02/01/202302-happy-sha1-day/

We should install sq-keyring-linter as part of the Tails Admin Workstation setup, and then check the key in https://github.com/freedomofpress/securedrop/blob/develop/admin/bin/validate-gpg-key.sh, erroring if it fails the linter

[rocodes]

We currently run all the pubkeys (submission key, ossec alert key, journalist key if applicable) through our validation script.

Question for team: Should we fail on any key using SHA-1 in its binding signature, or just on the Submission Key?

[zenmonkeykstop]

IMO it would make sense to apply across the board.

[legoktm]

Agreed, I think we should fail all SHA-1 signed keys. Yes, GPG will still accept them, but they're bad and we should discourage their use. Plus it should be easier to rotate OSSEC + journalist keys vs the submission key since they're not public facing.

[zenmonkeykstop]

If we can get sq-keyring-linter added in an upcoming Tails base version - would it make sense to defer this change until then?