All major OpenPGP implementations have been able to support digests from the SHA-256 family for over 5 years now. GnuPG has had support in a development version since 1.3.3 (released in 2003) and stable version support since 1.4.0, which was part of debian since Feb 2005 (over 6 years ago), which was in etch (old oldstable).
While debian shouldn't base our decisions solely on requirements of the US Government, it's also interesting to note that NIST has forbidden government agencies from relying on SHA-1 for digital signatures after the end of 2010. Arguably, this makes debian unfit for use within the US Gov't (though I suspect that many other portions of their infrastructure already fail to meet these standards, given the overwhelming number of SHA1-based X.509 certificates used by web servers today).

If there really is a wish to support particularly ancient OpenPGP clients, you could make two certifications over the same data, one with SHA1 and the other with SHA256 (though this might present other surprises if legacy clients only expect one OpenPGP signature packet per signature file).

I think it would be a good idea to use SHA256 for the APT repository signatures.

--dkg

[0] http://securitymusings.com/article/1587/algorithm-and-key-length-deprecation and particularly pages 65-68 of http://www.csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
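A way to check the point made above, as an added example that is not part of dkg's message nor code from APT or GnuPG: a small Python parser that reports the digest algorithm of every signature packet in a detached signature file (binary or ASCII-armored, as in Release.gpg), so a repository operator can confirm a signature really uses SHA256 rather than SHA1 and can see the dual-signature case the post describes. It assumes the RFC 4880 packet layout, handles v3 and v4 signatures, and uses constructed placeholder bytes as its sample input, not real signatures.

```python
import base64

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",   # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Strip ASCII armor (the form used by Release.gpg) down to raw packet bytes."""
    lines = [l.strip() for l in text.strip().splitlines()][1:-1]   # drop BEGIN/END
    start = lines.index("") + 1 if "" in lines else 0              # skip armor headers
    return base64.b64decode("".join(l for l in lines[start:] if not l.startswith("=")))

def packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet header at buf[pos]."""
    ctb = buf[pos]
    if ctb & 0x40:                                    # new-format header, RFC 4880 4.2.2
        first = buf[pos + 1]
        if first < 192:
            return ctb & 0x3F, pos + 2, first
        if first < 224:
            return ctb & 0x3F, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        raise ValueError("5-octet or partial lengths not expected in a signature file")
    if ctb & 0x03 == 3:                               # old-format header, RFC 4880 4.2.1
        raise ValueError("indeterminate-length packet")
    n = 1 << (ctb & 0x03)                             # 1, 2 or 4 length octets
    return (ctb >> 2) & 0x0F, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def signature_digests(data):
    """List the digest algorithm of every signature packet in a signature file."""
    buf = dearmor(data.decode()) if data.startswith(b"-----BEGIN") else data
    found, pos = [], 0
    while pos < len(buf):
        tag, start, length = packet_header(buf, pos)
        if tag == 2:                                  # signature packet, RFC 4880 5.2
            # v3 body: ver, hashed-len, sigtype, time(4), keyid(8), pkalgo, hashalgo
            # v4 body: ver, sigtype, pkalgo, hashalgo, subpackets, ...
            hash_id = buf[start + 16] if buf[start] == 3 else buf[start + 3]
            found.append(HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id))
        pos = start + length
    return found

# Constructed sample, not a real signature: a v4 RSA/SHA256 packet (old-format
# header) followed by a v4 RSA/SHA1 packet (new-format header), i.e. the
# dual-signature file the post describes. Subpackets and MPI are placeholders.
SIG_BODY = bytes.fromhex("0400010800060502000000000000abcd0008ff")
SAMPLE_DUAL = (bytes([0x88, len(SIG_BODY)]) + SIG_BODY
               + bytes([0xC2, len(SIG_BODY)]) + SIG_BODY[:3] + b"\x02" + SIG_BODY[4:])
SAMPLE_ARMORED = (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                  + base64.b64encode(SAMPLE_DUAL) + b"\n=XXXX\n-----END PGP SIGNATURE-----\n")
```

Run `signature_digests(open("Release.gpg", "rb").read())` against a real repository to see which digests its signatures use; anything other than a single SHA-2 entry deserves a look.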