Comment 10 for bug 1461834

Julian Andres Klode (juliank) wrote :

APT currently rejects all non-SHA2 hashes, which excludes 1024-bit DSA keys (the only 1024-bit keys in use, really). All repositories were told to update to 2048- or 4096-bit RSA keys.

GPG does not provide a way for APT to validate key lengths when the signature is verified, so we did all we could do here. Any future change needs to be made in gpg (reject all DSA/RSA keys less than 2048 bits).
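Added example, not part of the comment above and not APT or GnuPG code: since key length is not checked at verification time, an administrator can audit a trusted keyring offline by parsing `gpg --with-colons --list-keys` output and flagging RSA/DSA keys and subkeys below 2048 bits. The sample listing and its key IDs are constructed, and the function name `weak_keys` is hypothetical.

```python
import subprocess
import sys

MIN_BITS = 2048
# OpenPGP public-key algorithm IDs (RFC 4880): 1-3 are RSA variants, 17 is DSA.
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 17: "DSA"}

# Constructed sample of colon-format output; key IDs and user IDs are made up.
SAMPLE = """\
pub:-:1024:17:AAAAAAAAAAAAAAAA:1100000000:::-:::scESC:
uid:-::::1100000000::0000::Constructed Old Archive Key <old@example.invalid>:
sub:-:2048:16:BBBBBBBBBBBBBBBB:1100000000::::::e:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1400000000:::-:::scSC:
uid:-::::1400000000::0000::Constructed New Archive Key <new@example.invalid>:
sub:-:1024:1:DDDDDDDDDDDDDDDD:1400000000::::::s:
pub:-:2048:1:EEEEEEEEEEEEEEEE:1400000000:::-:::scSC:
"""

def weak_keys(colons, min_bits=MIN_BITS):
    """Return one dict per RSA/DSA primary key or subkey shorter than min_bits."""
    findings, uids, primary = [], {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 5:
            if f[0] == "pub":
                primary = f[4]          # subkeys that follow belong to this key
            try:
                bits, algo = int(f[2]), int(f[3])   # field 3 = length, 4 = algo
            except ValueError:
                continue
            if algo in ALGOS and bits < min_bits:
                findings.append({"record": f[0], "keyid": f[4], "bits": bits,
                                 "algo": ALGOS[algo], "primary": primary})
        elif f[0] == "uid" and len(f) >= 10 and primary:
            uids.setdefault(primary, f[9])          # first user ID of the key
    for item in findings:
        item["uid"] = uids.get(item["primary"], "")
    return findings

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:   # path to a keyring file, e.g. one of APT's trusted keyrings
        text = subprocess.run(
            ["gpg", "--no-default-keyring", "--keyring", sys.argv[1],
             "--with-colons", "--list-keys"],
            check=True, capture_output=True, text=True).stdout
    for k in weak_keys(text):
        print(f"{k['record']} {k['keyid']} {k['algo']}{k['bits']} "
              f"(primary {k['primary']}: {k['uid']})")
```

Subkeys are reported with their primary key ID because a strong primary key can still carry a short signing subkey.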