
Re: repository uses weak digest algorithm (SHA1)



Hi Matthias,

I had a similar problem with my repository in stretch testing/unstable earlier this year. I had to change the reprepro (a repository manager) configuration to explicitly sign the repository and the release file. The key didn't need to be changed.

I then searched for a way to make apt-get ignore or silence the warning with some setting in /etc/apt/apt.conf.d/ but I found nothing. Maybe someone else knows how.

The only way to make the warning disappear was to update the reprepro configuration as I did in my repository.

I guess you'll have to report this to the Linux Mint team.

On 04/08/2016 21:56, "Matthias Bodenbinder" <matthias@bodenbinder.de> wrote:
>
> Hi,
>
> I have a weird signature issue with an LMDE Mint repository. I know that this is not pure Debian but nevertheless I think my question is best posted here.
>
> The issue is: I have 4 PCs and 1 laptop at home. All running LMDE2. When I do "apt-get update" the PCs have no issue. But the laptop says:
>
> # last 2 lines of "apt-get update" output
> W: http://linux-mint.froonix.org/dists/betsy/Release.gpg: Signature by key E1A38B8F144675D060EA666F3EE67F3D0FF405B2 uses weak digest algorithm (SHA1)
> W: http://extra.linuxmint.com/dists/betsy/Release.gpg: Signature by key E1A38B8F144675D060EA666F3EE67F3D0FF405B2 uses weak digest algorithm (SHA1)
> ##
>
> I reinstalled all keyring debs on the laptop.
>
>
>
> I am using the exact same sources on the laptop and the PCs (rsync of /etc/apt/sources.list*). During the last test I even rsync'ed all /etc/apt/trusted* to the laptop.
>
> I tried to fetch it via apt-key:
>
> ##
> # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1A38B8F144675D060EA666F3EE67F3D0FF405B2
> Executing: /tmp/tmp.9xZlldxhO9/gpg.1.sh --keyserver
> keyserver.ubuntu.com
> --recv-keys
> E1A38B8F144675D060EA666F3EE67F3D0FF405B2
> gpg: requesting key 0FF405B2 from hkp server keyserver.ubuntu.com
> gpg: key 0FF405B2: "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> ##
>
> But the laptop keeps throwing these signature warnings - and only the laptop. Why is that?
>
> Thank you for your help.
> Matthias
>
>

