
Re: Question: Repo signing keys



On Fri, Apr 01, 2016 at 09:16:47AM +0200, Hans wrote:
> Hi folks,
> 
> I have added a trustworthy repository and signed it with the key, but I get a
> warning:
> 
> aptitude update
> Treffer http://apt.metasploit.com sid InRelease
> Holen: 1 ftp://ftp.de.debian.org/debian stable InRelease
> Ign ftp://ftp.de.debian.org/debian stable InRelease
> Treffer http://security.debian.org stable/updates InRelease
> Treffer ftp://ftp.de.debian.org/debian testing InRelease
> Treffer ftp://ftp.de.debian.org/debian stable Release
> W: http://apt.metasploit.com/dists/sid/InRelease: Signature by key
> 09E55FAF4F7862CD6D558997CDFB5FA52007B954 uses weak digest algorithm (SHA1)
> 
> So, what did I do wrong? Did I sign with the wrong key?

If you run the repository at apt.metasploit.com then, according to https://wiki.debian.org/Teams/Apt/Sha1Removal you need "to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file".

If you're only wanting to USE the repository there, then you don't need to sign the key at all. apt doesn't use the "web of trust" for its keys. So long as it knows about the key (using 'apt-key add' for example) then it trusts it. In this case, there is nothing you can do until the maintainer re-signs the repository. (Well, if you like, you can add the repository to the list of known-broken repositories at the above wiki page).


> Thanks for any information.
> 
> Best regards
> 
> Hans


--
For more information, please reread.
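As an added check that is not part of the thread: the script below reads a `gpg --list-packets` dump of a downloaded InRelease file and reports which digest each signature packet used, so a repository maintainer can confirm the re-signing worked (or a user can see whether a repository is affected) without waiting for apt to warn. The packet dump is a constructed sample; the key ID in it is the last 16 hex digits of the fingerprint from the warning above.

```python
import re

# OpenPGP hash-algorithm IDs (RFC 4880, section 9.4) as they appear in the
# "digest algo N" field that `gpg --list-packets` prints for a signature packet.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests apt flags as weak on Release/InRelease signatures.
WEAK = {"MD5", "SHA1"}

# Constructed sample of `gpg --list-packets InRelease` output for a clearsigned
# Release file (timestamps and digest bytes made up; key ID from the warning).
# The fix on the signing side is e.g.:
#   gpg --clearsign --digest-algo SHA256 -o InRelease Release
SAMPLE_PACKETS = """\
:literal data packet:
	mode t (74), created 0, name="",
	raw data: unknown length
:signature packet: algo 1, keyid CDFB5FA52007B954
	version 4, created 1459497600, md5len 0, sigclass 0x01
	digest algo 2, begin of digest 3a 7f
	hashed subpkt 2 len 4 (sig created 2016-04-01)
	subpkt 16 len 8 (issuer key ID CDFB5FA52007B954)
	data: [4095 bits]
"""

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-F]+)", re.M)
DIGEST_RE = re.compile(r"^\s+digest algo (\d+)", re.M)


def signature_digests(packets):
    """Return [(keyid, digest_name)] for every signature packet in the dump."""
    results = []
    # Split the dump at each packet header; the chunk that starts with a
    # signature header carries that signature's "digest algo" line.
    for chunk in re.split(r"(?m)^(?=:[a-z ]+packet:)", packets):
        sig = SIG_RE.match(chunk)
        if not sig:
            continue
        digest = DIGEST_RE.search(chunk)
        algo_id = int(digest.group(1)) if digest else -1
        results.append((sig.group(1), HASH_ALGOS.get(algo_id, f"unknown({algo_id})")))
    return results


def weak_signatures(packets):
    """Return only the signatures apt would warn about (MD5 or SHA1 digest)."""
    return [(k, d) for k, d in signature_digests(packets) if d in WEAK]
```

Run it against real output with `gpg --list-packets InRelease` piped into `signature_digests`; an empty result from `weak_signatures` means the repository has been re-signed with a SHA2 digest.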
