Bug#850839: apt: insufficient information about untrusted hash algorithm
Package: apt
Version: 1.4~beta2
Severity: wishlist
Hi, I have struggled a pretty long time trying to find out why Debian
stretch would complain about our private package repository, while it
works perfectly well on Debian jessie and below. The symptom was this:
# apt-get update
Hit:1 http://ftp.debian.xs4all.net/debian stretch InRelease
Hit:2 http://ftp.debian.xs4all.net/debian stretch-updates InRelease
Hit:3 http://security.debian.org stretch/updates InRelease
Get:4 https://dpkg.xs4all.net stretch InRelease [4061 B]
Err:4 https://dpkg.xs4all.net stretch InRelease
The following signatures were invalid: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
Fetched 4061 B in 0s (7711 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dpkg.xs4all.net stretch InRelease: The following signatures were invalid: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
W: Failed to fetch https://dpkg.xs4all.net/dists/stretch/InRelease The following signatures were invalid: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
W: Some index files failed to download. They have been ignored, or old ones used instead.
I first had to "apt-get update -o Debug::Acquire::gpgv=true" to find this:
Read: [GNUPG:] VALIDSIG D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741 2017-01-09 1483967529 0 4 0 1 2 01 D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
Got untrusted VALIDSIG, key ID: D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741
gpgv exited with status 0
And then I read gnupg/g10/mainproc.c and apt/methods/gpgv.cc
to find out that it is probably the SHA-1 digest algorithm apt
doesn't like, which led me to the relatively simple fix found on
https://debian-administration.org/users/dkg/weblog/48
Please make it easier to debug this kind of problem, or better: make
apt just say what the problem is. When I later configured our private
repo on Ubuntu xenial, it just told me exactly what the problem was:
Reading package lists... Done
W: https://dpkg.xs4all.net/dists/xenial/InRelease: Signature by key D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741 uses weak digest algorithm (SHA1)
Regards,
Robert Scheer.
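As an added illustration (not part of this report, nor apt's or gnupg's own code): a small Python script that reads gpgv status lines, including the "Read: " lines that Debug::Acquire::gpgv prints, decodes the hash-algo field of VALIDSIG using the RFC 4880 algorithm numbers, and produces the kind of explanation the Ubuntu apt printed. The second VALIDSIG line in the sample is constructed with a placeholder key.

```python
import re

# RFC 4880 hash algorithm IDs, the numbering gpgv uses in the <hash-algo>
# field of its "[GNUPG:] VALIDSIG" status line (2 = SHA1 in this report).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests apt will not trust on a repository signature.
WEAK_DIGESTS = {"MD5", "SHA1"}

# VALIDSIG <fpr> <date> <sig-timestamp> <expire-timestamp> <sig-version>
#          <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
VALIDSIG_RE = re.compile(
    r"^(?:Read: )?\[GNUPG:\] VALIDSIG (\S+) (\S+) (\d+) (\d+) (\d+) (\d+) (\d+) (\d+) (\S+)"
    r"(?: (\S+))?$")

def parse_validsig(line):
    """Return the interesting fields of one VALIDSIG line, or None if it is not one."""
    m = VALIDSIG_RE.match(line.strip())
    if m is None:
        return None
    fpr, _date, _ts, _exp, _ver, _res, _pk, hash_id, sig_class, primary = m.groups()
    hash_name = HASH_ALGOS.get(int(hash_id), "unknown(%s)" % hash_id)
    return {"fingerprint": fpr,
            "primary_fingerprint": primary or fpr,   # primary key fpr when gpgv gives it
            "hash_algo": hash_name,
            "weak_digest": hash_name in WEAK_DIGESTS,
            "sig_class": sig_class}

def diagnose(status_lines):
    """Turn gpgv --status-fd output into the explanation apt 1.4 did not print."""
    messages = []
    for line in status_lines:
        sig = parse_validsig(line)
        if sig is None:
            continue                      # NEWSIG, GOODSIG, ... carry no digest info
        if sig["weak_digest"]:
            messages.append("Signature by key %s uses weak digest algorithm (%s)"
                            % (sig["primary_fingerprint"], sig["hash_algo"]))
        else:
            messages.append("Signature by key %s uses %s, accepted"
                            % (sig["primary_fingerprint"], sig["hash_algo"]))
    return messages

# Constructed sample: the VALIDSIG line quoted in this report, plus a
# made-up RSA/SHA256 signature (hash-algo 8) from an all-zero placeholder key.
SAMPLE = [
    "[GNUPG:] NEWSIG",
    "Read: [GNUPG:] VALIDSIG D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741 2017-01-09 1483967529 0 4 0 1 2 01 D9EB3929A1511F1F9B0D47D2D16BDC99BCA6F741",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2017-01-10 1484000000 0 4 0 1 8 01",
]
```

Running `diagnose(SAMPLE)` yields one weak-digest warning for the SHA1 signature and an "accepted" line for the constructed SHA256 one.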
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- (/etc/apt/preferences.d/puppet.pref present, but not submitted) --
-- (/etc/apt/sources.list present, but not submitted) --
-- (/etc/apt/sources.list.d/debian.list present, but not submitted) --
-- (/etc/apt/sources.list.d/debian_security.list present, but not submitted) --
-- (/etc/apt/sources.list.d/debian_updates.list present, but not submitted) --
-- (/etc/apt/sources.list.d/xs4all.list present, but not submitted) --
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii adduser 3.115
ii debian-archive-keyring 2014.3
ii gpgv 2.1.17-2
ii init-system-helpers 1.46
ii libapt-pkg5.0 1.4~beta2
ii libc6 2.24-8
ii libgcc1 1:6.2.1-5
ii libstdc++6 6.2.1-5
Versions of packages apt recommends:
ii gnupg 2.1.17-2
Versions of packages apt suggests:
pn apt-doc <none>
pn aptitude | synaptic | wajig <none>
ii dpkg-dev 1.18.18
pn powermgmt-base <none>
pn python-apt <none>
-- no debconf information