Ubuntu – reprepro: Signature by key uses weak digest algorithm (SHA1)

apt reprepro

I'm hosting some internal repositories using reprepro.

After the upgrade of the clients to Ubuntu 16.04, apt-get update gives a warning "InRelease: Signature by key … uses weak digest algorithm (SHA1)".

The InRelease file starts like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So, reprepro has signed the InRelease file with SHA1. How can I change it to SHA256 or SHA512?

Best Answer

You can fix this by modifying the ~/.gnupg/gpg.conf file of the user account which will be running reprepro and adding this line to the file: digest-algo sha256. All signatures made with GPG by this user will use the SHA256 digest algorithm by default; thus, signatures made by reprepro will be SHA256 as well.

If you want to learn more about GPG, APT, and Debian packages, I wrote a comprehensive blog post about signing and verifying Debian packages and APT repositories that may be helpful.
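The answer's fix, as an added shell example that is not part of the original answer: it reads the Hash: armor header of an InRelease file to confirm which digest the signature used, and rewrites a gpg.conf so it carries exactly one digest-algo sha256 line. The temp-dir paths and the constructed InRelease header are my assumptions, and the reminder to re-export the distribution afterwards is mine, not the answer's.

```shell
#!/bin/sh
# Added example (not from the original answer). Two checks a repository
# admin can script: read which digest a clearsigned InRelease was produced
# with, and set "digest-algo sha256" in the signing user's gpg.conf.

# Print the digest named in the "Hash:" armor header of a clearsigned file.
# RFC 4880 says a missing Hash header means MD5, so report that explicitly.
inrelease_digest() {
    awk '/^Hash:/ { print $2; found = 1; exit }
         /^$/    { exit }
         END     { if (!found) print "MD5" }' "$1"
}

# True (exit 0) when the digest is one apt on 16.04 warns about as weak.
digest_is_weak() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        MD5|SHA1|RIPEMD160) return 0 ;;
        *) return 1 ;;
    esac
}

# Put exactly one "digest-algo sha256" line in the gpg.conf given as $1,
# replacing any existing digest-algo line and keeping every other option.
set_gpg_digest() {
    conf="$1"; tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    grep -v '^digest-algo ' "$conf" > "$tmp" || :
    printf 'digest-algo sha256\n' >> "$tmp"
    mv "$tmp" "$conf"
    grep '^digest-algo ' "$conf"
}

# Demo on constructed input mirroring the question: a SHA1-signed header and
# a gpg.conf that still asks for sha1. Paths are a temp dir, not ~/.gnupg.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA1' '' \
        'Origin: internal' > "$dir/InRelease"
    printf 'digest-algo sha1\n' > "$dir/gpg.conf"
    algo=$(inrelease_digest "$dir/InRelease")
    if digest_is_weak "$algo"; then
        echo "InRelease is signed with weak digest $algo; updating gpg.conf"
        set_gpg_digest "$dir/gpg.conf"
        # For a real repository, run "reprepro export" afterwards so the
        # InRelease file is regenerated and re-signed with the new digest.
    fi
    rm -rf "$dir"
}
demo
```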
