Debian 9, APT, and “GPG error: … InRelease: The following signatures were invalid:”

Tags: apt, debian, repository

I publish a Debian repository. It was signed with a 4096-bit GPG key, and has been merrily in use from Debian 7 and Debian 8 systems for some time. Recently, one of my users reported that Debian 9 was having problems with it. Specifically, apt-get update was yielding:

    Reading package lists... Done
    W: GPG error: http://Debian-repository.JdeBP.info. stable InRelease: The following signatures were invalid: A71733F3CEBD655CB25A0DDCE1E3A497555CE68F
    W: The repository 'http://Debian-repository.JdeBP.info. stable InRelease' is not signed.

Note that unlike the people at "Repo APT secure – apt-get update GPG signature were invalid" and "Frustrated with aptly and GPG signing" I am not using aptly. So clearly I am not suffering from an aptly bug of any kind. (-:

So what is the problem?

Best Answer

The cause of the problem is that with no update to the Debian wiki or other similar doco, and pretty much only a couple of largely Ubuntu-related announcements on a non-Debian personal WWW site, support for keys that state a preference for SHA-1 encryption has been turned off in APT as of Debian 9. (Specifically, it was turned off in APT version 1.4~beta1, and Debian 9 has version 1.4.7.)

So a repository publisher needs to do two things:

  • Adjust the personal-digest-preferences and personal-cipher-preferences in $HOME/.gnupg/gpg.conf to eliminate SHA-1 from one's GPG preferences. This prevents the problem coming back with new keys.
  • Adjust the preferences that are contained in the current repository signing key to eliminate SHA-1 from there too. For that one needs to:
    • Run
      gpg --edit-key "${key_fingerprint}"
      substituting the appropriate key fingerprint, then edit the key preferences with the pref and setpref commands, then save the key to the keyring.
    • Export the public key of the updated key from the keyring to a file.
    • Re-sign the repository with the modified signing key.
    • Publish the updated signing key's public key file.

Note that it is not necessary to generate a new signing key, and that the updated key with SHA-1 removed will continue to interoperate with the older Debian 8 APT.
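The procedure the answer lists (gpg.conf preferences, setpref on the existing key, export, re-sign, publish), as an added POSIX shell example; it is not code from the question or the answer. It assumes GnuPG 2.x and a plain dists/stable/Release layout; the fingerprint, repository path and file names are placeholders, and the two `gpg --list-packets` samples are constructed to show what the key and the InRelease signature look like before and after the fix, so the checking helpers can be exercised without a key. The cert-digest-algo line goes one step beyond the answer (it governs the hash of the self-signature that setpref writes).

```shell
#!/bin/sh
# Added example, not code from the page.  Assumes GnuPG 2.x; the fingerprint,
# paths and file names are placeholders; the list-packets samples are constructed.

# Hash ids per RFC 4880 9.4: 1 MD5, 2 SHA1, 8 SHA256, 9 SHA384, 10 SHA512, 11 SHA224.
# setpref replaces all three preference groups at once, so the cipher and
# compression lists are restated rather than left to gpg's defaults.
NEW_PREFS='SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'

# gpg.conf lines that keep SHA1 out of new keys and new signatures
# (cert-digest-algo is an extra beyond the answer: hash of the self-signature).
gpg_conf_prefs() {
    cat <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-cipher-preferences AES256 AES192 AES CAST5
cert-digest-algo SHA512
EOF
}

# --- pure helpers over 'gpg --list-packets' output read from stdin ---

# The key's stated hash preferences, e.g. "10 9 8 11 2".
pref_hash_algos() {
    sed -n 's/.*pref-hash-algos: \([0-9 ]*\)).*/\1/p' | head -n 1
}

# The hash a signature was actually made with ("digest algo N").
signature_digest() {
    sed -n 's/.*digest algo \([0-9]*\),.*/\1/p' | head -n 1
}

# Exit 0 if the id list on stdin contains MD5 (1) or SHA1 (2).
has_weak_digest() {
    for id in $(cat); do
        case "$id" in 1|2) return 0 ;; esac
    done
    return 1
}

digest_name() {
    case "$1" in
        1) echo MD5 ;;  2) echo SHA1 ;;  8) echo SHA256 ;;  9) echo SHA384 ;;
        10) echo SHA512 ;;  11) echo SHA224 ;;  *) echo "unknown($1)" ;;
    esac
}

# --- publisher-side steps (need the private key; only run when args are given) ---

# setpref without the interactive menu: --command-fd 0 makes gpg read the menu
# answers from stdin; "y" answers "Really update the preferences?".  The
# passphrase is still requested through gpg-agent/pinentry.
strip_sha1_from_key() {     # $1 = key fingerprint
    gpg --command-fd 0 --status-fd 2 --edit-key "$1" <<EOF
setpref $NEW_PREFS
y
save
EOF
}

# Export the updated public key, re-sign Release, put the key file in the repo.
republish() {               # $1 = key fingerprint, $2 = repository root
    gpg --armor --export "$1" > "$2/repo-signing-key.asc"
    ( cd "$2/dists/stable" &&
      gpg --yes --local-user "$1" --digest-algo SHA512 --clearsign -o InRelease Release &&
      gpg --yes --local-user "$1" --digest-algo SHA512 --detach-sign --armor -o Release.gpg Release )
}

# Name of the digest used on a published InRelease (must not be SHA1).
inrelease_digest() {        # $1 = path to InRelease
    digest_name "$(gpg --list-packets "$1" | signature_digest)"
}

# Constructed samples in list-packets format: a SHA1 signature from a key that
# still lists SHA1 (id 2) in its preferences, and the repaired state.
SAMPLE_BEFORE=':signature packet: algo 1, keyid E1E3A497555CE68F
	version 4, created 1497000000, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 3a 4f
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
	hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)'
SAMPLE_AFTER=':signature packet: algo 1, keyid E1E3A497555CE68F
	version 4, created 1497100000, md5len 0, sigclass 0x13
	digest algo 10, begin of digest 7c 1e
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
	hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)'

# "before"/"after" -> "weak" or "ok", judged on both the stated preferences
# and the digest of the signature itself.
judge_sample() {
    case "$1" in before) s=$SAMPLE_BEFORE ;; *) s=$SAMPLE_AFTER ;; esac
    if printf '%s\n' "$s" | pref_hash_algos | has_weak_digest ||
       printf '%s\n' "$s" | signature_digest | has_weak_digest; then
        echo weak
    else
        echo ok
    fi
}

if [ $# -gt 0 ]; then        # e.g. ./fix-prefs.sh <fingerprint> /srv/debian-repo
    strip_sha1_from_key "$1" && republish "$1" "$2" &&
        inrelease_digest "$2/dists/stable/InRelease"
else
    echo "before: $(judge_sample before)   after: $(judge_sample after)"
fi
```

Run it with no arguments to see the two samples judged; with a fingerprint and repository root it performs the edit, export and re-sign and then prints the digest name found on the new InRelease. The same `gpg --list-packets InRelease | grep 'digest algo'` check is what a user can run on the client side to confirm that a repository's signature is no longer SHA1.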
