
Use strong digest for Debian packages #43

Open

007 opened this issue Oct 3, 2016 · 3 comments

Comments

007 commented Oct 3, 2016

When running apt update on Ubuntu 16.04 a warning message is displayed:

W: http://apt.gemnasium.com/dists/stable/Release.gpg: Signature by key 0D6C9B7583A02B8642898D3AE5CEAB0AC5F1CA2A uses weak digest algorithm (SHA1)

user@user-laptop:~$ cat /etc/apt/sources.list.d/gemnasium.list
deb http://apt.gemnasium.com stable main
user@user-laptop:~$ sudo apt update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable Release
Hit:4 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:6 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:7 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign:8 http://apt.gemnasium.com stable InRelease
Hit:9 http://apt.gemnasium.com stable Release
Hit:11 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: http://apt.gemnasium.com/dists/stable/Release.gpg: Signature by key 0D6C9B7583A02B8642898D3AE5CEAB0AC5F1CA2A uses weak digest algorithm (SHA1)

http://askubuntu.com/a/764981 has more details, with a link to the Debian wiki on the subject noting that they will be changing that to an error starting in January 2017.

To fix the problem, from the wiki:

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.

I would attempt a PR, but I'm not familiar with Go's package builder, and from e3bb01a it's not entirely clear where the build scripts / dependencies are coming from - possibly dh or possibly outside the repo entirely?
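The wiki advice quoted in the comment above is about the hash algorithm recorded inside the OpenPGP signature packet of Release.gpg, so a practitioner will want to read that field directly, both to confirm the problem and to confirm the repository owner's fix once the file is re-signed. The following is an added example written for this page, not code from the gemnasium project or from anyone in the thread. It strips the ASCII armor, parses the v4 signature packet and its subpackets (RFC 4880), and reports the digest algorithm, the public-key algorithm (flagging DSA, which the wiki says must be migrated to RSA first) and the issuer fingerprint. The fixture builder and the sample packets it produces are constructed here for illustration only: the MPI is a dummy, so they are not valid signatures, although their headers and subpackets are well-formed. The fingerprint used in the fixture is the one from the apt warning above.

```python
"""Report the digest algorithm and issuer key of a detached OpenPGP signature such as Release.gpg."""
import base64
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def dearmor(text):
    """Strip ASCII armor (RFC 4880 section 6.2) from a Release.gpg; the CRC24 line is skipped, not checked."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    b64, in_headers = [], True
    for line in lines:
        if in_headers:  # armor headers such as "Version: ..." end at the first blank line
            if line.strip() == "":
                in_headers = False
            continue
        if line.startswith("-----END") or line.startswith("="):  # "=" starts the CRC24 line
            break
        b64.append(line.strip())
    return base64.b64decode("".join(b64))


def _packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet at pos (RFC 4880 section 4.2)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header, one- or two-octet body length
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        raise ValueError("five-octet and partial body lengths are not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header; gpg emits 0x88/0x89 for signatures
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    raise ValueError("four-octet and indeterminate body lengths are not supported")


def _subpackets(area):
    """Yield (type, body) for each signature subpacket in area (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # mask the critical bit off the type
        pos += length


def inspect_signature(sig):
    """Parse the first v4 signature packet in sig and report issuer key, algorithms and a verdict."""
    tag, start, length = _packet_header(sig, 0)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature packet" % tag)
    body = sig[start:start + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled, got v%d" % body[0])
    pubkey = PUBKEY_ALGOS.get(body[2], "unknown(%d)" % body[2])
    digest = HASH_ALGOS.get(body[3], "unknown(%d)" % body[3])
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
    key = None
    for sp_type, sp_body in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if sp_type == 33 and sp_body[0] == 4:  # issuer fingerprint subpacket: full 20-byte v4 fingerprint
            key = sp_body[1:].hex().upper()
            break
        if sp_type == 16 and key is None:  # issuer subpacket: 8-byte key ID (low 64 bits of the fingerprint)
            key = sp_body.hex().upper()
    return {"key": key, "pubkey": pubkey, "digest": digest,
            "weak_digest": digest in WEAK_DIGESTS,
            "dsa_key": pubkey == "DSA"}  # per the wiki text above, DSA keys must move to RSA first


def build_sample_signature(hash_algo, pubkey_algo, fingerprint_hex, armored=False):
    """Constructed test fixture: a well-formed v4 signature packet with a dummy MPI, not a real signature."""
    fpr = bytes.fromhex(fingerprint_hex)
    hashed = bytes([2 + len(fpr), 33, 4]) + fpr  # one subpacket: length, type 33, key version 4, fingerprint
    body = bytes([4, 0x00, pubkey_algo, hash_algo])  # version, signature type 0x00 (binary), algorithm IDs
    body += struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", 0)  # hashed area, empty unhashed area
    body += b"\x12\x34" + bytes([0x00, 0x08, 0xAB])  # left 16 bits of the hash, then an 8-bit dummy MPI
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body  # old-format header: tag 2, two-octet length
    if not armored:
        return packet
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed fixture\n\n%s\n=XXXX\n"
            "-----END PGP SIGNATURE-----\n" % base64.b64encode(packet).decode())  # fake CRC24 line
```

Against a real repository the equivalent one-liner is `gpg --list-packets Release.gpg`, whose `digest algo` field carries the same ID this parser reads (2 is SHA1, 8 is SHA256, 10 is SHA512). The repository owner clears the warning by re-signing with the option the wiki passage names, for example `gpg --digest-algo SHA256 --armor --detach-sign --output Release.gpg Release`; the transcript above also shows apt first trying and ignoring an InRelease file, which is the clear-signed form produced by `gpg --digest-algo SHA256 --clearsign --output InRelease Release`.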

YtvwlD commented Oct 7, 2017

I'm getting the following when running apt update on Ubuntu 17.04:

W: GPG error: https://apt.gemnasium.com stable Release: The following signatures were invalid: 0D6C9B7583A02B8642898D3AE5CEAB0AC5F1CA2A
E: The repository 'https://apt.gemnasium.com stable Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

If I download Release and Release.gpg and validate them manually, it's fine.

I think this may be caused by the old digest algorithm.

gravis (Member) commented Oct 7, 2017

Hi, sorry for that, we will fix this in the coming week.
Thanks

groulot (Contributor) commented Oct 9, 2017

Hello,

we updated our APT repository to use a more secure SHA. It should work now. (tested on Ubuntu 16.04, 17.04 and 17.10)

Regards
