#1551 Issue closed: Debian 9 sha1 digest untrusted for apt
Labels: enhancement, fixed / solved / done
tes-staiger opened issue at 2017-10-27 06:57:
On debian stretch installation fails with
W: GPG error: http://download.opensuse.org/repositories/Archiving:/Backup:/Rear/Debian_9.0 Release: The following signatures were invalid: F532523ADE4BBF1CBFF6523F6B7485DB725A0C43
This is because repositories may not be signed with the sha1 algorithm (too weak).
The packages need to be signed with sha256 or sha512.
For this also a new key is needed as dsa is not supported any more.
For details see:
https://wiki.debian.org/Teams/Apt/Sha1Removal
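To check which digest and key algorithm a repository's Release.gpg or InRelease signature actually uses, the OpenPGP signature packet can be read directly. This is an added example, not part of the original issue or of the ReaR project; the function names and the two sample packets are constructed for illustration, and the algorithm numbers are those of RFC 4880.

```python
import base64

# Algorithm IDs from RFC 4880 section 9.
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK = {"SHA1", "DSA"}  # the digest and key type the issue says apt rejects

def dearmor(data):
    """Return binary OpenPGP data from Release.gpg / InRelease content."""
    start = data.find(b"-----BEGIN PGP SIGNATURE-----")
    if start < 0:
        return data  # already binary
    lines = [line.strip() for line in data[start:].splitlines()]
    body = lines[1:lines.index(b"-----END PGP SIGNATURE-----")]
    if b"" in body:  # armor headers end at the first blank line
        body = body[body.index(b"") + 1:]
    # Lines starting with "=" carry the armor CRC, not signature data.
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def signatures(blob):
    """Yield (key_algo, hash_algo) for every signature packet (tag 2)."""
    i = 0
    while i < len(blob):
        hdr, i = blob[i], i + 1
        if hdr & 0x40:  # new-format packet header
            tag, first, i = hdr & 0x3F, blob[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + blob[i] + 192, i + 1
            else:
                raise ValueError("length encoding not handled in this example")
        else:  # old-format packet header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length is not handled")
            n, i = int.from_bytes(blob[i:i + width], "big"), i + width
        body, i = blob[i:i + n], i + n
        if tag == 2:
            off = 15 if body[0] == 3 else 2  # v3 puts time and key ID first
            yield PUBKEY.get(body[off], body[off]), HASH.get(body[off + 1], body[off + 1])

def audit(data):
    """Return the algorithms in use that the issue says apt rejects."""
    used = {algo for pair in signatures(dearmor(data)) for algo in pair}
    return sorted(used & WEAK)

# Constructed packets (header plus first body bytes, no real signature data).
SAMPLE_DSA_SHA1 = bytes([0x88, 10, 4, 0, 17, 2, 0, 0, 0, 0, 0, 0])
SAMPLE_RSA_SHA256 = bytes([0xC2, 10, 4, 0, 1, 8, 0, 0, 0, 0, 0, 0])
```

Calling `audit()` on the bytes of a downloaded Release.gpg returns an empty list when neither SHA1 nor DSA is in use.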
jsmeix commented at 2017-10-27 08:18:
I am neither a Debian user nor a Debian packager
so that I know nothing about Debian specific things
in particular nothing at all about possibly Debian
specific signing or Debian specific keys.
Perhaps
https://github.com/rear/rear/issues/1255#issuecomment-299871881
is somehow related?
gdha commented at 2017-10-27 12:37:
@jsmeix I think that is an OBS issue as to my knowledge all packages built on OBS suffer from this. However, no clue how we can fix this?
jsmeix commented at 2017-10-27 12:51:
@gdha
see
https://github.com/rear/rear/issues/1255#issuecomment-299871881
why I don't think it is about an OBS key so that I think
it is not an issue in OBS but something Debian specific
because we only get such issue reports about
the packages for Debian.
gdha commented at 2017-10-27 13:46:
@jsmeix You are right it is not OBS's fault, but ours. In #1255 I added the evidence of key-signing. Perhaps, it will work better now?
gdha commented at 2017-11-17 13:53:
@jsmeix Indeed my problems have been fixed now:
wget -q -O - download.opensuse.org/repositories/Archiving:/Backup:/Rear:/Snapshot/xUbuntu_16.04/Release.key | apt-key add -
# OK
[Export of Github issue for rear/rear.]