message "The repository is insufficiently signed by key (weak digest)" is poorly worded

Bug #1558331 reported by Michael Marley on 2016-03-17
914
This bug affects 199 people
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
High
Unassigned

Bug Description

The title pretty much says it all.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Gérard Bigot (gerard-bigot) wrote :

google chrome repositories is one of the other.

It looks like SHA1 signing keys has been deprecated : https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/

Please at least add SHA2 in PPAs.

dino99 (9d9) wrote :

Explanations about the 1.2.7 changelog:

https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/

Indeed that message is now uselessly worrying users. Please silence that "104 warning message"; it will only scared the community.

tags: added: xenial
Michael Marley (mamarley) wrote :

Hmm, it looks like the combination of the warnings and errors may be especially confusing. I have several PPAs and the Google Chrome repository on my system. The PPAs have the packages themselves signed with SHA256, but the GPG key is only SHA1. These repositories should work, but display an error message after an "aptitude update". The packages in the Chrome repository are signed only with SHA1, so those won't work at all, producing an error message. However, Synaptic displays all the warnings and errors together and says that it is an Error, which tricked me into thinking that none of the repositories would work.

Obviously, the PPAs need to be updated to use a stronger key. I can't see any way to do this manually though.

dino99 (9d9) wrote :

@ Michael

i've not tried your ppas, but canonical-x one, and the upgraded packages can be loaded as expected, even if the error is shown (as explained into #3 link).

On your side, to upgrade your ppas, i suppose you need to: 1) purge the actual key(s), 2) build new one(s) with sha2 to please the new apt.

dino99 (9d9) wrote :

@Michael

i've activated your 'staging' ppa , and i confirm the pachage (plasma) is not loaded as it should (synaptic used)

Michael Marley (mamarley) wrote :

I know that the PPAs need new keys, but it is not obvious how to do that. After extensive searching, I still cannot figure out how to do that.

Colin Watson (cjwatson) wrote :

No, the PPAs don't need new keys - we just need to upgrade the digest algorithm used for signing. See the bug of which I've just marked this as a duplicate.

Colin Watson (cjwatson) wrote :

Actually, I guess this may not be a duplicate because there may be other third-party repositories that need to do similar things (signing with --digest-algo SHA512 or the equivalent). But see bug 1556666 for the PPA case.

Trent Lloyd (lathiat) wrote :

I have 6 external repos configured, and all 6 fire the warning.

If nothing else, the warning really needs to be re-worded. "insufficiently signed" and then (weak digest) at the end is not very straight forward.

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_js-reynaud_kicad-4_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 5F1E4C625E24069D9072394F83FBAD2D910F124E (weak digest)

deb http://downloads.hipchat.com/linux/apt stable main
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
deb http://ppa.launchpad.net/js-reynaud/kicad-4/ubuntu xenial main
deb http://ppa.launchpad.net/nilarimogard/webupd8/ubuntu wily main
deb http://repo.steampowered.com/steam/ precise steam
deb http://ppa.launchpad.net/webcamstudio/webcamstudio-dailybuilds/ubuntu xenial main

I'm having the same issue with the google talk plugin, remmina, shutter, and variety:

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_peterlevi_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 876E675CB1AABA3494F27BA6C45A53C1A546BE4F (weak digest)
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB82976DCA040830F7FAC5991 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_remmina-ppa-team_remmina-next_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 04E38CE134B269B9F38F82EE8A993C2521C5F0BA (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_shutter_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 5017D4931D0ACADE295B68ADFC6D8D9D009ED615 (weak digest)
W: Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.

Can someone please set this bug to the highest reasonable importance?

summary: - After upgrading to apt 1.2.7 in Xenial, PPAs and most other third-party
- repositories become unusable with "The repository is insufficiently
- signed by key (weak digest)"
+ message "The repository is insufficiently signed by key (weak digest)"
+ is poorly worded
Changed in apt (Ubuntu):
importance: Undecided → High
Rich Bos (rb-i) wrote :

Confirming the bug here, I have the following on my server -

W: gpgv:/var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_vivid_InRelease: The repository is insufficiently signed by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_jpsutton_cockpit_ubuntu_dists_vivid_InRelease: The repository is insufficiently signed by key 7B6B809DC0F2DEF09DE284E6BB3BA55A3E4F2C0C (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_java_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
W: gpgv:/var/lib/apt/lists/webmin.mirror.somersettechsolutions.co.uk_repository_dists_sarge_Release.gpg: The repository is insufficiently signed by key 1719003ACE3E5A41E2DE70DFD97A3AE911F63C51 (weak digest)
W: gpgv:/var/lib/apt/lists/pkg.jenkins-ci.org_debian_binary_Release.gpg: The repository is insufficiently signed by key 150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6 (weak digest)
W: gpgv:/var/lib/apt/lists/download.webmin.com_download_repository_dists_sarge_Release.gpg: The repository is insufficiently signed by key 1719003ACE3E5A41E2DE70DFD97A3AE911F63C51 (weak digest)

heiko (heikosch) wrote :

Confirming the bug here, I have the following on my machine:
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_git-core_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key E1DD270288B4E6030699E45FA1715D88E1DF1F24 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_gnome3-team_gnome3_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 9D542E3D52C801D9F8E31682F1773AF13B1510FD (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_noobslab_themes_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_numix_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 43E076121739DEE5FB96BBED52B709720F164EEB (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_earth_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_otto-kesselgulasch_gimp-edge_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key FB97E9C3A97F85C095AEA7903BDAAC08614C4B38 (weak digest)

Julian Andres Klode (juliank) wrote :

For further information on the topic, take a look at the upstream wiki page tracking broken repositories and explaining the two levels of brokenness:

https://wiki.debian.org/Teams/Apt/Sha1Removal

Feel free to add other repositories there.

@heiko: The PPAs are pending, but WRT Google Earth: There was no new release in the repository since Thu, 19 May 2011 16:50:30 +0000 (6.0.3.2197-r0 is the most recent in there) - it might be a good idea to delete the source.

Ironically, I tried to install some debug symbols today and also got these messages:

W: gpgv:/var/lib/apt/lists/partial/ddebs.ubuntu.com_dists_xenial_Release.gpg: The repository is insufficiently signed by key 2512191FEF8729D6E5AF414DECDCAD72428D7C01 (weak digest)

Cavsfan (cavsfan) wrote :

I can confirm that I've been seeing this the past couple of days too:
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_noobslab_themes_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_teejee2008_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 1B32B87ABAEE357218F6B48CB5B116B72D0F61F0 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_java_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
W: gpgv:/var/lib/apt/lists/deb.opera.com_opera-stable_dists_stable_InRelease: The repository is insufficiently signed by key 419D0ACF314E8E993F7F92E563F7D4AFF6D61D45 (weak digest)

I do know that these are just warnings, but will confuse some people.

Changed in apt (Ubuntu):
assignee: nobody → trebor271074 (trebor271074)
dino99 (9d9) on 2016-03-21
Changed in apt (Ubuntu):
assignee: trebor271074 (trebor271074) → nobody
Springbank (springbank) wrote :

Same bug here:
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_gnumdk_lollypop_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 8FAD14A04A8E87F23FB5653BDBA501177AA84500 (weak digest)
W: gpgv:/var/lib/apt/lists/repository.spotify.com_dists_stable_InRelease: The repository is insufficiently signed by key BBEBDCB318AD50EC6865090613B00F1FD2C19886 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_linrunner_tlp_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 2042F03C5FABD0BA2CED40412B3F92F902D65EFF (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_mc3man_mpv-tests_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 8E51A6D660CD88D67D65221D90BD7EACED8E640A (weak digest)

BlackMage (blackmage) wrote :

Same here:
W: gpgv:/var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_wily_InRelease: The repository is insufficiently signed by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_cdemu_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key AFDF4CC6A4F32AA9395FAE8F423A2125D782A00F (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_ehoover_compholio_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 99ED08A0FCA332C7BD045B6A497A0F381F691896 (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_mamarley_quassel-git_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key A0D47AB4E99FF9F9C0EA949A26F4EF8440618B66 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_mozillateam_thunderbird-next_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 0AB215679C571D1C8325275B9BDB3D89CE49EC21 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_xorg-edgers_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 165D673674A995B3E64BF0CF4F191A5A8844C542 (weak digest)

Achim Behrens (k1l) wrote :

I dont think this is a bug. The wording says what the issue is. The Key used is only sha1 which is considered too weak. The ones using that old Keys should fix their repos and make proper signing.

Jose Barakat (josebarakat) wrote :
Download full text (3.2 KiB)

Many repositories are affected:

As already reported, Google's repos and:

AppGrid
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_appgrid_stable_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key F9A8B020F741A5B52B888A88241FE6973B765FAE (weak digest)

Intel Graphics
W: gpgv:/var/lib/apt/lists/download.01.org_gfx_ubuntu_15.10_main_dists_wily_InRelease: The repository is insufficiently signed by key 6C82391DC41365FB56EC3CE4A496EB03894A3A8D (weak digest)

Dolphin Emulator
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_dolphin-emu_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key FF0A61D519AE6B0E59B3E6B6FDBD34A8869BF237 (weak digest)

PCSX2 Emulator
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_gregory-hainaut_pcsx2.official.ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key A36D8D60D79F0F65D2B81421508A982D7A617FF4 (weak digest)

Libretro Retroarch
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_libretro_stable_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 3B2BA0B6750986899B189AFF18DAAE7FECA3745F (weak digest)

Clementine (Media Player)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_me-davidsansome_clementine-dev_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7A467ADCBEE1FFC8CD8B784B4F172854044A3B98 (weak digest)

WebUpd8
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_nilarimogard_webupd8_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 1DB29AFFF6C70907B57AA31F531EE72F4C9D234C (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_java_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_y-ppa-manager_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)

Variety
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_peterlevi_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 876E675CB1AABA3497F27BA6C45A53C1A546BE4F (weak digest)

PPSSPP Emulator
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_ppsspp_testing_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7E29D1156F92A53C89195AC6DB9510F6ED0F784C (weak digest)

KODI / XBMC
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_team-xbmc_unstable_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 189701DA570C56B9488EF60A6D975C4791E7EE5E (weak digest)

Tony George PPA
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_teejee2008_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 1B32B87ABAEE357218F6B48CB5B116B72D0F61F0 (weak digest)

Freshlight
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_colingille_freshlight_ubuntu_dists_vivid_Release.gpg: The repository is insufficiently signed by key 3764AB961B292804CD3474FAEAE2E8E7CB7F5C71 (weak digest)

gstreamer0.10-ffmpeg
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_mc3man_gstffmpeg-keep_ubuntu_dists_vivid_Release.gpg: The repository is insufficiently signed by key 8E51A6D...

Read more...

psamuel (persaudsamuel) wrote :

Estoy presentando el mismo inconveniente con estas ppa
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_atareao_telegram_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key A3D8A366869FE2DC5FFD79C36A9653F936FD5529 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_libreoffice_libreoffice-prereleases_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 36E81C9267FD1383FCC4490983FBA1751378B444 (weak digest)
W: gpgv:/var/lib/apt/lists/download.ebz.epson.net_dsc_op_stable_debian_dists_lsb3.2_Release.gpg: The repository is insufficiently signed by key E5220FB7014D0FBDA50DFC2BE5E86C008AA65D56 (weak digest)
W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_phalcon_stable_ubuntu_dists_wily_InRelease: The repository is insufficiently signed by key 098DD12808F67757EC9CA5B72A763BCD1E569794 (weak digest)
W: gpgv:/var/lib/apt/lists/partial/ppa.launchpad.net_webupd8team_sublime-text-3_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
W: gpgv:/var/lib/apt/lists/partial/ppa.launchpad.net_webupd8team_y-ppa-manager_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
W: gpgv:/var/lib/apt/lists/partial/ppa.launchpad.net_webupd8team_tor-browser_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)

otto06217 (otto-kesselgulasch) wrote :

Hi,

I'm just uploaded new gegl and gimp packages. to my PPA - ppa:otto-kesselgulasch/gimp-edge new gegl and gimp packages.
After building I don't had no trouble anymore with apt-get update and apt-get upgrade.

I added

"personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"

to my gpg.conf before debuild -S -sd

I hope this helps.

Colin Watson (cjwatson) wrote :

Yes, see my most recent comment in bug 1556666 for the current state of things with regard to ppa.launchpad.net.

All PPAs I have, on the site launchpad says are compatible with Ubuntu 16.04

W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_libreoffice_libreoffice-5-1_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 36E81C9267FD1383FCC4490983FBA1751378B444 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_maarten-baert_simplescreenrecorder_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4DEDB3E05F043CA185176AC0409C8B51283EC8CD (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_otto-kesselgulasch_gimp_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key FB97E9C3A97F85C095AEA7903BDAAC08614C4B38 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_sunab_kdenlive-release_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 6976C1CEB06586061C2C0472B5115B98AA836CA8 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_atom_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_java_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)

Only Megasync I downloaded the deb

W: gpgv:/var/lib/apt/lists/mega.nz_linux_MEGAsync_xUbuntu%5f15.04_._Release.gpg: The repository is insufficiently signed by key BF8B66E01192CBA2E72201294B4E7A9523ACD201 (weak digest)

Re-add the PPAs.

On Wed, Mar 23, 2016 at 9:15 PM, Flávio Oliveira
<email address hidden> wrote:
> All PPAs I have, on the site launchpad says are compatible with Ubuntu
> 16.04
>
> W:
> gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg:
> The repository is insufficiently signed by key
> 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
>
> W:
> gpgv:/var/lib/apt/lists/ppa.launchpad.net_libreoffice_libreoffice-5-1_ubuntu_dists_xenial_InRelease:
> The repository is insufficiently signed by key
> 36E81C9267FD1383FCC4490983FBA1751378B444 (weak digest)
>
> W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_maarten-
> baert_simplescreenrecorder_ubuntu_dists_xenial_InRelease: The
> repository
> is insufficiently signed by key
> 4DEDB3E05F043CA185176AC0409C8B51283EC8CD
> (weak digest)
>
> W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_otto-
> kesselgulasch_gimp_ubuntu_dists_xenial_InRelease: The repository is
> insufficiently signed by key FB97E9C3A97F85C095AEA7903BDAAC08614C4B38
> (weak digest)
>
> W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_sunab_kdenlive-
> release_ubuntu_dists_xenial_InRelease: The repository is
> insufficiently
> signed by key 6976C1CEB06586061C2C0472B5115B98AA836CA8 (weak digest)
>
> W:
> gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_atom_ubuntu_dists_xenial_InRelease:
> The repository is insufficiently signed by key
> 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
>
> W:
> gpgv:/var/lib/apt/lists/ppa.launchpad.net_webupd8team_java_ubuntu_dists_xenial_InRelease:
> The repository is insufficiently signed by key
> 7B2C3B0889BF5709A105D03AC2518248EEA14886 (weak digest)
>
>
> Only Megasync I downloaded the deb
>
> W:
> gpgv:/var/lib/apt/lists/mega.nz_linux_MEGAsync_xUbuntu%5f15.04_._Release.gpg:
> The repository is insufficiently signed by key
> BF8B66E01192CBA2E72201294B4E7A9523ACD201 (weak digest)
>
> --
> You received this bug notification because you are subscribed to the
> bug
> report.
> https://bugs.launchpad.net/bugs/1558331
>
> Title:
> message "The repository is insufficiently signed by key (weak
> digest)" is poorly worded
>
> Status in apt package in Ubuntu:
> Confirmed
>
> Bug description:
> The title pretty much says it all.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1558331/+subscriptions

Søren Holm (sgh) wrote :

I tried that already with no luck.

Shuhao (shuhao) wrote :

If I have my own ppa, do I need to do anything? It's not 100% clear in this thread.

Colin Watson (cjwatson) wrote :

You do not need to do anything if you have your own PPA. Furthermore, people do not need to keep reporting individual PPAs that are signed with weak digests. We'll fix them in bulk, hopefully quite soon (still working on the last bits of code for that).

Julian Andres Klode (juliank) wrote :

After a lot of further input, the text was changed in APT 1.2.8 to read:

W: http://example.com/InRelease: Signature by key 0123456789ABCDEF0123456789ABCDEF01234567 uses weak digest algorithm (SHA1)

The other message:

W: Failed to fetch http://example.com/InRelease No Hash entry in Release file /var/lib/apt/lists/partial/example.com_InRelease, which is considered strong enough for security purposes

now has an E in front of it:

E: Failed to fetch http://example.com/InRelease No Hash entry in Release file /var/lib/apt/lists/partial/example.com_InRelease, which is considered strong enough for security purposes

This should hopefully clarify things and be less annoying.

Colin Watson (cjwatson) wrote :

On Thu, Mar 24, 2016 at 09:16:22PM -0000, Julian Andres Klode wrote:
> E: Failed to fetch http://example.com/InRelease No Hash entry in Release
> file /var/lib/apt/lists/partial/example.com_InRelease, which is
> considered strong enough for security purposes

Could you please drop that comma while you're here? Unlike German, it
modifies the meaning in English in a way that doesn't make sense: it
implies that there is no Hash entry (should that be lower-case instead?)
at all, and that this situation is considered strong enough for security
purposes. That's obviously nonsensical, and removing the comma so that
the relative clause is restrictive rather than non-restrictive fixes the
grammar.

David Kalnischkies (donkult) wrote :

We had the intention (#818639) but forgot it then so only zh_CN was fixed in 1.2.8 … I commited the comma-drop now [I would like to claim that this comma makes perfect sense in German but even there it is a bit strange].

Đorđe (djole94hns) wrote :

Considering Debian doesn't allow new account creation on it's Wiki, I'll just post it here so someone else can add it to their list:

RAVEfinity PPA

gpgv:/var/lib/apt/lists/ppa.launchpad.net_ravefinity-project_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key AB3C11871E5ADDD637F8BAA89B0BBF00E2D0EBE9 (weak digest)

Mark Duncan (eattheapple) wrote :

Cannot install Hipchat either

W: Failed to fetch https://atlassian.artifactoryonline.com/atlassian/hipchat-apt-client/dists/xenial/Release No Hash entry in Release file /var/lib/apt/lists/partial/atlassian.artifactoryonline.com_atlassian_hipchat-apt-client_dists_xenial_Release, which is considered strong enough for security purposes

Mark Duncan (eattheapple) wrote :

Is there a way to force my system to accept these keys anyway? I'd much prefer to be warned that this is using a less secure hash rather than being blocked from accessing these repos.

Mathieu Comandon (strycore) wrote :

IMO, this verification and error message needs to be removed from Xenial before it ships in April.
Right now, all major external repositories have not made the switch from SHA1, not even PPAs hosted by Canonical itself.

The graphical updater shows a cryptic and unhelpful error message (Check your Internet connection.) because of this and I cannot imagine the amount of confusion that will ensue following Xenial's release if this is not reverted. I've seen *very frequently* people come at LUGs totally confused and thinking their Ubuntu install is broken because of very similar issues.

I personally have an external repository hosted on openSUSE Build Service which is unusable right now on Xenial because of this. I had to find out about the upgrade from SHA1 to SHA2 as a regular user and not as a repository maintainer, and even if I wanted to do something about it, I can't because it's openSUSE's responsibility to do it. The exact same thing is true for everyone using PPAs on Launchpad.

A bunch of warnings should not result in an error (E: Some index files failed to download. They have been ignored, or old ones used instead.) and it should totally NOT tell non technical users to "Check their Internet connection"!
SHA1 was OK for a good number of years amd all of a sudden, it becomes so insecure that it should break user's installs? While it is perfectly valid to switch to the superior, more secure SHA2, this migration should NOT be done in such a brutal way, at the expense of normal users and without any kind of notification to external package maintainers.

If SHA1 isn't accepted alongside SHA2 without any repercussions for normal users for at least the next couple years, the result *will be disastrous*.

Mathieu Comandon (strycore) wrote :

Turns out that the issue is not as bad as I thought it was. The error message was due to a single repo and not all the repos showing warnings. Removing it got rid of the error message in both the terminal and the GUI updater. The affected repo was the Google Talk Plugin:

W: Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purpose

Since these kind of repos will produce an error, wouldn't it be appropriate to raise the severity from Warning to Error?

Paul Loughman (snowhog) wrote :

I did a Google search on " " and found this old (2009) article from Debian concerning the algorithm used for signing the package digest: https://www.debian-administration.org/users/dkg/weblog/48

Is it applicable to this issue?

Paul Loughman (snowhog) wrote :

Oops! forgot to include what I Googled on: "The repository is insufficiently signed"

Jen Wilson (jen-m) wrote :

This should have been a warning for one release before making it a blocking issue. I know Ubuntu hates Google and doesn't want us to install Chrome, but many of us need it. Telling us what we are allowed or not allowed to install is something Microsoft would do. These are our computers. Please allow us to install software that we need.

Nand0 (ferdinandpc) wrote :

The same problem:
 http://download.virtualbox.org/virtualbox/debian/dists/wily/InRelease: Signature by key W: http://download.virtualbox.org/virtualbox/debian/dists/wily/InRelease: Signature by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/atareao/atareao/ubuntu/dists/xenial/InRelease: Signature by key A3D8A366869FE2DC5FFD79C36A9653F936FD5529 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/indicator-multiload/stable-daily/ubuntu/dists/xenial/InRelease: Signature by key 29A2D308818C59EB8AC53826D834D91FA49CCDDB uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/libreoffice/ppa/ubuntu/dists/xenial/InRelease: Signature by key 36E81C9267FD1383FCC4490983FBA1751378B444 uses weak digest algorithm (SHA1)
W: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_15.10/Release.gpg: Signature by key F9EA4996747310AE79474F44977C43A8BA684223 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/videolan/stable-daily/ubuntu/dists/xenial/InRelease: Signature by key 3361E59FF5029E6B90A9A80D09589874801DF724 uses weak digest algorithm (SHA1)

Colin Watson (cjwatson) wrote :

On Sat, Mar 26, 2016 at 09:54:16PM -0000, Jen Wilson wrote:
> This should have been a warning for one release before making it a
> blocking issue. I know Ubuntu hates Google and doesn't want us to
> install Chrome, but many of us need it.

This doesn't block installing Chrome - it's just a warning.

Julian Andres Klode (juliank) wrote :

Since APT 1.2.8, the message has been changed, and the "Hash Entry" error message is now "E" instead of "W", so we can close that now.

1.2.9 in proposed also removes the misleading comma in the hash entry message.

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
no longer affects: apt
Julian Andres Klode (juliank) wrote :

Also removed the affects apt thing, as there is no bug in the Debian BTS, and APT does not use Launchpad to track bugs.

Julian Andres Klode (juliank) wrote :

Just for the record, with the Google Chrome and Talk repos it looks like this now:

W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'
W: http://dl.google.com/linux/talkplugin/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
E: Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_talkplugin_deb_dists_stable_Release which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.

Oded Arbel (oded-geek) wrote :

@juliank:

This is still a problem, at least with some repos:
1. `apt-get update` returns a non-zero exit code and so automated scripts that do `apt-get update && apt-get install ...` will fail to install the required packages.
2. Even if we ignore the error, the index files are not being accepted and packages described in the index cannot be installed.

Here is an example of a trying to install the CUDA driver inside an Ubuntu 16.04 docker container:

Step 4 : RUN dpkg -i cuda-repo-ubuntu1504_7.5-18_amd64.deb && apt-get update ; apt-get install -y --no-install-recommends cuda
 ---> Running in 3034cbd1c6e2
Selecting previously unselected package cuda-repo-ubuntu1504.
(Reading database ... 10067 files and directories currently installed.)
Preparing to unpack cuda-repo-ubuntu1504_7.5-18_amd64.deb ...
Unpacking cuda-repo-ubuntu1504 (7.5-18) ...
Setting up cuda-repo-ubuntu1504 (7.5-18) ...
OK
Get:1 http://archive.ubuntu.com/ubuntu xenial InRelease [116 kB]
Hit:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://archive.ubuntu.com/ubuntu xenial-security InRelease
Ign:4 http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64 InRelease
Get:5 http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64 Release [186 B]
Get:6 http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64 Release.gpg [181 B]
Fetched 116 kB in 1s (82.1 kB/s)
Reading package lists...
W: http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64/Release.gpg: Signature by key 889BEE522DA690103C4B085ED88C3D385C37D3BE uses weak digest algorithm (SHA1)
E: Failed to fetch http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64/Release No Hash entry in Release file /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1504_x86%5f64_Release, which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package cuda

As you can see the package is not being installed.

Julian Andres Klode (juliank) wrote :

Which means that everything is working intended now.

Don't even complain about Nvidia, that was broken with 1.1 as well, it only has MD5 checksums.

W: http://ppa.launchpad.net/diesch/testing/ubuntu/dists/vivid/InRelease: Signature by key E53B0E36210D2EDBFA94E8AB5AF549300FEB6DD9 uses weak digest algorithm (SHA1)
W: http://repository.spotify.com/dists/stable/InRelease: Signature by key BBEBDCB318AD50EC6865090613B00F1FD2C19886 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/libreoffice/libreoffice-5-1/ubuntu/dists/xenial/InRelease: Signature by key 36E81C9267FD1383FCC4490983FBA1751378B444 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/noobslab/icons2/ubuntu/dists/vivid/InRelease: Signature by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D uses weak digest algorithm (SHA1)
W: http://apt.insynchq.com/ubuntu/dists/xenial/InRelease: Signature by key 3B158123A580D31A9E86248106BBDC2602DFE7E7 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/peterlevi/ppa/ubuntu/dists/xenial/InRelease: Signature by key 876E675CB1AABA3497F27BA6C45A53C1A546BE4F uses weak digest algorithm (SHA1)
W: https://deb.opera.com/opera-beta/dists/stable/InRelease: Signature by key 419D0ACF314E8E993F7F92E563F7D4AFF6D61D45 uses weak digest algorithm (SHA1)
W: http://mega.nz/linux/MEGAsync/xUbuntu_15.04/./Release.gpg: Signature by key BF8B66E01192CBA2E72201294B4E7A9523ACD201 uses weak digest algorithm (SHA1)

Jen Wilson (jen-m) wrote :

> This doesn't block installing Chrome - it's just a warning.

Colin, it does block installing Chrome:

$ sudo apt-get update ; echo $?
...
E: Some index files failed to download. They have been ignored, or old ones used instead.
100

Jose Barakat (josebarakat) wrote :

This update just came up now for Xenial:

Cambios para las versiones de apt:
Versión instalada: 1.2.7
Versión disponible: 1.2.8

Versión 1.2.8:

  [ Michael Vogt ]
  * Get accurate progress reporting in apt update again

  [ Julian Andres Klode ]
  * Report non-transient errors as errors, not as warnings
  * methods/gpgv: Rewrite error handling and message.
    Thanks to Ron Lee for wording suggestions
  * Use descriptive URIs in 104 Warning messages
  * cachefile: Only set members that were initialized successfully
    (Closes: #818628)
  * Update symbols file

  [ David Kalnischkies ]
  * do not strip epochs from state version strings (Closes: 818162)
  * properly check for "all good sigs are weak" (Closes: 818910)
  * handle gpgv's weak-digests ERRSIG

  [ Zhou Mo ]
  * zh_CN.po: update simplified Chinese translation. (Closes: #818639)

  [ Takuma Yamada ]
  * Japanese manpage translation update (Closes: 818950)

So, let's see how it goes.

Julian Andres Klode (juliank) wrote :

@Jen: Just because some indexes failed to download does not mean that Chrome failed to download. Please actually *read* the error messages. Those saying "Failed to fetch" failed, the others did not.

Jen Wilson (jen-m) wrote :

Julian, installing Chrome is blocked. The line starts with an "E:" so it is an error! The message:

"No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release, which is considered strong enough for security purposes"

Is there a workaround? My users need Chrome and other third-party software that only has SSH1 keys.

Julian Andres Klode (juliank) wrote :

That makes no sense, Jen, the repository was fixed last week, see:

https://bugs.chromium.org/p/chromium/issues/detail?id=594414

$ curl -s http://dl.google.com/linux/chrome/deb/dists/stable/Release | egrep 'Date|SHA2'
Date: Thu, 24 Mar 2016 17:24:39 +0000
SHA256:

I know this because I use the freaking repository myself, was affected when I introduced the change, and opened the bug at chromium...

Jen Wilson (jen-m) wrote :

OK, so maybe one repository is fixed now. What about the rest that we need?

Is there a workaround for installing from a repo that doesn't use SHA256 yet?

Julian Andres Klode (juliank) wrote :

@Krzysztof Kowalewski (krzysztofkow92) (Half-)Broken repositories are tracked at

https://wiki.debian.org/Teams/Apt/Sha1Removal

Julian Andres Klode (juliank) wrote :

@Jen There is no workaround. The small number of affected repos should be fixed instead. Even of the reported 20 cases in https://wiki.debian.org/Teams/Apt/Sha1Removal, only 4/5 instances are broken, the other 16 only emit a warning. Out of the Google repositories, the only active ones are Chrome and (somewhat) MusicManager. Talk Plugin and Earth are *dead* (last update years ago). So that leaves you with Google Music Manager, Spider Oak One, and the severely broken Cuda. Cuda is a real clusterfuck, it uses a *very* weak hash algorithm (only MD5).

I fully expect all broken repositories to be fixed within a few months after xenial's release, if not before. All affected parties are informed about that.

And the others that are being warned about *will* break in 2017. There's no way back. There might be some further issues with uncooperative repository providers, but that's a good thing too: If they don't manage to upgrade their repository security until 2017, can you really trust them?

A workaround might come at a later time, as there are some special use cases that need that (archived repositories), but this needs some careful designing. It will not be part of xenial, and we must make very sure that it's as hard to use as possible and still breaks any normal use, as otherwise users will just override the errors and risk being attacked.

So be happy that the few things do not work now, this gives a better incentive for negligent repository owners to fix their broken repositories and prevents users from allowing themselves to be attacked.

Julian Andres Klode (juliank) wrote :

JFTR, I am looking at ways to drop the missing hash entry to a warning before the xenial release. But if I do this, this will be temporarily, and will become an error again starting in January. It will also not apply to the Nvidia repository, as MD5 is too weak to be trusted in any case.

But warnings are always dubious: Most tools do not even show them at all (almost all the graphical ones).

Julian Andres Klode (juliank) wrote :

But note that this is off-topic for this bug report. This bug report was about a message string which has been fixed since.

So, please for all our sanity, stop commenting here.

Eugene Crosser (crosser) wrote :

I've opened Bug #1562733 about failed updates due to "No Hash entry in Release file ... which is considered strong enough for security purposes"

Edd Juglans (ejgn) wrote :
Download full text (3.8 KiB)

<quote> This bug report was about a message string which has been fixed since. </quote>

Still not fixed..!

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_xorg-edgers_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 165D673674A995B3E64BF0CF4F191A5A8844C542 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_atareao_atareao_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key A3D8A366869FE2DC5FFD79C36A9653F936FD5529 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_vincent-c_conky_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key C2079EE53D4B33595B07BDA9FE1FFCE65CB95493 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_no1wantdthisname_ppa_ubuntu_dists_wily_InRelease: The repository is insufficiently signed by key 988070CDAB1DCFA39A63BBC566BA314CE985B27B (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_noobslab_icons_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_noobslab_icons2_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_noobslab_apps_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_noobslab_themes_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4FA44A478284A18C1BA4A9CAD530E028F59EAE4D (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_shutter-testing-team_ppa_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key F1CB0C583A40C33320C9979E8214A9C71C89E4E1 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_transmissionbt_ppa_ubuntu_dists_wily_InRelease: The repository is insufficiently signed by key A37DA909AE70535824D82620976B5901365C5CA1 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_rednotebook_daily_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key BF97028AB62C5AA319C27BF6CD3EA4E67AFEC43D (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_rvm_smplayer_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key E23A3C5344AE497C2FEE7B0BA7E13D78E4A4F4F4 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_mc3man_mpv-tests_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 8E51A6D660CD88D67D65221D90BD7EACED8E640A (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_jon-hedgerows_get-iplayer_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key F79D67D8EE8836721D1440E82CDAFB4702E04F78 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_font-manager_staging_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key AC6B0292DFB6091A96555511F738B17DF9E284B7 (weak digest)

W: gpgv:/var/lib/apt/lists/ppa.launchpad.net_midori_ppa_ubuntu_dists_wily_Release.gpg: The repository is insufficiently signed by key 67DED6A...

Read more...

Julian Andres Klode (juliank) wrote :

Stop spamming and update your APT (including libapt-pkg5.0 !!!) to 1.2.8 or 1.2.9.

Alex (normadize) wrote :

I did update my apt to 1.2.9 today and I'm still getting this warning ...

W: http://ppa.launchpad.net/nijel/phpmyadmin/ubuntu/dists/xenial/InRelease: Signature by key AD829E29A018BAF8C3842FB080E7349A06ED541C uses weak digest algorithm (SHA1)

Alex (normadize) wrote :

Apologies, I misread your message.

Edd Juglans (ejgn) wrote :

My system is fully updated, but still getting these errors.

Is there anyway that launchpad could please let the people responsible for these repos to 'get their ffing finger out'?

Colin Watson (cjwatson) wrote :

Edd, if you read up through this bug log you'll see a reference to bug 1556666, which has status on getting this sorted out for PPAs. Please, everyone, stop telling us about PPAs that are weakly signed; we know about it, we're working on it, and further comments are not going to make it happen any faster.

Colin Watson (cjwatson) wrote :

As per my most recent comment on bug 1556666, this is now fixed for all xenial Release files in PPAs. Pre-xenial Release files are less important numerically for this, but we know that some people have them enabled on xenial systems, so we'll be re-signing those too over the coming weeks.

William (williamforte) wrote :

I get this same error on Ubuntu 16.04 Desktop Beta 2 amd64 when I run `sudo apt-get update` in reference to one of the official Xenial repos.

Colin Law (colin-law) wrote :

@Williamforte which one? Copy/paste the relevant section here from the terminal.

Injigo (injigo) wrote :

I'm getting this error in a live session of Ubuntu 16.04 Desktop Beta 2 amd64 when I run "sudo apt-get update". This is a fresh boot running directly from an ISO booted from the hard drive. I've added no PPA's.

ubuntu@ubuntu:~$ sudo apt-get update
Ign:1 cdrom://Ubuntu 16.04 LTS _Xenial Xerus_ - Beta amd64 (20160323) xenial InRelease
Hit:2 cdrom://Ubuntu 16.04 LTS _Xenial Xerus_ - Beta amd64 (20160323) xenial Release
Hit:4 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:5 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:6 http://security.ubuntu.com/ubuntu xenial-security InRelease
Reading package lists... Done
W: gpgv:/var/lib/apt/lists/Ubuntu%2016.04%20LTS%20%5fXenial%20Xerus%5f%20-%20Beta%20amd64%20(20160323)_dists_xenial_Release.gpg: The repository is insufficiently signed by key C5986B4F1257FFA86632CBA746181433FBB75451 (weak digest)

Colin Watson (cjwatson) wrote :

Injigo, Beta 2 indeed had this problem, but it's already been fixed in more recent daily builds.

pavel bursa (bursap) wrote :

Ubuntu 16.04 LTS xenial beta amd64 (2016 0416) - i have only problem with SHA1 while installing www.webmin.com

W: http://webmin.mirror.somersettechsolutions.co.uk/repository/dists/sarge/Release.gpg: Signature by key 1719003ACE3E5A41E2DE70DFD97A3AE911F63C51 uses weak digest algorithm (SHA1)
W: http://download.webmin.com/download/repository/dists/sarge/Release.gpg: Signature by key 1719003ACE3E5A41E2DE70DFD97A3AE911F63C51 uses weak digest algorithm (SHA1)

franco_bez (franco-bez) wrote :

In my case it's only the Virtualbox Repo

W: http://download.virtualbox.org/virtualbox/debian/dists/xenial/InRelease: Signature by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 uses weak digest algorithm (SHA1)

Wiktor: Nizio (zap-4) wrote :

It is actually correct. Compare with comment #30. The message is supposed to be worded this way.

Albert Cutrona (acutbal) wrote :

Hello!! :)

I've installed Ubuntu 16.04, fresh install and I've this problem with Chrome.

W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)

Best regards!!

Eduardo Medina (edu-rm-85-z) wrote :

Same problem here with Google Chrome repository. I hope that Google address it soon.

brad (bradmiller200593) on 2016-04-25
Changed in apt (Ubuntu):
assignee: nobody → brad (bradmiller200593)
Nick (nick-power) wrote :

Gajim:

W: ftp://ftp.gajim.org/debian/dists/unstable/InRelease: Signature by key 95306A3F5430B830FE23ACEF838BC5151E5526DE uses weak digest algorithm (SHA1)

arthurcamargo (camargo-arthur) wrote :

in my terminal apt-get update answered:

W: http://archive.getdeb.net/ubuntu/dists/xenial-getdeb/InRelease: Signature by key 1958A549614CE21CFC27F4BAA8A515F046D7E7CF uses weak digest algorithm (SHA1)

W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)

W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)

Changed in apt (Ubuntu):
assignee: brad (bradmiller200593) → nobody
Mahmoud F.Elshazly (elshazly5) wrote :

Ubuntu 16.04 after upgrading

in my terminal apt-get update answered:

W: http://www.scootersoftware.com/dists/bcompare4/Release.gpg: Signature by key C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE uses weak digest algorithm (SHA1)
W: http://download.videolan.org/pub/debian/stable/Release.gpg: Signature by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 uses weak digest algorithm (SHA1)
W: http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_14.04/./Release.gpg: Signature by key 1E7BF737CB8709F0F740625B12C6ADA61C85BB5E uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'
W: http://deb.playonlinux.com/dists/trusty/InRelease: Signature by key 74F7358425EEB6176094C884E0F72778C4676186 uses weak digest algorithm (SHA1)
W: http://ppa.launchpad.net/i-nex-development-team/stable/ubuntu/dists/trusty/Release.gpg: Signature by key 844A85F9F6C4BB6FA118D7E1431D3C83F34CDDAD uses weak digest algorithm (SHA1)

Can anyone have a a solution for that?

Colin Law (colin-law) wrote :

@Mahmoud F.Elshazly (elshazly5) this bug is about the wording of a message, not about specific repositories.

However, only one of the repositories is an Ubuntu repo, and that one is for trusty not xenial, so it is not appropriate to be using it at all. For the non-ubuntu repos you will have to take up the problem with them, or ask in a more appropriate place.

varlesh (varlesh-l) wrote :

apt - 1.2.10ubuntu1
ubuntu xenial amd64
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)

Wiktor: Nizio (zap-4) wrote :

@varlesh the information you provided is incomplete. Please tell the developers why exactly you think that the information is incorrectly worded, or what the correct wording is. Otherwise the input you provided might be missed. This message seems to be consistent for all repositories that are signed with SHA1. Why exactly do you think something is wrong?

Dirk De Schepper (deschepper) wrote :

I switched to signing my repository with SHA512 encoded 4096 bit key. I still get the same error (No Hash entry in Release file ... which is considered strong enough ...). This is on Xubuntu Xenial 16.04 (amd64), apt version 1.2.10ubuntu1. I checked with apt-key, and the public version of the signing key is present. I'm drawing a blank here.

Julian Andres Klode (juliank) wrote :

@Dirk That's a completely different error type. Your release file only contains an MD5Sum field. Look at the broken repositories section in https://wiki.debian.org/Teams/Apt/Sha1Removal

Dirk De Schepper (deschepper) wrote :

Thanks, I see the problem now.

Shriramana Sharma (jamadagni) wrote :

I have my own local repo and am getting this error for it whenever I try to do apt-get update. I even recently updated the key I use to sign it to RSA/RSA 2048/2048 and also add the two lines in ~/.gnupg/gpg.conf:

cert-digest-algo SHA256
digest-algo SHA256

as recommended at http://askubuntu.com/a/776599/170127. However I still keep getting this error. Please advise as to what I have to do to stop getting this error.

Shriramana Sharma (jamadagni) wrote :

Sorry for the noise due to my previous comment #86. It is unrelated to this bug and it was because I was not generating the appropriate SHA256 lines in the Release file. Sorry again.

S_B (souvikb009cmc) wrote :

 I have also same problem with Google Earth

http://dl.google.com/linux/earth/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)Failed to fetch

http://dl.google.com/linux/earth/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_earth_deb_dists_stable_Release which is considered strong enough for security purposes

Some index files failed to download. They have been ignored, or old ones used instead.

Sorin Sbarnea (ssbarnea) wrote :

It seems that MongoDB is also broken due to this https://jira.mongodb.org/browse/SERVER-23397

Workarounds?

I have a owncloud 9 with Ubuntu 16.04. Today has started this error when I try to do apt-get update.

I have my own local repo and am getting this error for it whenever I try to do apt-get update. I even recently updated the key I use to sign it to RSA/RSA 2048/2048 and also add the two lines in

I add the two lines in
~/.gnupg/gpg.conf:

cert-digest-algo SHA256
digest-algo SHA256

as recommended at http://askubuntu.com/a/776599/170127.

And I have del the key and later add key again.

However I still keep getting this error. Please advise as to what I have to do to stop getting this error.

W: http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.gpg: Signature by key BCECA90325B072AB1245F739AB7C32C35180350A uses weak digest algorithm (SHA1)

Colin Law (colin-law) wrote :

@angel-granados-j This bug is about the wording of the error message, not the fact that the error may appear.
For how to avoid it I suggest you ask elsewhere, the ubuntu-users email list for example.

Tonal (tonal-promsoft) wrote :

Also
W: http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.2/Release.gpg: Signature by key 42F3E95A2C4F08279C4960ADD68FA50FEA312927 uses weak digest algorithm (SHA1)
W: http://liveusb.info/multisystem/depot/dists/all/Release.gpg: Signature by key 32027DE3D67157C45E69C0AE4E940D7FDD7FB8CC uses weak digest algorithm (SHA1)
W: http://www.rabbitmq.com/debian/dists/testing/InRelease: Signature by key 0A9AF2115F4687BD29803A206B73A36E6026DFCA uses weak digest algorithm (SHA1)

yon (thornyon) on 2016-11-15
Changed in apt (Ubuntu):
assignee: nobody → yon (thornyon)
Julian Andres Klode (juliank) wrote :

Don't change the assignment on a (fixed) issue please, yon.

Changed in apt (Ubuntu):
assignee: yon (thornyon) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.