Ubuntu complains....

W: http://debian.aegirproject.org/dists/unstable/InRelease: Signature by key 12782E2257B468806EF36D165ADF93A03376CCF9 uses weak digest algorithm (SHA1)

Debian Jessie does not complain ... but the upcoming stretch release makes it an error.

W: GPG error: https://debian.aegirproject.org unstable InRelease: The following signatures were invalid: 12782E2257B468806EF36D165ADF93A03376CCF9
W: The repository 'https://debian.aegirproject.org unstable InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Comments

helmo created an issue. See original summary.

Priority: Major » Critical

Title: Upgrade Debian repo key » Upgrade Debian repo signature
Status: Active » Fixed

It's the signature, not the key ....

Adding this to our ~/.gnupg/gpg.conf on the server hosting the repo:

personal-digest-preferences SHA512
cert-digest-algo SHA512
digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I then updated the Release.gpg files (stable and unstable repos) ... the error is gone and in a test wheezy vm it still works
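
One way to confirm which digest a re-signed Release.gpg or InRelease file actually uses is to read the hash-algorithm field of its OpenPGP signature packet (RFC 4880). This is an added example, not part of the original comment or the project's own tooling; the function names and the sample packet are constructed for illustration.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # digests this example flags as weak

def dearmor(text):
    """Return the binary packet data of the PGP SIGNATURE armor block."""
    lines = [l.strip() for l in text.splitlines()]
    block = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                  lines.index("-----END PGP SIGNATURE-----")]
    if "" in block:  # armor headers end at the first blank line
        block = block[block.index("") + 1:]
    # The line starting with "=" is the CRC24 checksum, not packet data.
    return base64.b64decode("".join(l for l in block if not l.startswith("=")))

def signature_digest(data):
    """Return the hash algorithm name of the leading signature packet."""
    first = data[0]
    if first & 0x40:  # new-format packet header
        tag, l0 = first & 0x3F, data[1]
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:             # old-format packet header
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 3]
    if tag != 2:
        raise ValueError("not a signature packet")
    body = data[hdr:]
    # v4: version, sig type, pubkey algo, hash algo.
    # v3: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo.
    algo = body[16] if body[0] == 3 else body[3]
    return HASH_NAMES.get(algo, "unknown(%d)" % algo)

def check(text):
    """Return (digest name, is_weak) for a detached or clearsigned file."""
    name = signature_digest(dearmor(text))
    return name, name in WEAK

def make_sample(hash_id):
    """Constructed, truncated v4 signature packet (not a real signature)."""
    body = bytes([4, 0x00, 1, hash_id]) + bytes(8)
    pkt = bytes([0x89]) + len(body).to_bytes(2, "big") + body
    return ("-----BEGIN PGP SIGNATURE-----\n\n" +
            base64.b64encode(pkt).decode() + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for hash_id in (2, 10):  # before and after the gpg.conf change
        print(check(make_sample(hash_id)))
```

To use it on a real repository, pass the contents of the downloaded Release.gpg or InRelease file to `check()`.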

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.