Ubuntu complains....

W: http://debian.aegirproject.org/dists/unstable/InRelease: Signature by key 12782E2257B468806EF36D165ADF93A03376CCF9 uses weak digest algorithm (SHA1)

Debian Jessie does not complain ... but the upcomming stretch release makes it an error.

W: GPG error: https://debian.aegirproject.org unstable InRelease: The following signatures were invalid: 12782E2257B468806EF36D165ADF93A03376CCF9
W: The repository 'https://debian.aegirproject.org unstable InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.


helmo created an issue. See original summary.

helmo’s picture

helmo’s picture

Priority: Major » Critical
helmo’s picture

Title: Upgrade Debian repo key » Upgrade Debian repo signature
Status: Active » Fixed

It's the signature, not the key ....

Adding this to our ~/.gnupg/gpg.conf on the server hosting the repo:

personal-digest-preferences SHA512
cert-digest-algo SHA512
digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I then updated the Release.gpg files (stable and unstable repos) ... the error is gone and in a test wheezy vm it still works

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.