Bug 361308

Summary: "apt-get update" warning "W: http://download.opensuse.org/repositories/home:/jkt-gentoo:/trojita/Debian_8.0/Release.gpg: Signature by key 62797E5BC0F3A65DCFB2F94D121EE1B7A6A36662 uses weak digest algorithm (SHA1)"
Product: [Applications] trojita
Reporter: Thomas Hackert <thackert>
Component: Other
Assignee: Trojita default assignee <trojita-bugs>
Status: RESOLVED UPSTREAM
Severity: normal
Priority: NOR
Version First Reported In: git
Target Milestone: ---
Platform: Debian testing
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Thomas Hackert 2016-04-02 10:04:10 UTC
Hello @ll,
Not sure if I have chosen the right component and such. If I made any mistake, feel free to change it accordingly :)

Now to my problem:

When I am trying to update my package list, I get the warning
<quote>
W: http://download.opensuse.org/repositories/home:/jkt-gentoo:/trojita/Debian_8.0/Release.gpg: Signature by key 62797E5BC0F3A65DCFB2F94D121EE1B7A6A36662 uses weak digest algorithm (SHA1)
</quote>
every time ... :( Searching the web for "apt-get" and "weak digest algorithm" leads me to https://juliank.wordpress.com/ and https://wiki.debian.org/Teams/Apt/Sha1Removal. Further research revealed that most of my additional repositories have this problem. Now I want to ask you to regenerate a new key for your Debian (and other distributions as well) package, please. I also found https://www.debian-administration.org/users/dkg/weblog/48, but as a non-developer I am not sure if it is doable at all ... :(
Sorry for the inconvenience and have a nice day
Thomas


Reproducible: Always

Steps to Reproduce:
1. Follow the instructions on https://software.opensuse.org/download.html?project=home:jkt-gentoo:trojita&package=trojita-nightly to add the repository and its key to apt.
2. Start "apt-get update"

Actual Results:
You will get a warning
<quote>
W: http://download.opensuse.org/repositories/home:/jkt-gentoo:/trojita/Debian_8.0/Release.gpg: Signature by key 62797E5BC0F3A65DCFB2F94D121EE1B7A6A36662 uses weak digest algorithm (SHA1)
</quote>

Expected Results:
"apt-get update" does not warn about the "weak digest algorithm"

Operating system: Debian Testing AMD64
Trojita: 0.5.git.1458329333.12e4110
Comment 1 Jan Kundrát 2016-04-02 17:09:24 UTC
Yeah, we are aware of this. Unfortunately, this is not about a key strength or a key algorithm (we've already regenerated the key). It's about a hard-coded constant in the OpenSuSE's Open Build Service's signing component which specifies that the package signatures should use SHA1 as the hashing algorithm.

I've opened a bug report at https://github.com/openSUSE/obs-sign/issues/5. Please note that the OBS is a hosted service and we cannot do anything to change it.
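As an added illustration of what apt is checking here (example code, not from the bug report, Trojita or OBS): the digest algorithm is a field inside the signature packet of Release.gpg, chosen by the signer at signing time, which is why regenerating the key does not change it. The armored signatures below are constructed dummies with fake MPIs; to audit a configured repository, hand `signature_hash_algo` the text of a downloaded Release.gpg instead.

```python
import base64

# OpenPGP hash algorithm ids (RFC 4880, section 9.4); apt's warning is about id 2.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}

def dearmor(armored):
    # Raw packet bytes of an ASCII-armored detached signature such as Release.gpg.
    body = armored.split("-----BEGIN PGP")[1].split("-----END PGP")[0]
    b64 = body.split("\n\n", 1)[1]                 # armor headers end at the first blank line
    lines = [l.strip() for l in b64.splitlines()]  # "=XXXX" is the armor CRC, not packet data
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))

def first_packet(data):
    # Parse one packet header (old or new format, RFC 4880 section 4.2); return (tag, body).
    ctb = data[0]
    if ctb & 0x40:                                 # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("unsupported packet length encoding")
    else:                                          # old-format header, 1/2/4 length octets
        tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def signature_hash_algo(armored):
    # The digest is chosen by the signer and stored in the signature packet, not in the key.
    tag, body = first_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:                   # v4 layout: version, type, pk algo, hash algo
        raise ValueError("not a v4 signature packet")
    return HASH_ALGOS.get(body[3], f"unknown({body[3]})")

def uses_weak_digest(armored):
    return signature_hash_algo(armored) in WEAK_DIGESTS

def constructed_signature(hash_algo_id, new_format=False):
    # Constructed v4 RSA signature packet with a dummy MPI: shaped like Release.gpg, not a real one.
    body = bytes([4, 0x00, 1, hash_algo_id]) + b"\x00\x00\x00\x00\x12\x34\x00\x08\x5a"
    packet = bytes([0xC2 if new_format else 0x88, len(body)]) + body
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n=AAAA\n-----END PGP SIGNATURE-----\n"
```

`uses_weak_digest(constructed_signature(2))` is the condition apt reports on; the same check over a real Release.gpg tells you whether a repository is affected before apt does.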
Comment 2 Thomas Hackert 2016-04-03 06:55:13 UTC
Hello Jan,
thanks for your answer :) I have found https://github.com/owncloud/core/issues/23599, where it is also discussed (they mention that obs-sign is a C program, but they also mention Perl scripts, which are used by obs-sign ...), but I am not sure if this helps ...
Thanks again and have a nice day
Thomas.