Hello @ll,

not sure if I have chosen the right component and such. If I made any mistake, feel free to change it accordingly :)

Now to my problem: When I am trying to update my package list, I get the warning

<quote>
W: http://download.opensuse.org/repositories/home:/jkt-gentoo:/trojita/Debian_8.0/Release.gpg: Signature by key 62797E5BC0F3A65DCFB2F94D121EE1B7A6A36662 uses weak digest algorithm (SHA1)
</quote>

every time ... :(

Searching the web for "apt-get" and "weak digest algorithm" leads me to https://juliank.wordpress.com/ and https://wiki.debian.org/Teams/Apt/Sha1Removal. Further research revealed that most of my additional repositories have this problem.

Now I want to ask you to regenerate a new key for your Debian (and other distributions as well) package, please.

I also found https://www.debian-administration.org/users/dkg/weblog/48, but as a non-developer I am not sure if it is doable at all ... :(

Sorry for the inconvenience and have a nice day
Thomas

Reproducible: Always

Steps to Reproduce:
1. Follow the instructions on https://software.opensuse.org/download.html?project=home:jkt-gentoo:trojita&package=trojita-nightly to add the repository and its key to apt.
2. Start "apt-get update"

Actual Results:
You will get a warning

<quote>
W: http://download.opensuse.org/repositories/home:/jkt-gentoo:/trojita/Debian_8.0/Release.gpg: Signature by key 62797E5BC0F3A65DCFB2F94D121EE1B7A6A36662 uses weak digest algorithm (SHA1)
</quote>

Expected Results:
"apt-get update" does not warn about the "weak digest algorithm"

Operating system: Debian Testing AMD64
Trojita: 0.5.git.1458329333.12e4110
Yeah, we are aware of this. Unfortunately, this is not about a key strength or a key algorithm (we've already regenerated the key). It's about a hard-coded constant in the signing component of openSUSE's Open Build Service, which specifies that the package signatures should use SHA1 as the hashing algorithm. I've opened a bug report at https://github.com/openSUSE/obs-sign/issues/5.

Please note that the OBS is a hosted service and we cannot do anything to change it.
Hello Jan,

thanks for your answer :)

I have found https://github.com/owncloud/core/issues/23599, where it is discussed also (they mention that obs-sign is a C program but they mention also Perl scripts, which are used by obs-sign ...), but I am not sure if this helps ...

Thanks again and have a nice day
Thomas.