apt / insufficiently signed / weak digest
When adding our own apt repository to a new Ubuntu/Xenial machine, I got an “insufficiently signed (weak digest)” error.
# apt-get update
...
W: gpgv:/var/lib/apt/lists/partial/ppa.osso.nl_ubuntu_dists_xenial_InRelease: The repository is insufficiently signed by key 4D1...0F5 (weak digest)
Confirmed it with gpgv. Without the --weak-digest option gpgv still accepts the signature; with it, as apt runs it, the SHA1 signature is rejected:
# gpgv --keyring /etc/apt/trusted.gpg \
/var/lib/apt/lists/ppa.osso.nl_ubuntu_dists_xenial_InRelease
gpgv: Signature made Wed 23 Mar 2016 10:14:48 AM UTC using RSA key ID B36530F5
gpgv: Good signature from "PPA-OSSO-NL <support+ppa@osso.nl>"
# gpgv --weak-digest sha1 --verbose --keyring /etc/apt/trusted.gpg \
/var/lib/apt/lists/ppa.osso.nl_ubuntu_dists_xenial_InRelease
gpgv: armor header: Hash: SHA1
gpgv: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
gpgv: original file name=''
gpgv: Signature made Wed 23 Mar 2016 10:14:48 AM UTC using RSA key ID B36530F5
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: unknown digest algorithm
Indeed, SHA1. Which digest a clearsigned file uses is decided by the signer, so the fix belongs on the reprepro repository server: make GnuPG there prefer a stronger digest when signing.
reprepro# cat >> ~/.gnupg/gpg.conf << EOF
# Prefer better digests for signing.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
EOF
Regenerate the release files with updated signatures:
reprepro# reprepro export
...
Back on the client host, check for success:
# apt-get update
...
(no errors)
# gpgv --verbose --keyring /etc/apt/trusted.gpg \
/var/lib/apt/lists/ppa.osso.nl_ubuntu_dists_xenial_InRelease
gpgv: armor header: Hash: SHA512
gpgv: armor header: Version: GnuPG v1.4.11 (GNU/Linux)
gpgv: original file name=''
gpgv: Signature made Wed 23 Mar 2016 10:30:04 AM UTC using RSA key ID B36530F5
gpgv: Good signature from "PPA-OSSO-NL <support+ppa@osso.nl>"
gpgv: textmode signature, digest algorithm SHA512
Excellent. SHA512 this time, and no complaints from apt.
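To find out which of a client's already-downloaded InRelease files still carry a SHA1 signature before apt complains, the following added example (not part of the original post) reads the “Hash:” armor header that gpgv --verbose printed above. The header is advisory, so the authoritative check remains gpgv --weak-digest sha1 as run earlier; a missing header is treated as weak because a clearsigned message without one means MD5. The sample files and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage helper that reports
# which apt InRelease files are signed with a weak digest, based on the
# advisory "Hash:" armor header of the clearsigned file.

# Print the digest named by the "Hash:" armor header of a clearsigned file.
# Prints "none" when the header is absent (per OpenPGP that implies MD5).
inrelease_digest() {
    ir_digest=$(sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/{s/^Hash: *//p;}' "$1" \
                | head -n 1 | tr -d '\r')
    if [ -n "$ir_digest" ]; then
        printf '%s\n' "$ir_digest"
    else
        printf 'none\n'
    fi
}

# Exit 0 when the digest is one apt on Xenial rejects as weak (MD5, SHA1).
# "none" is weak as well: no header means the signer used MD5.
is_weak_digest() {
    case "$1" in
        MD5|SHA1|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan a directory of apt list files (default /var/lib/apt/lists), print one
# line per InRelease file, and return 1 if any file uses a weak digest.
scan_apt_lists() {
    scan_dir=${1:-/var/lib/apt/lists}
    scan_rc=0
    for scan_file in "$scan_dir"/*InRelease; do
        [ -e "$scan_file" ] || continue
        scan_digest=$(inrelease_digest "$scan_file")
        if is_weak_digest "$scan_digest"; then
            printf 'WEAK %s %s\n' "$scan_digest" "$scan_file"
            scan_rc=1
        else
            printf 'ok   %s %s\n' "$scan_digest" "$scan_file"
        fi
    done
    return $scan_rc
}

# Constructed sample files mirroring the before/after states above. The
# signature bodies are placeholders; only the armor headers matter here.
demo_dir=$(mktemp -d)
cat > "$demo_dir/old_InRelease" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: example
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
EOF
cat > "$demo_dir/new_InRelease" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: example
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
EOF

# On a real client run: scan_apt_lists /var/lib/apt/lists
scan_apt_lists "$demo_dir" || echo "weak digest(s) found, re-sign on the repository server"
```

Run it without arguments on the client to scan /var/lib/apt/lists; any WEAK line points at a repository whose Release files need to be re-exported with a stronger digest, as done above with reprepro.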
Update 2016-06-12
Fixed typo after feedback from Simon Leinen at SWITCH. He also remarked the following:
Some people have a gnupghome +b/gpg (basedir + “/gpg”) setting in their ~reprepro/conf/options. If that’s the case, the personal-digest-preferences line should go into ~reprepro/conf/gpg.conf instead of ~/.gnupg/gpg.conf.