Differences between revisions 103 and 104
Revision 103 as of 2017-03-14 22:19:44
Size: 12912
Editor: CraigLamparter
Comment: HPE repositories resigned with new key and SHA256 hash alg.
Revision 104 as of 2017-04-21 15:28:53
Size: 12719
Comment: perforce is fixed
Line 105: Line 105:
 * '''Perforce'''
  * `W: GPG error: http://package.perforce.com/apt/ubuntu xenial InRelease: The following signatures were invalid: E58131C0AEA7B082C6DC4C937123CB760FF18869`
  * Contacted 2017-02-07 and acknowledged by them
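Review bot: the entry removed here recorded a different symptom from the rest of the half-broken list: "The following signatures were invalid: E58131C0AEA7B082C6DC4C937123CB760FF18869" is an outright signature verification failure, not the "uses weak digest algorithm (SHA1)" warning the other entries show, so the compliant-section line should say what was actually fixed (the Release signature, the signing key, or both) rather than only "fixed since Feb 2017", and should keep the 2017-02-07 contact note alongside it for traceability.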
Line 178: Line 174:
  * Perforce - fixed since Feb 2017

This page keeps track of repositories broken or half-broken by the SHA1 removal. Please note that we intend to shut off SHA1 completely on January 1, 2017.

Feel free to add other affected repositories here.

Broken repositories

These issue errors like "No hash entry found ... which is strong enough for security purposes" and cause the update to fail.

The cause of this is a missing SHA256 or SHA512 entry in the Release and/or Packages files.

  • Nvidia CUDA

    • E: Failed to fetch http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64/Release No Hash entry in Release file /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1504_x86%5f64_Release which is considered strong enough for security purposes

  • sbt (sbt issue 2522)

    • W: Failed to fetch https://dl.bintray.com/sbt/debian/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_sbt_debian_Release, which is considered strong enough for security purposes

  • openHAB - Reported to maintainer

    • E: Failed to fetch http://dl.bintray.com/openhab/apt-repo/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_openhab_apt-repo_dists_stable_Release which is considered strong enough for security purposes

Fixing broken repositories

Repository owners should make sure their Release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.

If the repository is also affected by the other error below, that should also be fixed.

Half-broken repositories

These issue warnings about insufficiently signed repositories (apt 1.2.7) or weak signatures (1.2.8), or return errors (1.4~beta1).

This means the GPG signature on the Release (or InRelease) file was made with SHA1 as the hash (= digest) algorithm.

  • Bchemnet (SULDR) (contacted http://www.bchemnet.com/suldr/forum/index.php?topic=283.0)

    • W: http://www.bchemnet.com/suldr/dists/debian/InRelease: Signature by key 52C1D92CE6FC35F636B045C3C95104E509BAC46D uses weak digest algorithm (SHA1)

  • Intel Graphics drivers

    • W: https://download.01.org/gfx/ubuntu/16.04/main/dists/xenial/InRelease: Signature by key 09D6EF97BFB38E916EF060E756A3DEF863961D39 uses weak digest algorithm (SHA1)

  • Beyond Compare

    • W: http://www.scootersoftware.com/dists/bcompare4/Release.gpg: Signature by key C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE uses weak digest algorithm (SHA1)

  • Blue Jeans

    • W: gpgv:/var/lib/apt/lists/swdl.bluejeans.com_repos_bluejeans_x86%5f64_release_debs_dists_stable_Release.gpg: The repository is insufficiently signed by key BBCB188AD7B3228BCF05BD554C0BE21B5FF054BD (weak digest)

  • CFEngine Community

    • W: gpgv:/var/lib/apt/lists/cfengine-package-repos.s3.amazonaws.com_pub_apt_packages_dists_stable_Release.gpg: The repository is insufficiently signed by key 850614F65F7C006979BCF9EA7061B663A86E7AFA (weak digest)

  • Cloudera CDH

    • W: http://archive.cloudera.com/cdh5/debian/wheezy/amd64/cdh/dists/wheezy-cdh5/InRelease: Signature by key F36A89E33CC1BD0F71079007327574EE02A818DD uses weak digest algorithm (SHA1)

  • BtSync (Unofficial) - Maintainer contacted via Google+ on 21st May

    • W: gpgv:/var/lib/apt/lists/debian.yeasoft.net_btsync_dists_unstable_InRelease: The repository is insufficiently signed by key 06ABBEA18548527F04A2FC2840FC0CD26BF18B15 (weak digest)

  • Elasticsearch (contacted at https://discuss.elastic.co/t/fixing-debian-repository/51097)

    • W: http://packages.elastic.co/elasticsearch/2.x/debian/dists/stable/Release.gpg: Signature by key 46095ACC8548582C1A2699A9D27D666CD88E42B4 uses weak digest algorithm (SHA1)

  • emacs-snapshot (contacted dima via mail) Corrected 1st of August.

    • W: http://emacs.secretsauce.net/dists/unstable/InRelease: Signature by key 0105C059050D09EF190826DB248E163FEFB35644 uses weak digest algorithm (SHA1)

  • Epson

    • W: http://download.ebz.epson.net/dsc/op/stable/debian/dists/lsb3.2/Release.gpg: Signature by key E5220FB7014D0FBDA50DFC2BE5E86C008AA65D56 uses weak digest algorithm (SHA1)

  • GeoGebra (emailed)

    • W: http://www.geogebra.net/linux/dists/stable/InRelease: Signature by key 98272894F6478AA4434B41D3C072A32983A736CF uses weak digest algorithm (SHA1)

  • Heroku Toolbelt

    • W: http://toolbelt.heroku.com/ubuntu/./Release.gpg: Signature by key 150C6249147592DE6D91981CC927EBE00F1B0520 uses weak digest algorithm (SHA1)

  • InfluxDB

    • W: https://repos.influxdata.com/debian/dists/jessie/InRelease: Signature by key 05CE15085FC09D18E99EFB22684A14CF2582E0C5 uses weak digest algorithm (SHA1)

  • Jenkins (Link to the Jenkins Issue) (fixed)

    • W: http://pkg.jenkins-ci.org/debian/binary/Release.gpg: Signature by key 150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6 uses weak digest algorithm (SHA1)

  • Jitsi (notified via email http://lists.jitsi.org/pipermail/users/2016-March/010990.html )

    • W: http://download.jitsi.org/deb/unstable/Release.gpg: Signature by key 040F57608F84BAF1BF844A62C697D823EB0AB654 uses weak digest algorithm (SHA1)

  • KX Studio (http://kxstudio.linuxaudio.org/ contacted via Launchpad) (fixed)

    • W: http://kxstudio.linuxaudio.org/repo/dists/stable/Release.gpg: Signature by key 037E0CAFCAA96B99901CB0D52D3445A829213837 uses weak digest algorithm (SHA1)

    • W: http://ppa.launchpad.net/kxstudio-debian/plugins/ubuntu/dists/lucid/InRelease: Signature by key DF1BC724E4ED8A947FF0B0A1F8599E482BD84BD9 uses weak digest algorithm (SHA1)

  • Mendeley (contacted email address found in existing pub key)

    • W: gpgv:/var/lib/apt/lists/partial/desktop-download.mendeley.com_download_apt_dists_stable_Release.gpg: The repository is insufficiently signed by key 26BB02191EF4588D3A7BC30FD800C7D6F036044 (weak digest)

  • MonetDB

    • W: http://dev.monetdb.org/downloads/deb/dists/yakkety/Release.gpg: Signature by key 213E64DCD5DDC2C063CC39FD053C3ED40583366F uses weak digest algorithm (SHA1)

  • MongoDB (issue SERVER-23397)

    • W: gpgv:/var/lib/apt/lists/repo.mongodb.org_apt_debian_dists_wheezy_mongodb-org_3.0_Release.gpg: The repository is insufficiently signed by key 492EAFE8CD016A07919F1D2B9ECBEC467F0CEB10 (weak digest)

  • Nginx (contacted via IRC - planning on fixing this during summer 2016)

    • W: http://nginx.org/packages/debian/dists/jessie/Release.gpg: Signature by key 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uses weak digest algorithm (SHA1)

  • Open Build Service

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_home:_emby_xUbuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key 7C73B6B7B0937468962299C50A506F712A7D8A28 (weak digest)

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Ubuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest)

  • Open Printing

    • W: http://www.openprinting.org/download/printdriver/debian/dists/lsb3.2/Release.gpg: Signature by key F8897B6F00075648E248B7EC24CBF5474CFD1E2F uses weak digest algorithm (SHA1)

  • OpenLiteSpeed Server

    • W: http://rpms.litespeedtech.com/debian/dists/xenial/Release.gpg: Signature by key 42259994257E19EB6A91CA853F6F627083084D0E uses weak digest algorithm (SHA1)

    • W: Invalid 'Date' entry in Release file /var/lib/apt/lists/rpms.litespeedtech.com_debian_dists_xenial_Release

  • Percona

    • W: http://repo.percona.com/apt/dists/wheezy/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

  • plexpass/plexmediaserver (Tried to contact via IRC - no answer)

    • W: http://shell.ninthgate.se/packages/debian/dists/plexpass/InRelease: Signature by key 50EE969049C1996AD773A391E639BFCB72740199 uses weak digest algorithm (SHA1)

  • Ring (contacted via email)

    • W: gpgv:/var/lib/apt/lists/nightly.apt.ring.cx_debian%5f8_dists_ring_InRelease: The repository is insufficiently signed by key A295D773307D25A33AE72F2F64CD5FA175348F84 (weak digest)

  • SemanticMerge (contacted via email)

    • W: https://www.semanticmerge.com/semanticrepo/Debian_8.1/./Release.gpg: Signature by key 20E35F13F64AF2A9DB470AF7EFFF4A472840BE0E uses weak digest algorithm (SHA1)

  • Slack (Contacted via Support form) (fixed since May 11)

    • W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Signature by key F86AA916A2195E121AEDB11437BBEE3F7AD95B3F uses weak digest algorithm (SHA1)

  • Tel.Red (Sky Lync client)

    • W: http://repos.tel.red/debian/dists/stable/Release.gpg: Signature by key 9454C19A66B920C83DDF696E07C8CCAFCE49F8C5 uses weak digest algorithm (SHA1)

  • TVHeadEnd (old repository, contacted via IRC)

  • VideoLAN

    • W: gpgv:/var/lib/apt/lists/download.videolan.org_pub_debian_stable_Release.gpg: The repository is insufficiently signed by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 (weak digest)

  • MySQL (no xenial repo available yet either)

    • W: http://repo.mysql.com/apt//ubuntu/dists/wily/InRelease: Signature by key A4A9406876FCBD3C456770C88C718D3B5072E1F5 uses weak digest algorithm (SHA1)

  • SWI-Prolog (contacted via Google Group)

    • W: http://ppa.launchpad.net/swi-prolog/stable/ubuntu/dists/vivid/Release.gpg: Signature by key 73E75048FF27533C0D8DC521EF8406856DBFCA18 uses weak digest algorithm (SHA1)

Fixing half-broken repositories

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.

Migrating from DSA to RSA is best done by signing the repository with two keys (old and new one) and shipping the new one to the users.

  • To sign with more than one key, if using reprepro, use a space-separated list of key IDs in the conf/distributions file on the SignWith line.

  • A relatively safe way to ship the key would be to embed it in the package. To embed the key in the package, export it into its own keyring, like so
    • gpg --export -a YOURNEWKEYID | gpg --no-default-keyring --keyring newkeyring.gpg --import -

    The keyring file will be created in your ~/.gnupg directory. Place it in the /etc/apt/trusted.gpg.d/ directory in your package, and it will automatically be picked up by apt-key once your users install the package.

Some months after those changes, it is OK to drop the old key from the repository and from the users' machines (if it was shipped with a package).
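As an added example (not part of this wiki page, apt or gpg), the following Python script checks a repository for both defects described above: it looks for SHA256/SHA512 sections in a Release file ("broken"), and reads the digest algorithm id out of a binary Release.gpg signature packet to flag SHA1 the way apt's "weak digest algorithm" warning does ("half-broken"). The Release text and signature bytes are constructed samples; the signature packets are truncated right after the hash-algorithm field, which is all the parser reads.

```python
"""Audit a Debian Release file and its binary Release.gpg for the two defects this page
tracks: no SHA256/SHA512 section, and a SHA1-digest signature. All inputs are constructed."""
import re
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 9.4

def release_hash_algos(release_text):
    """Checksum sections (MD5Sum/SHA1/SHA256/SHA512) present in a Release file."""
    return set(re.findall(r"^(MD5Sum|SHA1|SHA256|SHA512):\s*$", release_text, re.M))

def release_is_strong(release_text):  # True when apt finds an entry 'strong enough'
    return bool(release_hash_algos(release_text) & {"SHA256", "SHA512"})

def _packet_body(sig):
    """Strip the OpenPGP packet header (RFC 4880 4.2); return (tag, body)."""
    hdr = sig[0]
    if hdr & 0xC0 == 0xC0:                           # new-format header
        tag, first = hdr & 0x3F, sig[1]
        if 224 <= first < 255:
            raise ValueError("partial body lengths unsupported")
        start = 2 if first < 192 else 3 if first < 224 else 6
    elif hdr & 0x80:                                 # old-format header, as gpg emits
        tag, start = (hdr >> 2) & 0x0F, 1 + (1, 2, 4, 0)[hdr & 3]
    else:
        raise ValueError("not an OpenPGP packet")
    return tag, sig[start:]

def signature_digest_algo(sig):
    """Digest algorithm of an unarmored signature packet (dearmor InRelease first)."""
    tag, body = _packet_body(sig)
    if tag != 2 or body[0] not in (3, 4):
        raise ValueError("not a v3/v4 signature packet")
    algo_id = body[3] if body[0] == 4 else body[16]  # v3 keeps it after the 8-byte key id
    return HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id)

def signature_is_weak(sig):  # True when apt >= 1.2.8 warns 'uses weak digest algorithm'
    return signature_digest_algo(sig) in {"MD5", "SHA1"}

# Constructed Release files listing the empty file (size 0) under each section.
OLD_RELEASE = ("Suite: stable\nMD5Sum:\n d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages\n"
               "SHA1:\n da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages\n")
NEW_RELEASE = OLD_RELEASE + ("SHA256:\n e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
                             " 0 main/binary-amd64/Packages\n")
# Constructed, truncated signature packets: old-format header 0x89 (tag 2, two length
# octets), then version 4, signature type 0x00, RSA (1), and the hash algorithm id.
SHA1_SIG = bytes([0x89, 0x00, 0x04, 0x04, 0x00, 0x01, 0x02])
SHA512_SIG = bytes([0x89, 0x00, 0x04, 0x04, 0x00, 0x01, 0x0A])

if __name__ == "__main__":
    for rel, sig in ((OLD_RELEASE, SHA1_SIG), (NEW_RELEASE, SHA512_SIG)):
        print(sorted(release_hash_algos(rel)), release_is_strong(rel), signature_digest_algo(sig))
```

On a real repository, feed it the downloaded Release file and Release.gpg; an InRelease file is ASCII-armored and must be dearmored (gpg --dearmor) before its signature bytes can be parsed.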

Compliant repositories

The following 3rd party repositories are compliant.