Differences between revisions 42 and 43
Revision 42 as of 2016-04-03 09:10:54
Size: 10898
Editor: JulianGilbey
Comment: Added Google Earth
Revision 43 as of 2016-04-06 21:15:07
Size: 10752
Editor: RomanDuriska
Comment:
Line 74: Line 74:
 * '''Insync'''
  * `W: gpgv:/var/lib/apt/lists/apt.insynchq.com_ubuntu_dists_trusty_InRelease: The repository is insufficiently signed by key 3B158123A580D31A9E86248106BBDC2602DFE7E7 (weak digest)`
 * --('''Insync''')-- (contacted via email and fixed)
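Review bot: the replacement line drops the gpgv warning that documented Insync's problem and leaves a struck-through entry in the half-broken list, while fixed repositories are otherwise recorded under "Compliant repositories" (Liquorix, Spotify "fixed since Mar 31"); consider moving Insync there with its fix date instead of striking it through in place.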

This page keeps track of repositories broken or half-broken by the SHA1 removal. Please note that we intend to shut off SHA1 completely on January 1, 2017.

Feel free to add other affected repositories here.

Broken repositories

These issue errors like "No hash entry found ... which is strong enough for security purposes" and cause apt to fail.

The cause of this is a missing SHA256 or SHA512 entry in the Release and/or Packages files.

  • Google repositories (contacted ospo at google.com)

    • Google Chrome (half-broken since March 18th 2016)

    • Google Music Manager

      • W:gpgv:/var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest), W:Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.

    • Google Talk Plugin

      • W:gpgv:/var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest), W:Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.

    • Google Dart

      • E: Failed to fetch https://storage.googleapis.com/download.dartlang.org/linux/debian/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/storage.googleapis.com_download.dartlang.org_linux_debian_dists_stable_Release, which is considered strong enough for security purposes

    • Google Earth

      • E: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_earth_deb_dists_stable_Release which is considered strong enough for security purposes

  • Nvidia CUDA

    • E: Failed to fetch http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64/Release No Hash entry in Release file /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1504_x86%5f64_Release which is considered strong enough for security purposes

  • sbt (sbt issue 2522)

    • W: Failed to fetch https://dl.bintray.com/sbt/debian/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_sbt_debian_Release, which is considered strong enough for security purposes

  • Spider Oak ONE - Contacted via email

    • W:gpgv:/var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release.gpg: The repository is insufficiently signed by key FE45E5330B11DCF03247EF49A6FF22FF08C15DD0 (weak digest), W:Failed to fetch http://APT.spideroak.com/ubuntu-spideroak-hardy/dists/release/Release  No Hash entry in Release file /var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.

  • openHAB - Reported to maintainer

    • E: Failed to fetch http://dl.bintray.com/openhab/apt-repo/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_openhab_apt-repo_dists_stable_Release which is considered strong enough for security purposes

Fixing broken repositories

Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.

If the repository is also affected by the other error below, that should also be fixed.
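A repository owner can check the three conditions above before apt users hit them. The following Python script is an added example for this page, not apt's or any listed repository's code: it parses a Release file and reports every path that has no SHA256 or SHA512 entry, and scans Packages and Sources stanzas for a missing SHA256 or Checksums-Sha256 field. The Release and Packages texts inside it are constructed samples whose digests are those of the empty file; the field names are the standard Debian repository format ones.

```python
"""Check whether an apt repository's index files carry the SHA256/SHA512
entries apt requires after the SHA1 removal.

Added example for this wiki page, not apt's own code: the Release and
Packages texts below are constructed samples (their digests are those of the
empty file); the field names are the standard Debian repository format ones.
"""
import re

RELEASE_HASH_SECTIONS = ("MD5Sum", "SHA1", "SHA256", "SHA512")
STRONG_RELEASE_SECTIONS = ("SHA256", "SHA512")


def release_hash_sections(release_text):
    """Map each checksum section of a Release file to the set of paths it lists."""
    sections, current = {}, None
    for line in release_text.splitlines():
        if line and not line[0].isspace():
            # A top-level field; only the checksum sections interest us.
            key = line.split(":", 1)[0]
            current = key if key in RELEASE_HASH_SECTIONS else None
            if current:
                sections.setdefault(current, set())
        elif current and line.strip():
            # Continuation line of a checksum section: "<digest> <size> <path>"
            _digest, _size, path = line.split()
            sections[current].add(path)
    return sections


def release_missing_strong_hash(release_text):
    """Paths in the Release file that have no SHA256 or SHA512 entry.

    An empty set means apt will not report "No Hash entry in Release file
    ... which is considered strong enough for security purposes".
    """
    sections = release_hash_sections(release_text)
    all_paths = set().union(*sections.values())
    strong = set().union(*(sections.get(s, set()) for s in STRONG_RELEASE_SECTIONS))
    return all_paths - strong


def stanzas_missing_field(index_text, field):
    """Package names whose stanza lacks `field`: use "SHA256" for a Packages
    file and "Checksums-Sha256" for a Sources file."""
    missing = []
    for stanza in re.split(r"\n\s*\n", index_text.strip()):
        fields = {l.split(":", 1)[0] for l in stanza.splitlines()
                  if l and not l[0].isspace()}
        if field not in fields:
            name = re.search(r"^Package:\s*(.+)$", stanza, re.M)
            missing.append(name.group(1) if name else "<unnamed stanza>")
    return missing


def check_repository(release_text, packages_text=None, sources_text=None):
    """Summarise what apt will complain about for one suite."""
    report = {"release_missing": sorted(release_missing_strong_hash(release_text))}
    if packages_text is not None:
        report["packages_missing_sha256"] = stanzas_missing_field(packages_text, "SHA256")
    if sources_text is not None:
        report["sources_missing_sha256"] = stanzas_missing_field(sources_text, "Checksums-Sha256")
    return report


# Constructed Release file of a "broken" repository: MD5Sum and SHA1 sections only.
SAMPLE_RELEASE_BROKEN = """\
Origin: Example
Suite: stable
Date: Sat, 02 Apr 2016 12:00:00 UTC
Architectures: amd64
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
"""

# The same repository after its owner regenerated the Release file with SHA256.
SAMPLE_RELEASE_FIXED = SAMPLE_RELEASE_BROKEN + """\
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Constructed Packages file: "foo" was indexed by an old tool and has no SHA256 field.
SAMPLE_PACKAGES = """\
Package: foo
Version: 1.0
Architecture: amd64
Filename: pool/main/f/foo/foo_1.0_amd64.deb
Size: 0
MD5sum: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

Package: bar
Version: 2.0
Architecture: amd64
Filename: pool/main/b/bar/bar_2.0_amd64.deb
Size: 0
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    print("broken:", check_repository(SAMPLE_RELEASE_BROKEN, SAMPLE_PACKAGES))
    print("fixed: ", check_repository(SAMPLE_RELEASE_FIXED, SAMPLE_PACKAGES))
```

Run it against a real suite with `check_repository(open("Release").read(), open("Packages").read())`; anything in `release_missing` is exactly what produces the "No Hash entry" error above, and a non-empty `packages_missing_sha256` list means the Packages file itself needs to be regenerated, not just re-signed.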

Half-broken repositories

These issue warnings about an insufficiently signed repository (apt 1.2.7 wording) or a weak digest algorithm (apt 1.2.8 wording).

Either message means the GPG signature on the Release file (Release.gpg or InRelease) was made with SHA1 as the hash (= digest) algorithm.

  • Bchemnet (SULDR) (contacted http://www.bchemnet.com/suldr/forum/index.php?topic=283.0)

    • W: http://www.bchemnet.com/suldr/dists/debian/InRelease: Signature by key 52C1D92CE6FC35F636B045C3C95104E509BAC46D uses weak digest algorithm (SHA1)

  • Blue Jeans

    • W: gpgv:/var/lib/apt/lists/swdl.bluejeans.com_repos_bluejeans_x86%5f64_release_debs_dists_stable_Release.gpg: The repository is insufficiently signed by key BBCB188AD7B3228BCF05BD554C0BE21B5FF054BD (weak digest)

  • CFEngine Community

    • W: gpgv:/var/lib/apt/lists/cfengine-package-repos.s3.amazonaws.com_pub_apt_packages_dists_stable_Release.gpg: The repository is insufficiently signed by key 850614F65F7C006979BCF9EA7061B663A86E7AFA (weak digest)

  • Cloudera CDH

    • W: http://archive.cloudera.com/cdh5/debian/wheezy/amd64/cdh/dists/wheezy-cdh5/InRelease: Signature by key F36A89E33CC1BD0F71079007327574EE02A818DD uses weak digest algorithm (SHA1)

  • Bt Sync (Unofficial)

    • W: gpgv:/var/lib/apt/lists/debian.yeasoft.net_btsync_dists_unstable_InRelease: The repository is insufficiently signed by key 06ABBEA18548527F04A2FC2840FC0CD26BF18B15 (weak digest)

  • Dropbox

    • W: gpgv:/var/lib/apt/lists/linux.dropbox.com_ubuntu_dists_wily_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)

  • Enpass

    • W: gpgv:/var/lib/apt/lists/repo.sinew.in_dists_stable_InRelease: The repository is insufficiently signed by key B6DA722E2E65721AF54B93966F7565879798C2FC (weak digest)

  • GeoGebra (emailed)

    • W:W: http://www.geogebra.net/linux/dists/stable/InRelease: Signature by key 98272894F6478AA4434B41D3C072A32983A736CF uses weak digest algorithm (SHA1)

  • Google Chrome

    • W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

  • Hipchat

    • W: http://downloads.hipchat.com/linux/apt/dists/stable/InRelease: Signature by key 69F57C04EA38EEE7A47E9BCCAAD4AA21729B5780 uses weak digest algorithm (SHA1)

  • Insync (contacted via email and fixed)

  • Jitsi (notified via email http://lists.jitsi.org/pipermail/users/2016-March/010990.html )

    • W: http://download.jitsi.org/deb/unstable/Release.gpg: Signature by key 040F57608F84BAF1BF844A62C697D823EB0AB654 uses weak digest algorithm (SHA1)

  • Microsoft dotnet cli repository

    • W: http://apt-mo.trafficmanager.net/repos/dotnet/dists/trusty/InRelease: Signature by key 52E16F86FEE04B979B07E28DB02C46DF417A0893 uses weak digest algorithm (SHA1)

  • Mendeley (contacted email address found in existing pub key)

    • W: gpgv:/var/lib/apt/lists/partial/desktop-download.mendeley.com_download_apt_dists_stable_Release.gpg: The repository is insufficiently signed by key 26BB02191EF4588D3A7BC30FD800C7D6F036044 (weak digest)

  • MongoDB (issue SERVER-23397)

    • W: gpgv:/var/lib/apt/lists/repo.mongodb.org_apt_debian_dists_wheezy_mongodb-org_3.0_Release.gpg: The repository is insufficiently signed by key 492EAFE8CD016A07919F1D2B9ECBEC467F0CEB10 (weak digest)

  • Open Build Service

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_home:_emby_xUbuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key 7C73B6B7B0937468962299C50A506F712A7D8A28 (weak digest)

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Ubuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest)

  • Opera (contacted over twitter)

    • W: gpgv:/var/lib/apt/lists/deb.opera.com_opera-stable_dists_stable_InRelease: The repository is insufficiently signed by key 419D0ACF314E8E993F7F92E563F7D4AFF6D61D45 (weak digest)

  • Ring (contacted via email)

    • W: gpgv:/var/lib/apt/lists/nightly.apt.ring.cx_debian%5f8_dists_ring_InRelease: The repository is insufficiently signed by key A295D773307D25A33AE72F2F64CD5FA175348F84 (weak digest)

  • Slack (Contacted via Support form)

    • W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Signature by key F86AA916A2195E121AEDB11437BBEE3F7AD95B3F uses weak digest algorithm (SHA1)

  • Steam (Link to github issue)

    • W: gpgv:/var/lib/apt/lists/repo.steampowered.com_steam_dists_precise_InRelease: The repository is insufficiently signed by key BA1816EF8E75005FCF5E27A1F24AEA9FB05498B7 (weak digest)

  • Ubuntu PPAs (mostly fixed; some pre-xenial Release files may still use SHA-1)

  • VideoLAN

    • W: gpgv:/var/lib/apt/lists/download.videolan.org_pub_debian_stable_Release.gpg: The repository is insufficiently signed by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 (weak digest)

  • Virtualbox

    • W: gpgv:/var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_wily_InRelease: The repository is insufficiently signed by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 (weak digest)

  • Vivaldi

    • W: gpgv:/var/lib/apt/lists/repo.vivaldi.com_archive_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key ED18652D86E25D422EA7CE132CC26F777B8B44A1 (weak digest)

Fixing half-broken repositories

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the Release file. Repositories signed with DSA keys need to be migrated to RSA first, since such keys are tied to a 160-bit (SHA1-sized) digest.

Migrating from DSA to RSA is best done by signing the repository with two keys (the old and the new one) and shipping the new key to the users. A relatively safe way to ship the key is to embed it in a package. Some months after those changes, it is OK to drop the old key from the repository and from the users' machines (if it was shipped in a package).
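A repository owner can verify the result of the re-signing (and of the two-key migration) without waiting for an apt run. The Python script below is an added example for this page, not apt's or GnuPG's code; it assumes only the public OpenPGP packet layout of RFC 4880 and reports, for every signature packet in a Release.gpg or InRelease file, the issuer key ID and the digest algorithm, flagging the ones apt calls weak. The signatures it builds for its own demonstration are constructed and carry no real key material; on a real file, `gpg --list-packets` shows the same "digest algo" field.

```python
"""Report the digest algorithm of every OpenPGP signature on an apt Release.gpg
or InRelease file, so a weak (SHA1) signature is found before users see it.

Added example for this wiki page, not apt's or GnuPG's code.  It reads only
the RFC 4880 packet fields; the sample signatures are constructed below and
are not cryptographically valid.
"""
import base64
import re

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests apt reports as weak; anything from the SHA-2 family is acceptable.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def _dearmor_signature(text):
    """Raw packet bytes of the PGP SIGNATURE block (the whole Release.gpg,
    or the trailing block of a clearsigned InRelease)."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----",
                  text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE block found")
    lines = m.group(1).splitlines()
    if "" in lines:                       # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    b64 = "".join(l for l in lines if l and not l.startswith("="))  # "=XXXX" is the CRC24
    return base64.b64decode(b64)


def _packet_header(buf, pos):
    """Parse the packet header at `pos`; return (tag, body_offset, body_length)."""
    ctb = buf[pos]
    if ctb & 0x40:                        # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not used for signatures")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:                        # indeterminate length: rest of the data
        return tag, pos + 1, len(buf) - pos - 1
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")


def _issuer_from_subpackets(area):
    """Issuer key ID (subpacket type 16) from a signature subpacket area, if present."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(area[pos + 1:pos + 5], "big"), pos + 5
        if area[pos] & 0x7F == 16:
            return area[pos + 1:pos + length].hex().upper()
        pos += length
    return None


def _parse_signature(body):
    version = body[0]
    if version == 4:                      # version, sig type, pubkey algo, hash algo, ...
        hash_algo = body[3]
        hlen = int.from_bytes(body[4:6], "big")
        hashed = body[6:6 + hlen]
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        unhashed = body[8 + hlen:8 + hlen + ulen]
        issuer = _issuer_from_subpackets(hashed) or _issuer_from_subpackets(unhashed)
    elif version == 3:                    # len(5), type, time(4), key id(8), pk algo, hash algo
        issuer, hash_algo = body[7:15].hex().upper(), body[16]
    else:
        raise ValueError(f"unsupported signature packet version {version}")
    digest = HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})")
    return {"key_id": issuer, "digest": digest, "weak": digest in WEAK_DIGESTS}


def signature_digests(armored_text):
    """One entry per signature packet; a dual-signed Release.gpg yields two."""
    buf, pos, found = _dearmor_signature(armored_text), 0, []
    while pos < len(buf):
        tag, start, length = _packet_header(buf, pos)
        if tag == 2:                      # signature packet
            found.append(_parse_signature(buf[start:start + length]))
        pos = start + length
    return found


def make_sample_release_gpg(signatures):
    """Constructed test data: one fake v4 RSA signature packet per
    (hash_algo_id, key_id_hex) pair, ASCII-armored.  Not a real signature."""
    packets = b""
    for hash_algo, key_id in signatures:
        issuer = bytes.fromhex(key_id)
        unhashed = bytes([len(issuer) + 1, 16]) + issuer           # Issuer subpacket
        body = (bytes([4, 0x00, 1, hash_algo]) + b"\x00\x00"        # no hashed subpackets
                + len(unhashed).to_bytes(2, "big") + unhashed
                + b"\x12\x34" + b"\x01\x00" + b"\x80" + b"\x00" * 31)  # hash prefix, dummy MPI
        packets += bytes([0x89]) + len(body).to_bytes(2, "big") + body  # old-format tag 2
    b64 = base64.b64encode(packets).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    # Old key still signing with SHA1 beside the new key using SHA512, as during a migration.
    for sig in signature_digests(make_sample_release_gpg([(2, "0123456789ABCDEF"),
                                                          (10, "FEDCBA9876543210")])):
        print(sig)
```

On a real repository, `signature_digests(open("InRelease").read())` returning any entry with `weak` set to True is what apt 1.2.x prints as "(weak digest)" or "uses weak digest algorithm (SHA1)"; during a two-key migration, the key ID tells you which of the two signatures still needs the --digest-algo change.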

Compliant repositories

The following third-party repositories are compliant.

  • Liquorix - contacted via IRC, now fixed.
  • Nuvola Player
  • Spotify - fixed since Mar 31
  • Syncthing
  • Ubuntu PPAs (all xenial Release files, and some for earlier series)