Differences between revisions 7 and 8
Revision 7 as of 2016-03-19 00:33:41
Size: 1856
Editor: ColinWatson
Comment: link to PPA bug
Revision 8 as of 2016-03-19 02:17:06
Size: 1918
Editor: ?Unit193
Comment: Add Virtualbox, VideoLAN, and Liquorix.
Line 27: Line 27:
 * Google Chrome (since Mar 18, broken before)
Line 28: Line 29:
 * Google Chrome (since Mar 18, broken before)  * Liquorix (contacted over IRC)
Line 30: Line 31:
 * Steam
Line 31: Line 33:
 * Steam
Line 33: Line 34:
 * VideoLAN
 * Virtualbox
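Review bot: the entry added at Line 33 spells the project "Virtualbox"; Oracle's project name is "VirtualBox" (capital B), so the list entry should use that spelling to match how the other vendors (VideoLAN, Liquorix) are written with their own capitalization.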

This page keeps track of repositories broken or half-broken by the SHA1 removal. Please note that we intend to shut off SHA1 completely on January 1, 2017.

Feel free to add other affected repos here.

Broken repositories

These make apt issue warnings about insufficiently signed repositories (apt 1.2.7) or weak signatures (apt 1.2.8).

The cause of this is a missing SHA256 or SHA512 entry in the Release and/or Packages files.

  • Google repositories
    • Chrome (until Mar 18)
    • Music Manager
    • Talk Plugin

Fixing it

Repository owners should make sure their release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.

If the repository is also affected by the other error below, that should also be fixed.
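An added check for repository owners, not part of this wiki page: it parses a Release file and a Sources file the way apt's field layout allows (a checksum section header such as `SHA256:` followed by indented hash lines; stanzas separated by blank lines) and reports whether the SHA2 fields described above are present. The sample Release and Sources texts are constructed for the example and are not from any real repository.

```python
# Added example (not from the wiki page): does a Release file carry a SHA256
# or SHA512 section, and do all Sources stanzas carry Checksums-Sha256?
import re

# Checksum section headers a Release file may contain. Only the SHA2 ones
# count as strong for apt 1.2.7 and later.
STRONG_RELEASE_FIELDS = {"SHA256", "SHA512"}


def release_hash_fields(release_text):
    """Return the set of checksum section names present in a Release file.

    A section starts with a line such as 'SHA256:' and is followed by
    indented '<hash> <size> <path>' lines; only the header line matters here.
    """
    found = set()
    for line in release_text.splitlines():
        m = re.match(r"^(MD5Sum|SHA1|SHA256|SHA512):\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def release_is_strong(release_text):
    """True if the Release file has at least one SHA2 checksum section."""
    return bool(release_hash_fields(release_text) & STRONG_RELEASE_FIELDS)


def sources_stanzas_missing_sha256(sources_text):
    """Return the Package names of Sources stanzas lacking Checksums-Sha256."""
    missing = []
    for stanza in re.split(r"\n\s*\n", sources_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():      # indented continuation (hash entries)
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if "Checksums-Sha256" not in fields:
            missing.append(fields.get("Package", "?"))
    return missing


# Constructed sample: a Release file with only MD5Sum and SHA1 sections
# (the "broken" case above) and the same file after adding SHA256.
BROKEN_RELEASE = """\
Origin: Example
Suite: stable
Date: Fri, 18 Mar 2016 12:00:00 UTC
Architectures: amd64
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
"""
FIXED_RELEASE = BROKEN_RELEASE + """\
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Constructed sample Sources file: first stanza lacks Checksums-Sha256.
SOURCES = """\
Package: hello
Version: 2.10-1
Files:
 00000000000000000000000000000000 1234 hello_2.10-1.dsc
Checksums-Sha1:
 0000000000000000000000000000000000000000 1234 hello_2.10-1.dsc

Package: goodbye
Version: 1.0-1
Files:
 00000000000000000000000000000000 999 goodbye_1.0-1.dsc
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 999 goodbye_1.0-1.dsc
"""

if __name__ == "__main__":
    print("broken Release strong?", release_is_strong(BROKEN_RELEASE))
    print("fixed Release strong? ", release_is_strong(FIXED_RELEASE))
    print("Sources lacking SHA256:", sources_stanzas_missing_sha256(SOURCES))
```

Run it against a real `dists/<suite>/Release` and `Sources` (after decompressing) to see which of the two fixes above a repository still needs; a Release file that only lists `MD5Sum` and `SHA1` is exactly the case apt 1.2.7 and 1.2.8 warn about.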

Half-broken repositories

These issue errors like "No hash entry found ... which is strong enough for security purposes" and cause a failure.

It means the GPG signature on the Release file was made with SHA1 as the hash (= digest) algorithm.

  • Google Chrome (since Mar 18, broken before)
  • Insync
  • Liquorix (contacted over IRC)
  • Opera (contacted over twitter)
  • Steam
  • Spotify (contacted via key UID)
  • Ubuntu PPAs (fix pending)
  • VideoLAN
  • Virtualbox
  • Vivaldi

Fixing

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.

Migrating from DSA to RSA is best done by signing the repository with two keys (the old and the new one) and shipping the new one to the users. A relatively safe way to ship the key is to embed it in a package. Some months after those changes, it is OK to drop the old key from the repository and from the users' machines (if it was shipped in a package).
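An added example covering both the re-signing step and the two-key migration above; it is not part of the wiki page. It reads an ASCII-armored `Release.gpg`, walks the OpenPGP packets (RFC 4880 header and v3/v4 signature layouts) and reports the public-key and digest algorithm of every signature, so a repository owner can confirm that the new signatures really use a SHA2 digest and that both the old and the new key are present during the migration period. The sample signatures are constructed dummies built in the code (not verifiable, only structurally valid); `constructed_signature` and `armor` exist only to make the example run offline.

```python
# Added example, not from the wiki page: report the digest algorithm of every
# signature in an ASCII-armored Release.gpg.
import base64
import struct

# RFC 4880 section 9.4 hash algorithm IDs and section 9.1 public-key IDs.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA"}
# The SHA2 family, which the page lists as acceptable for Release signatures.
STRONG_HASHES = {"SHA224", "SHA256", "SHA384", "SHA512"}


def dearmor(text):
    """Decode the base64 payload of an ASCII-armored OpenPGP block."""
    chunks, in_body = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_body = True
        elif line.startswith("-----END PGP"):
            break
        elif in_body and line and ":" not in line and not line.startswith("="):
            # skip armor headers ("Version: ..."), the blank separator and the
            # "=XXXX" CRC line; everything else is base64 data
            chunks.append(line)
    return base64.b64decode("".join(chunks))


def packet_header(data, off):
    """Parse the packet header at data[off:]; return (tag, body_off, body_len)."""
    first = data[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag, l1 = first & 0x3F, data[off + 1]
        if l1 < 192:
            return tag, off + 2, l1
        if l1 < 224:
            return tag, off + 3, ((l1 - 192) << 8) + data[off + 2] + 192
        if l1 == 255:
            return tag, off + 6, struct.unpack(">I", data[off + 2:off + 6])[0]
        raise ValueError("partial body lengths are not used in Release.gpg")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 0:
        return tag, off + 2, data[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", data[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", data[off + 1:off + 5])[0]
    return tag, off + 1, len(data) - off - 1          # indeterminate length


def signature_algorithms(body):
    """Return (pubkey_algo, hash_algo) names from a signature packet body."""
    version = body[0]
    if version == 4:
        pk, hashid = body[2], body[3]
    elif version == 3:
        # v3: version, 0x05, sigtype, 4-byte time, 8-byte key id, pk, hash
        pk, hashid = body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return (PUBKEY_ALGOS.get(pk, "algo %d" % pk),
            HASH_ALGOS.get(hashid, "hash %d" % hashid))


def check_release_gpg(armored):
    """List (pubkey_algo, hash_algo, strong) for each signature in Release.gpg."""
    data, off, result = dearmor(armored), 0, []
    while off < len(data):
        tag, body_off, body_len = packet_header(data, off)
        body = data[body_off:body_off + body_len]
        if tag == 2:                                  # signature packet
            pk, h = signature_algorithms(body)
            result.append((pk, h, h in STRONG_HASHES))
        off = body_off + body_len
    return result


def constructed_signature(pubkey_algo, hash_algo):
    """Build a dummy v4 signature packet (constructed sample, not verifiable)."""
    body = (bytes([4, 0x00, pubkey_algo, hash_algo])  # version, sigclass, algos
            + b"\x00\x00" + b"\x00\x00"               # no hashed/unhashed subpackets
            + b"\x00\x00"                             # left 16 bits of the hash
            + b"\x00\x08\x01")                        # one 8-bit MPI as filler
    return bytes([0x88, len(body)]) + body            # old-format header, tag 2


def armor(packets):
    """Wrap raw packets in PGP SIGNATURE armor (the CRC line is a dummy)."""
    b64 = base64.b64encode(packets).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


# Constructed samples: a SHA1 signature from a DSA key (what apt rejects), and
# the same repository during migration, signed with both the old DSA key and a
# new RSA key using --digest-algo SHA512.
SAMPLE_WEAK = armor(constructed_signature(17, 2))
SAMPLE_MIGRATING = armor(constructed_signature(17, 2) + constructed_signature(1, 10))

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("migrating", SAMPLE_MIGRATING)):
        for pk, h, strong in check_release_gpg(sample):
            print("%s: %s key, %s digest -> %s" % (name, pk, h, "ok" if strong else "REJECTED"))
```

Without this script the same information is available from `gpg --list-packets Release.gpg`, whose signature packet line shows `digest algo 2` for SHA1 and `digest algo 10` for SHA512; during the two-key period described above a correct `Release.gpg` contains two signature packets, and only once the old key has been dropped should the DSA/SHA1 one disappear.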