This page keeps track of repositories broken or half-broken by the SHA1 removal. Please note that we intend to shut off SHA1 completely on January 1, 2017.
Feel free to add other affected repos here.
Broken repositories
These issue warnings about insufficiently signed repositories (apt 1.2.7) or weak signatures (apt 1.2.8).
The cause of this is a missing SHA256 or SHA512 entry in the Release and/or Packages files.
- Google repositories
- Chrome (until Mar 18)
- Music Manager
- Talk Plugin
Fixing it
Repository owners should make sure their Release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.
If the repository is also affected by the other error below, that should also be fixed.
Half-broken repositories
These issue errors like "No hash entry found ... which is strong enough for security purposes" and cause a failure.
It means the GPG signature on the Release file was made with SHA1 as the hash (= digest) algorithm.
- Google Chrome (since Mar 18, broken before)
- Insync
- Liquorix (contacted over IRC)
- Opera (contacted over twitter)
- Steam
- Spotify (contacted via key UID)
- Ubuntu PPAs (fix pending)
- VideoLAN
- Virtualbox
- Vivaldi
Fixing
The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.
Migrating from DSA to RSA is best done by signing the repository with two keys (the old and the new one) and shipping the new one to the users. A relatively safe way to ship the key would be to embed it in the package. Some months after those changes, it is OK to drop the old key from the repository and from the users' machines (if it was shipped with a package).
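The following script is an added example (not part of this wiki page) that lets a repository owner check for both problems described above: a Release file without SHA256/SHA512 fields, and a Release.gpg signature made with SHA1 or with a DSA key. It assumes the line format of `gpg --list-packets` (":signature packet: algo N, ..." and "digest algo M, ..."); the sample files it creates are constructed.

```sh
#!/bin/sh
# Added example, not from the wiki page. Checks a Release file for SHA2 fields and
# a saved `gpg --list-packets Release.gpg` output for the signature's hash and key.
release_has_sha2() {
    # $1 = Release/InRelease file; succeed if it has a SHA256: or SHA512: section
    grep -Eq '^(SHA256|SHA512):' "$1"
}
sig_key_algo() {
    # $1 = saved `gpg --list-packets` output; print the public-key algorithm id
    sed -n 's/^:signature packet: algo \([0-9]*\),.*/\1/p' "$1" | head -n 1
}
sig_digest_algo() {
    # $1 = saved `gpg --list-packets` output; print the hash algorithm id
    sed -n 's/.*digest algo \([0-9]*\),.*/\1/p' "$1" | head -n 1
}
sig_is_sha2() {
    # OpenPGP hash ids: 2 = SHA1 (rejected), 8/9/10/11 = SHA256/384/512/224
    case "$(sig_digest_algo "$1")" in 8|9|10|11) return 0 ;; *) return 1 ;; esac
}
sig_key_is_rsa() {
    # OpenPGP key ids: 1 = RSA, 17 = DSA (DSA keys must be migrated to RSA first)
    [ "$(sig_key_algo "$1")" = 1 ]
}
check_repo() {
    # $1 = Release file, $2 = list-packets output; print findings, succeed if clean
    rc=0
    release_has_sha2 "$1" || { echo "broken: Release lacks SHA256/SHA512 fields"; rc=1; }
    sig_is_sha2 "$2"      || { echo "half-broken: signature digest is not SHA2"; rc=1; }
    sig_key_is_rsa "$2"   || { echo "note: signing key is not RSA; migrate first"; rc=1; }
    return $rc
}
# Constructed samples (checksums are those of an empty file, keyids are fake).
TMP=$(mktemp -d)
printf '%s\n' 'Suite: stable' 'MD5Sum:' \
  ' d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages' \
  'SHA1:' ' da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages' \
  > "$TMP/Release.broken"
printf '%s\n' 'Suite: stable' 'SHA256:' \
  ' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages' \
  > "$TMP/Release.fixed"
printf '%s\n' ':signature packet: algo 17, keyid 0000000000000001' \
  '        version 4, created 1458000000, md5len 0, sigclass 0x00' \
  '        digest algo 2, begin of digest 00 00' > "$TMP/sig.sha1"
printf '%s\n' ':signature packet: algo 1, keyid 0000000000000002' \
  '        version 4, created 1458000000, md5len 0, sigclass 0x00' \
  '        digest algo 10, begin of digest 00 00' > "$TMP/sig.sha512"
check_repo "$TMP/Release.broken" "$TMP/sig.sha1" || echo "-> repository needs fixing"
```

On a real repository, run `gpg --list-packets Release.gpg > packets.txt` and call `check_repo Release packets.txt`.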