Differences between revisions 70 and 71
Revision 70 as of 2016-05-16 19:18:24
Size: 13013
Editor: Ben Abrams
Comment:
Revision 71 as of 2016-05-21 14:17:08
Size: 12437
Editor: MartinWimpress
Comment:
Line 26: Line 26:
 * '''Spider Oak ONE''' - Contacted via email
  * `W:gpgv:/var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release.gpg: The repository is insufficiently signed by key FE45E5330B11DCF03247EF49A6FF22FF08C15DD0 (weak digest), W:Failed to fetch http://APT.spideroak.com/ubuntu-spideroak-hardy/dists/release/Release No Hash entry in Release file /var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.`
Line 162: Line 160:
  * SpiderOakONE - fixed since May 16

This page keeps track of repositories broken or half-broken by the SHA1 removal. Please note that we intend to shut off SHA1 completely on January 1, 2017.

Feel free to add other affected repositories here.

Broken repositories

These issue errors like "No Hash entry in Release file ... which is considered strong enough for security purposes" and cause the update to fail.

The cause of this is a missing SHA256 or SHA512 entry in the Release and/or Packages files.

  • Google repositories (contacted ospo at google.com)

    • Google Chrome (half-broken since March 18th 2016)

    • Google Music Manager

      • W:gpgv:/var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest), W:Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.

    • Google Talk Plugin

      • W:gpgv:/var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest), W:Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.

    • Google Dart

      • E: Failed to fetch https://storage.googleapis.com/download.dartlang.org/linux/debian/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/storage.googleapis.com_download.dartlang.org_linux_debian_dists_stable_Release, which is considered strong enough for security purposes

    • Google Earth

      • E: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_earth_deb_dists_stable_Release which is considered strong enough for security purposes

  • Nvidia CUDA

    • E: Failed to fetch http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64/Release No Hash entry in Release file /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1504_x86%5f64_Release which is considered strong enough for security purposes

  • sbt (sbt issue 2522)

    • W: Failed to fetch https://dl.bintray.com/sbt/debian/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_sbt_debian_Release, which is considered strong enough for security purposes

  • openHAB - Reported to maintainer

    • E: Failed to fetch http://dl.bintray.com/openhab/apt-repo/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_openhab_apt-repo_dists_stable_Release which is considered strong enough for security purposes

Fixing broken repositories

Repository owners should make sure their Release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.

If the repository is also affected by the other error below, that should also be fixed.
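A way to check a Release file for exactly the missing entries described above, as an added Python example (not code from this wiki page and not apt's own implementation). The Release contents in it are constructed samples: the hashes are those of an empty file and the sizes are made up, which is enough to exercise the parser.

```python
"""Check an APT Release file for the SHA-2 checksum entries apt requires.

Added example, not code from the wiki page or from apt: it parses the
Release format (scalar "Field: value" lines plus MD5Sum/SHA1/SHA256/SHA512
blocks of " <hash> <size> <path>" lines) and lists the index files that
would trigger "No Hash entry in Release file ... which is considered
strong enough for security purposes".
"""
DIGEST_FIELDS = ("MD5Sum", "SHA1", "SHA256", "SHA512")
STRONG_DIGESTS = ("SHA256", "SHA512")


def parse_release(text):
    """Return (fields, checksums).

    fields:    dict of scalar fields, e.g. {"Suite": "stable", ...}
    checksums: dict digest name -> dict path -> (hash, size)
    """
    fields, checksums, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            parts = line.split()          # continuation: "<hash> <size> <path>"
            if len(parts) == 3:
                checksums[current][parts[2]] = (parts[0], int(parts[1]))
            continue
        current = None
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # blank or malformed line
        name = name.strip()
        if name in DIGEST_FIELDS:
            current = name                # following indented lines belong to it
            checksums.setdefault(name, {})
        else:
            fields[name] = value.strip()
    return fields, checksums


def weak_index_files(checksums):
    """Paths listed only under MD5Sum/SHA1, i.e. without any SHA-2 entry."""
    listed = {p for entries in checksums.values() for p in entries}
    strong = {p for d in STRONG_DIGESTS for p in checksums.get(d, {})}
    return sorted(listed - strong)


def classify_release(text):
    """'ok' when every index file has a SHA256 or SHA512 entry, else 'broken'."""
    _, checksums = parse_release(text)
    if not checksums or weak_index_files(checksums):
        return "broken"
    return "ok"


# Constructed samples (hashes are those of an empty file, sizes are made up).
# A repository built before SHA-2 support looks like BROKEN_RELEASE.
BROKEN_RELEASE = """\
Origin: Example
Suite: stable
Codename: stable
Date: Mon, 16 May 2016 12:00:00 UTC
Architectures: amd64
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 1234 main/binary-amd64/Packages
 d41d8cd98f00b204e9800998ecf8427e 456 main/binary-amd64/Packages.gz
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 1234 main/binary-amd64/Packages
 da39a3ee5e6b4b0d3255bfef95601890afd80709 456 main/binary-amd64/Packages.gz
"""

# Only the uncompressed Packages file was given a SHA256 entry: still broken
# for Packages.gz, the compressed index apt fetches by default.
PARTIAL_RELEASE = BROKEN_RELEASE + """\
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 1234 main/binary-amd64/Packages
"""

FIXED_RELEASE = PARTIAL_RELEASE + """\
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 456 main/binary-amd64/Packages.gz
"""

if __name__ == "__main__":
    for name, release in (("broken", BROKEN_RELEASE), ("partial", PARTIAL_RELEASE), ("fixed", FIXED_RELEASE)):
        print(name, classify_release(release), weak_index_files(parse_release(release)[1]))
```

The partial sample is the case to watch for after a fix: adding a SHA256 block is not enough unless every index file listed under MD5Sum or SHA1 also appears under it.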

Half-broken repositories

These issue warnings about insufficiently signed repositories (apt 1.2.7) or weak digest algorithms (apt 1.2.8).

This means the GPG signature on the Release file (Release.gpg or InRelease) was made with SHA1 as the hash (= digest) algorithm.

  • Bchemnet (SULDR) (contacted http://www.bchemnet.com/suldr/forum/index.php?topic=283.0)

    • W: http://www.bchemnet.com/suldr/dists/debian/InRelease: Signature by key 52C1D92CE6FC35F636B045C3C95104E509BAC46D uses weak digest algorithm (SHA1)

  • Beyond Compare

    • W: http://www.scootersoftware.com/dists/bcompare4/Release.gpg: Signature by key C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE uses weak digest algorithm (SHA1)

  • Blue Jeans

    • W: gpgv:/var/lib/apt/lists/swdl.bluejeans.com_repos_bluejeans_x86%5f64_release_debs_dists_stable_Release.gpg: The repository is insufficiently signed by key BBCB188AD7B3228BCF05BD554C0BE21B5FF054BD (weak digest)

  • CFEngine Community

    • W: gpgv:/var/lib/apt/lists/cfengine-package-repos.s3.amazonaws.com_pub_apt_packages_dists_stable_Release.gpg: The repository is insufficiently signed by key 850614F65F7C006979BCF9EA7061B663A86E7AFA (weak digest)

  • Charles Proxy Repository (contacted via email form)

    • W: https://www.charlesproxy.com/packages/apt/dists/charles-proxy/InRelease: Signature by key 29A78E603B29AC9A889235E6500CCEC520E0B5BF uses weak digest algorithm (SHA1)

  • Cloudera CDH

    • W: http://archive.cloudera.com/cdh5/debian/wheezy/amd64/cdh/dists/wheezy-cdh5/InRelease: Signature by key F36A89E33CC1BD0F71079007327574EE02A818DD uses weak digest algorithm (SHA1)

  • Bt Sync (Unofficial)

    • W: gpgv:/var/lib/apt/lists/debian.yeasoft.net_btsync_dists_unstable_InRelease: The repository is insufficiently signed by key 06ABBEA18548527F04A2FC2840FC0CD26BF18B15 (weak digest)

  • Dropbox (upstream is working on it) (fixed)

    • W: gpgv:/var/lib/apt/lists/linux.dropbox.com_ubuntu_dists_wily_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)

  • Enpass

    • W: gpgv:/var/lib/apt/lists/repo.sinew.in_dists_stable_InRelease: The repository is insufficiently signed by key B6DA722E2E65721AF54B93966F7565879798C2FC (weak digest)

  • Epson

    • W: http://download.ebz.epson.net/dsc/op/stable/debian/dists/lsb3.2/Release.gpg: Signature by key E5220FB7014D0FBDA50DFC2BE5E86C008AA65D56 uses weak digest algorithm (SHA1)

  • GeoGebra (emailed)

    • W: http://www.geogebra.net/linux/dists/stable/InRelease: Signature by key 98272894F6478AA4434B41D3C072A32983A736CF uses weak digest algorithm (SHA1)

  • Google Chrome (Link to Google Chrome Issue)

    • W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

  • Heroku Toolbelt

    • W: http://toolbelt.heroku.com/ubuntu/./Release.gpg: Signature by key 150C6249147592DE6D91981CC927EBE00F1B0520 uses weak digest algorithm (SHA1)

  • Hipchat 3

    • W: http://downloads.hipchat.com/linux/apt/dists/stable/InRelease: Signature by key 69F57C04EA38EEE7A47E9BCCAAD4AA21729B5780 uses weak digest algorithm (SHA1)

  • Insync (contacted via email and fixed)

  • Jenkins

    • W: http://pkg.jenkins-ci.org/debian/binary/Release.gpg: Signature by key 150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6 uses weak digest algorithm (SHA1)

  • Jitsi (notified via email http://lists.jitsi.org/pipermail/users/2016-March/010990.html )

    • W: http://download.jitsi.org/deb/unstable/Release.gpg: Signature by key 040F57608F84BAF1BF844A62C697D823EB0AB654 uses weak digest algorithm (SHA1)

  • Mendeley (contacted email address found in existing pub key)

    • W: gpgv:/var/lib/apt/lists/partial/desktop-download.mendeley.com_download_apt_dists_stable_Release.gpg: The repository is insufficiently signed by key 26BB02191EF4588D3A7BC30FD800C7D6F036044 (weak digest)

  • MongoDB (issue SERVER-23397)

    • W: gpgv:/var/lib/apt/lists/repo.mongodb.org_apt_debian_dists_wheezy_mongodb-org_3.0_Release.gpg: The repository is insufficiently signed by key 492EAFE8CD016A07919F1D2B9ECBEC467F0CEB10 (weak digest)

  • Nginx (contacted via IRC - planning on fixing this during summer 2016)

    • W: http://nginx.org/packages/debian/dists/jessie/Release.gpg: Signature by key 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uses weak digest algorithm (SHA1)

  • Open Build Service

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_home:_emby_xUbuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key 7C73B6B7B0937468962299C50A506F712A7D8A28 (weak digest)

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Ubuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest)

  • Open Printing

    • W: http://www.openprinting.org/download/printdriver/debian/dists/lsb3.2/Release.gpg: Signature by key F8897B6F00075648E248B7EC24CBF5474CFD1E2F uses weak digest algorithm (SHA1)

  • Percona

    • W: http://repo.percona.com/apt/dists/wheezy/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

  • plexpass/plexmediaserver (Tried to contact via IRC - no answer)

    • W: http://shell.ninthgate.se/packages/debian/dists/plexpass/InRelease: Signature by key 50EE969049C1996AD773A391E639BFCB72740199 uses weak digest algorithm (SHA1)

  • Ring (contacted via email)

    • W: gpgv:/var/lib/apt/lists/nightly.apt.ring.cx_debian%5f8_dists_ring_InRelease: The repository is insufficiently signed by key A295D773307D25A33AE72F2F64CD5FA175348F84 (weak digest)

  • Slack (Contacted via Support form) (fixed since May 11)

    • W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Signature by key F86AA916A2195E121AEDB11437BBEE3F7AD95B3F uses weak digest algorithm (SHA1)

  • Steam (Link to github issue)

    • W: gpgv:/var/lib/apt/lists/repo.steampowered.com_steam_dists_precise_InRelease: The repository is insufficiently signed by key BA1816EF8E75005FCF5E27A1F24AEA9FB05498B7 (weak digest)

  • Tel.Red (Sky Lync client)

    • W: http://repos.tel.red/debian/dists/stable/Release.gpg: Signature by key 9454C19A66B920C83DDF696E07C8CCAFCE49F8C5 uses weak digest algorithm (SHA1)

  • TVHeadEnd (old repository, contacted via IRC)

  • Ubuntu PPAs (mostly fixed; some pre-xenial Release files may still use SHA-1)

  • VideoLAN

    • W: gpgv:/var/lib/apt/lists/download.videolan.org_pub_debian_stable_Release.gpg: The repository is insufficiently signed by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 (weak digest)

  • Virtualbox

    • W: gpgv:/var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_wily_InRelease: The repository is insufficiently signed by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 (weak digest)

  • Vivaldi

    • W: gpgv:/var/lib/apt/lists/repo.vivaldi.com_archive_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key ED18652D86E25D422EA7CE132CC26F777B8B44A1 (weak digest)

Fixing half-broken repositories

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.

Migrating from DSA to RSA is best done by signing the repository with two keys (the old and the new one) and shipping the new key to the users. A relatively safe way to ship the key is to embed it in a package. Some months after those changes, it is OK to drop the old key from the repository and from the users' machines (if it was shipped with a package).
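To confirm the result of re-signing with --digest-algo SHA512, or of dual-signing during the DSA-to-RSA migration just described, here is an added Python example that reads the signature packets of a Release.gpg directly (it is not code from this wiki page, apt or gpg; gpg's own equivalent view is `gpg --list-packets Release.gpg`). The Release.gpg contents it inspects are constructed signature packets with no real key behind them, built only to exercise the parser; the key and digest algorithm numbers are the registered OpenPGP values.

```python
"""Report the key and digest algorithm of each signature in a Release.gpg.

Added example, not code from the wiki page, apt or gpg: it strips the ASCII
armor, walks the OpenPGP packet stream (RFC 4880, section 4.2) and reads the
public-key and hash algorithm bytes of each signature packet (section 5.2.3).
A dual-signed file simply holds two signature packets, one per key.
"""
import base64

HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_DIGESTS = {"MD5", "SHA1"}
SIGNATURE_TAG = 2


def dearmor(text):
    """Return the raw packet bytes inside a PGP SIGNATURE armor block."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header found")
    for line in lines:                  # "Version: ..." headers end at a blank line
        if not line.strip():
            break
    data = []
    for line in lines:
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if not line.startswith("="):    # "=xxxx" is the 24-bit CRC, not packet data
            data.append(line)
    return base64.b64decode("".join(data))


def iter_packets(data):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                  # new format: tag in low 6 bits, variable length
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not used for signatures")
        else:                           # old format: tag in bits 2-5, length size in bits 0-1
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
            if n is None:
                raise ValueError("indeterminate packet length")
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def describe_signature(body):
    """Decode version, key algorithm and digest from a signature packet body."""
    version = body[0]
    if version == 4:
        pk_algo, hash_algo = body[2], body[3]
    elif version == 3:                  # v3 has 15 header bytes before the algorithms
        pk_algo, hash_algo = body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    digest = HASH_ALGOS.get(hash_algo, "unknown(%d)" % hash_algo)
    return {"version": version,
            "pubkey": PUBKEY_ALGOS.get(pk_algo, "unknown(%d)" % pk_algo),
            "digest": digest,
            "weak": digest in WEAK_DIGESTS}


def audit_release_gpg(armored):
    """One dict per signature packet, in file order (every key that signed)."""
    return [describe_signature(body)
            for tag, body in iter_packets(dearmor(armored)) if tag == SIGNATURE_TAG]


def build_sample_signature(pk_algo, hash_algo):
    """Constructed v4 signature packet for the demo: no real key, not verifiable."""
    hashed = b"\x05\x02\x57\x3f\x8a\x00"          # subpacket: signature creation time
    unhashed = b"\x09\x10" + b"\xab" * 8          # subpacket: issuer key ID (made up)
    body = (bytes([4, 0x00, pk_algo, hash_algo])  # version 4, type 0x00 (binary document)
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x12\x34"                         # left 16 bits of the (fake) hash
            + b"\x00\x08\x5a")                    # one dummy 8-bit MPI
    return bytes([0x88, len(body)]) + body        # old-format header: tag 2, 1-byte length


def armor(packets):
    b64 = base64.b64encode(packets).decode()
    return "-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n%s\n-----END PGP SIGNATURE-----\n" % b64


# Constructed Release.gpg contents: an old DSA key signing with SHA1, the same
# file dual-signed by the old DSA key and a new RSA key using SHA512, and the
# final state once the old key has been dropped.
WEAK_SAMPLE = armor(build_sample_signature(17, 2))
MIGRATED_SAMPLE = armor(build_sample_signature(17, 2) + build_sample_signature(1, 10))
FIXED_SAMPLE = armor(build_sample_signature(1, 10))
```

Run `audit_release_gpg()` on a real Release.gpg (or on the armored block at the end of an InRelease file) after re-signing: every entry should report a SHA-2 digest, and during a two-key migration the DSA entry is the one that still shows SHA1 until the old key is dropped.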

Compliant repositories

The following third-party repositories are compliant.

  • Liquorix - contacted via IRC, now fixed.
  • Nuvola Player
  • Spotify - fixed since Mar 31
  • Syncthing
  • Ubuntu PPAs (all xenial Release files, and some for earlier series)
  • Microsoft dotnet CLI repository
  • Opera
  • sensu - fixed since April 22
  • SpiderOakONE - fixed since May 16
  • Hipchat 4 - fixed on May 16 (support ticket: https://jira.atlassian.com/browse/HCPUB-369)