Differences between revisions 89 and 90
Revision 89 as of 2016-08-01 07:19:14
Size: 13473
Editor: MartinBrotherBagge
Comment: emacs-snapshot corrected
Revision 90 as of 2016-10-12 13:35:05
Size: 13552
Editor: MichaelWeghorn
Comment: Add reference to Jenkins issue tracker

This page keeps track of third-party repositories that are broken or half-broken by the removal of SHA1 support from APT. Please note that we intend to shut off SHA1 completely on January 1, 2017.

Feel free to add other affected repositories here.

Broken repositories

These repositories produce errors like "No Hash entry in Release file ..., which is considered strong enough for security purposes", and the update fails: apt ignores the affected index files or keeps using old copies.

The cause is that the Release and/or Packages files carry only MD5Sum and SHA1 entries and lack SHA256 or SHA512 entries.

  • Google repositories (contacted ospo at google.com)

    • Google Chrome (half-broken since March 18th 2016)

    • Google Music Manager

      • W:gpgv:/var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
      • W:Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes
      • E:Some index files failed to download. They have been ignored, or old ones used instead.

    • Google Talk Plugin (fixed, but a few steps are needed on the client side to resolve it; see: https://productforums.google.com/d/msg/chrome/oqnwWyiAvWg/9hgjmdF_BgAJ)

      • W:gpgv:/var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
      • W:Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes
      • E:Some index files failed to download. They have been ignored, or old ones used instead.

    • Google Dart

      • E: Failed to fetch https://storage.googleapis.com/download.dartlang.org/linux/debian/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/storage.googleapis.com_download.dartlang.org_linux_debian_dists_stable_Release, which is considered strong enough for security purposes

    • Google Earth

      • E: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_earth_deb_dists_stable_Release which is considered strong enough for security purposes

  • Nvidia CUDA

    • E: Failed to fetch http://developer.download.nvidia.com/compute/cuda/repos/ubuntu1504/x86_64/Release No Hash entry in Release file /var/lib/apt/lists/partial/developer.download.nvidia.com_compute_cuda_repos_ubuntu1504_x86%5f64_Release which is considered strong enough for security purposes

  • sbt (sbt issue 2522)

    • W: Failed to fetch https://dl.bintray.com/sbt/debian/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_sbt_debian_Release, which is considered strong enough for security purposes

  • openHAB - Reported to maintainer

    • E: Failed to fetch http://dl.bintray.com/openhab/apt-repo/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.bintray.com_openhab_apt-repo_dists_stable_Release which is considered strong enough for security purposes

Fixing broken repositories

Repository owners should make sure their Release files and Packages files contain SHA256 or SHA512 entries: a strong hash for every index file listed, not just an empty section header. If they have Sources files, those should contain Checksums-Sha256.

If the repository is also affected by the weak-digest signature warning described below, that should be fixed as well.
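
As an added example (not part of this page and not apt's own code), the following Python script checks a Release, Packages or Sources file for the entries apt now requires, and names the files or stanzas that would trigger the error above. The sample Release and Packages texts embedded in it are constructed for the example; the digests shown are those of empty input.

```python
# Added example, not apt code: check apt index files for SHA-2 entries.
# SAMPLE_* inputs are constructed; the digests are those of empty input.

STRONG = ("SHA256", "SHA512")   # hash fields apt 1.2 still accepts


def parse_deb822(text):
    """Split deb822-style text into paragraphs of {field: value}.

    Continuation lines (leading whitespace) are appended to the previous
    field separated by newlines, which keeps Release hash sections intact.
    """
    paragraphs, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a paragraph
            if current:
                paragraphs.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            current[last] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last = field.strip()
        current[last] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def hash_section_files(paragraph, section):
    """Paths listed under a Release hash section ('<digest> <size> <path>')."""
    files = set()
    for entry in paragraph.get(section, "").split("\n"):
        parts = entry.split()
        if len(parts) == 3:
            files.add(parts[2])
    return files


def release_missing_strong(release_text):
    """Index files the Release lists only under MD5Sum/SHA1 (apt error)."""
    paragraphs = parse_deb822(release_text)
    if not paragraphs:
        return []
    para = paragraphs[0]
    weak = hash_section_files(para, "MD5Sum") | hash_section_files(para, "SHA1")
    strong = set()
    for section in STRONG:
        strong |= hash_section_files(para, section)
    return sorted(weak - strong)


def packages_missing_strong(packages_text):
    """Package names whose Packages stanza has no SHA256/SHA512 field."""
    return sorted(p.get("Package", "?") for p in parse_deb822(packages_text)
                  if not any(field in p for field in STRONG))


def sources_missing_strong(sources_text):
    """Source package names whose Sources stanza has no Checksums-Sha256."""
    return sorted(p.get("Package", "?") for p in parse_deb822(sources_text)
                  if "Checksums-Sha256" not in p)


# Constructed sample: Packages.gz is listed under MD5Sum and SHA1 only.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Codename: stable
Date: Wed, 12 Oct 2016 12:00:00 UTC
Architectures: amd64
Components: main
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages.gz
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages.gz
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

# Constructed sample: the 'bar' stanza predates SHA256 fields.
SAMPLE_PACKAGES = """\
Package: foo
Filename: pool/main/f/foo/foo_1.0_amd64.deb
MD5sum: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Package: bar
Filename: pool/main/b/bar/bar_2.0_amd64.deb
MD5sum: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

if __name__ == "__main__":
    print("Release, weak-only files:", release_missing_strong(SAMPLE_RELEASE))
    print("Packages, stanzas without SHA-2:", packages_missing_strong(SAMPLE_PACKAGES))
```

Run it against the real files after `apt-get update` (they sit under /var/lib/apt/lists/) or against the repository's dists/ tree before publishing; an empty result from all three functions means apt will find a strong hash for everything it fetches.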

Half-broken repositories

These repositories produce warnings only: "The repository is insufficiently signed by key ... (weak digest)" with apt 1.2.7, or "Signature by key ... uses weak digest algorithm (SHA1)" with apt 1.2.8 and later. Updates still succeed for now, but the warning will turn into an error once SHA1 is shut off.

Both messages mean the OpenPGP signature on the Release file (the detached Release.gpg or the clearsigned InRelease) was made with SHA1 as the hash (digest) algorithm.

  • Bchemnet (SULDR) (contacted http://www.bchemnet.com/suldr/forum/index.php?topic=283.0)

    • W: http://www.bchemnet.com/suldr/dists/debian/InRelease: Signature by key 52C1D92CE6FC35F636B045C3C95104E509BAC46D uses weak digest algorithm (SHA1)

  • Beyond Compare

    • W: http://www.scootersoftware.com/dists/bcompare4/Release.gpg: Signature by key C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE uses weak digest algorithm (SHA1)

  • Blue Jeans

    • W: gpgv:/var/lib/apt/lists/swdl.bluejeans.com_repos_bluejeans_x86%5f64_release_debs_dists_stable_Release.gpg: The repository is insufficiently signed by key BBCB188AD7B3228BCF05BD554C0BE21B5FF054BD (weak digest)

  • CFEngine Community

    • W: gpgv:/var/lib/apt/lists/cfengine-package-repos.s3.amazonaws.com_pub_apt_packages_dists_stable_Release.gpg: The repository is insufficiently signed by key 850614F65F7C006979BCF9EA7061B663A86E7AFA (weak digest)

  • Cloudera CDH

    • W: http://archive.cloudera.com/cdh5/debian/wheezy/amd64/cdh/dists/wheezy-cdh5/InRelease: Signature by key F36A89E33CC1BD0F71079007327574EE02A818DD uses weak digest algorithm (SHA1)

  • BtSync (Unofficial) - Maintainer contacted via Google+ on 21st May

    • W: gpgv:/var/lib/apt/lists/debian.yeasoft.net_btsync_dists_unstable_InRelease: The repository is insufficiently signed by key 06ABBEA18548527F04A2FC2840FC0CD26BF18B15 (weak digest)

  • Elasticsearch (contacted at https://discuss.elastic.co/t/fixing-debian-repository/51097)

    • W: http://packages.elastic.co/elasticsearch/2.x/debian/dists/stable/Release.gpg: Signature by key 46095ACC8548582C1A2699A9D27D666CD88E42B4 uses weak digest algorithm (SHA1)

  • emacs-snapshot (contacted dima via mail; corrected 1st of August)

    • W: http://emacs.secretsauce.net/dists/unstable/InRelease: Signature by key 0105C059050D09EF190826DB248E163FEFB35644 uses weak digest algorithm (SHA1)

  • Epson

    • W: http://download.ebz.epson.net/dsc/op/stable/debian/dists/lsb3.2/Release.gpg: Signature by key E5220FB7014D0FBDA50DFC2BE5E86C008AA65D56 uses weak digest algorithm (SHA1)

  • GeoGebra (emailed)

    • W: http://www.geogebra.net/linux/dists/stable/InRelease: Signature by key 98272894F6478AA4434B41D3C072A32983A736CF uses weak digest algorithm (SHA1)

  • Google Chrome (Link to Google Chrome Issue)

    • W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

  • Heroku Toolbelt

    • W: http://toolbelt.heroku.com/ubuntu/./Release.gpg: Signature by key 150C6249147592DE6D91981CC927EBE00F1B0520 uses weak digest algorithm (SHA1)

  • Hipchat 3

    • W: http://downloads.hipchat.com/linux/apt/dists/stable/InRelease: Signature by key 69F57C04EA38EEE7A47E9BCCAAD4AA21729B5780 uses weak digest algorithm (SHA1)

  • HPE

    • W: http://downloads.linux.hpe.com/SDR/repo/mcp/debian/dists/jessie/current/Release.gpg: Signature by key 882F7199B20F94BD7E3E690EFADD8D64B1275EA3 uses weak digest algorithm (SHA1)

  • InfluxDB

    • W: https://repos.influxdata.com/debian/dists/jessie/InRelease: Signature by key 05CE15085FC09D18E99EFB22684A14CF2582E0C5 uses weak digest algorithm (SHA1)

  • Jenkins (Jenkins issue: https://issues.jenkins-ci.org/browse/INFRA-717)

    • W: http://pkg.jenkins-ci.org/debian/binary/Release.gpg: Signature by key 150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6 uses weak digest algorithm (SHA1)

  • Jitsi (notified via email http://lists.jitsi.org/pipermail/users/2016-March/010990.html )

    • W: http://download.jitsi.org/deb/unstable/Release.gpg: Signature by key 040F57608F84BAF1BF844A62C697D823EB0AB654 uses weak digest algorithm (SHA1)

  • KX Studio (http://kxstudio.linuxaudio.org/ contacted via Launchpad)

    • W: http://kxstudio.linuxaudio.org/repo/dists/stable/Release.gpg: Signature by key 037E0CAFCAA96B99901CB0D52D3445A829213837 uses weak digest algorithm (SHA1)

    • W: http://ppa.launchpad.net/kxstudio-debian/plugins/ubuntu/dists/lucid/InRelease: Signature by key DF1BC724E4ED8A947FF0B0A1F8599E482BD84BD9 uses weak digest algorithm (SHA1)

  • Mendeley (contacted email address found in existing pub key)

    • W: gpgv:/var/lib/apt/lists/partial/desktop-download.mendeley.com_download_apt_dists_stable_Release.gpg: The repository is insufficiently signed by key 26BB02191EF4588D3A7BC30FD800C7D6F036044 (weak digest)

  • MongoDB (issue SERVER-23397)

    • W: gpgv:/var/lib/apt/lists/repo.mongodb.org_apt_debian_dists_wheezy_mongodb-org_3.0_Release.gpg: The repository is insufficiently signed by key 492EAFE8CD016A07919F1D2B9ECBEC467F0CEB10 (weak digest)

  • Nginx (contacted via IRC - planning on fixing this during summer 2016)

    • W: http://nginx.org/packages/debian/dists/jessie/Release.gpg: Signature by key 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 uses weak digest algorithm (SHA1)

  • Open Build Service

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_home:_emby_xUbuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key 7C73B6B7B0937468962299C50A506F712A7D8A28 (weak digest)

    • W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Ubuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest)

  • Open Printing

    • W: http://www.openprinting.org/download/printdriver/debian/dists/lsb3.2/Release.gpg: Signature by key F8897B6F00075648E248B7EC24CBF5474CFD1E2F uses weak digest algorithm (SHA1)

  • OpenLiteSpeed Server

    • W: http://rpms.litespeedtech.com/debian/dists/xenial/Release.gpg: Signature by key 42259994257E19EB6A91CA853F6F627083084D0E uses weak digest algorithm (SHA1)

    • W: Invalid 'Date' entry in Release file /var/lib/apt/lists/rpms.litespeedtech.com_debian_dists_xenial_Release

  • Percona

    • W: http://repo.percona.com/apt/dists/wheezy/InRelease: Signature by key 430BDF5C56E7C94E848EE60C1C4CBDCDCD2EFD2A uses weak digest algorithm (SHA1)

  • plexpass/plexmediaserver (Tried to contact via IRC - no answer)

    • W: http://shell.ninthgate.se/packages/debian/dists/plexpass/InRelease: Signature by key 50EE969049C1996AD773A391E639BFCB72740199 uses weak digest algorithm (SHA1)

  • Ring (contacted via email)

    • W: gpgv:/var/lib/apt/lists/nightly.apt.ring.cx_debian%5f8_dists_ring_InRelease: The repository is insufficiently signed by key A295D773307D25A33AE72F2F64CD5FA175348F84 (weak digest)

  • Slack (Contacted via Support form) (fixed since May 11)

    • W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Signature by key F86AA916A2195E121AEDB11437BBEE3F7AD95B3F uses weak digest algorithm (SHA1)

  • Tel.Red (Sky Lync client)

    • W: http://repos.tel.red/debian/dists/stable/Release.gpg: Signature by key 9454C19A66B920C83DDF696E07C8CCAFCE49F8C5 uses weak digest algorithm (SHA1)

  • TVHeadEnd (old repository, contacted via IRC)

  • VideoLAN

    • W: gpgv:/var/lib/apt/lists/download.videolan.org_pub_debian_stable_Release.gpg: The repository is insufficiently signed by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 (weak digest)

  • MySQL (no xenial repo available yet either)

    • W: http://repo.mysql.com/apt//ubuntu/dists/wily/InRelease: Signature by key A4A9406876FCBD3C456770C88C718D3B5072E1F5 uses weak digest algorithm (SHA1)

  • Shutter

    • W: http://ppa.launchpad.net/shutter/ppa/ubuntu/dists/wily/InRelease: Signature by key 5017D4931D0ACADE295B68ADFC6D7D9D009ED615 uses weak digest algorithm (SHA1)

  • SWI-Prolog (contacted via Google Group)

    • W: http://ppa.launchpad.net/swi-prolog/stable/ubuntu/dists/vivid/Release.gpg: Signature by key 73E75048FF27533C0D8DC521EF8406856DBFCA18 uses weak digest algorithm (SHA1)

Fixing half-broken repositories

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the Release file; both the detached Release.gpg and the clearsigned InRelease must be regenerated. Repositories signed with DSA keys need to be migrated to RSA first, because the widely deployed 1024-bit DSA keys are bound to a 160-bit digest.

Migrating from DSA to RSA is best done by signing the repository with both keys (the old and the new one) for a transition period and shipping the new key to users. A relatively safe way to ship the key is to embed it in a package the repository already provides, so that it reaches users under the old key's signature. Some months after those changes, it is OK to drop the old key from the repository and from the users' machines (if it was shipped with a package).
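
To see which digest a repository's signature actually uses without waiting for apt's warning, the following added Python example (not from this page, apt or GnuPG) de-armors a Release.gpg or InRelease file and reads the hash-algorithm field of every v4 signature packet as laid out in RFC 4880. The sample signature block is constructed for the example: its two packets have the right layout but junk MPIs and would never verify. They model a repository signed with two keys during the migration described above, RSA/SHA512 beside a legacy DSA/SHA1. The same information is printed by `gpg --list-packets Release.gpg` as "digest algo".

```python
# Added example, not apt or GnuPG code: report the hash algorithm of each
# v4 signature packet (RFC 4880 section 5.2.3) in Release.gpg or InRelease.
import base64

# RFC 4880 section 9.4 hash ids; apt warns on the first three as weak
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2, 3}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}


def dearmor_signature(text):
    """Binary signature packets from an ASCII-armored signature block.

    Works for a detached Release.gpg and for the block at the end of a
    clearsigned InRelease. The 'Hash:' line of a clearsigned file is only
    an armor header announcing digests; the packet field is authoritative.
    """
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----", start)
    body = lines[start + 1:end]
    if "" in body:                        # armor headers end at a blank line
        body = body[body.index("") + 1:]
    data = "".join(l for l in body if not l.startswith("="))  # drop =CRC24
    return base64.b64decode(data)


def read_packet_header(buf, pos):
    """(tag, body_offset, body_length) of the packet starting at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                      # new-format header
        tag, b = first & 0x3F, buf[pos + 1]
        if b < 192:
            return tag, pos + 2, b
        if b < 224:
            return tag, pos + 3, ((b - 192) << 8) + buf[pos + 2] + 192
        if b == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:                        # indeterminate: rest of buffer
        return tag, pos + 1, len(buf) - pos - 1
    n = 1 << ltype                        # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def signature_digests(sig_bytes):
    """[(pubkey_algo, hash_algo, is_weak)] for every signature packet."""
    pos, found = 0, []
    while pos < len(sig_bytes):
        tag, start, length = read_packet_header(sig_bytes, pos)
        body, pos = sig_bytes[start:start + length], start + length
        if tag != 2:                      # tag 2 = signature packet
            continue
        if body[0] != 4:
            raise ValueError("only v4 signatures are handled")
        pk, digest = body[2], body[3]     # version, sigtype, pk algo, hash algo
        found.append((PUBKEY_ALGOS.get(pk, str(pk)),
                      HASH_ALGOS.get(digest, str(digest)),
                      digest in WEAK_HASHES))
    return found


def _fake_sig_packet(pk_algo, hash_algo):
    """Constructed v4 signature packet: correct layout, junk MPI, never verifies."""
    body = bytes([4, 0x00, pk_algo, hash_algo])        # version, type, pk, hash
    body += b"\x00\x06\x05\x02\x57\xfe\x00\x00"          # hashed: creation time
    body += b"\x00\x00\xab\xcd"                          # no unhashed; hash left16
    body += b"\x00\x08\xff"                              # one bogus 8-bit MPI
    return bytes([0x88, len(body)]) + body               # old-format header, tag 2


# Constructed Release.gpg of a repository signed with two keys, as during a
# DSA-to-RSA migration: RSA/SHA512 first, legacy DSA/SHA1 second.
SAMPLE_RELEASE_GPG = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "Comment: constructed sample, not a real signature\n"
    "\n"
    + base64.b64encode(_fake_sig_packet(1, 10) + _fake_sig_packet(17, 2)).decode()
    + "\n-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for pk, digest, weak in signature_digests(dearmor_signature(SAMPLE_RELEASE_GPG)):
        print(pk + "/" + digest + (" (weak digest)" if weak else ""))
```

After re-signing with `gpg --digest-algo SHA512 --detach-sign --armor` (Release.gpg) and `gpg --digest-algo SHA512 --clearsign` (InRelease), running this over the new files should report no weak entry; during a two-key transition the old DSA signature will still show up as weak until it is dropped.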

Compliant repositories

The following 3rd party repositories are compliant.

  • Charles Proxy - fixed as of July 25
  • Enpass
  • Dropbox
  • Insync - contacted via email and fixed
  • Hipchat 4 - fixed on May 16 (support ticket: https://jira.atlassian.com/browse/HCPUB-369)
  • Liquorix - contacted via IRC, now fixed.
  • Microsoft dotnet CLI repository
  • Nuvola Player
  • Opera
  • sensu - fixed since April 22
  • Skype (repo.skype.com)
  • Spotify - fixed since March 31
  • Steam - fixed March 21
  • Syncthing
  • SpiderOakONE - fixed since May 16
  • Ubuntu PPAs
  • Virtualbox
  • Vivaldi