This page keeps track of repositories broken or half-broken by the SHA1 removal. Please note that we intend to shut off SHA1 completely on January 1, 2017.
Feel free to add other affected repositories here.
Broken repositories
These issue errors like "No hash entry found ... which is strong enough for security purposes" and cause a failure.
The cause of this is a missing SHA256 or SHA512 entry in the Release and/or Packages files.
Google repositories (contacted osop at google.com)
Google Chrome (half-broken since March 18th 2016)
Google Music Manager
W:gpgv:/var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest), W:Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.
Google Talk Plugin
W:gpgv:/var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest), W:Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_talkplugin_deb_dists_stable_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.
Spider Oak ONE - Contacted via email
W:gpgv:/var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release.gpg: The repository is insufficiently signed by key FE45E5330B11DCF03247EF49A6FF22FF08C15DD0 (weak digest), W:Failed to fetch http://APT.spideroak.com/ubuntu-spideroak-hardy/dists/release/Release No Hash entry in Release file /var/lib/apt/lists/partial/APT.spideroak.com_ubuntu-spideroak-hardy_dists_release_Release, which is considered strong enough for security purposes, E:Some index files failed to download. They have been ignored, or old ones used instead.
Fixing broken repositories
Repository owners should make sure their Release files and Packages files contain SHA256 or SHA512 fields. If they have Sources files, those should contain Checksums-Sha256.
If the repository is also affected by the other error below, that should also be fixed.
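A repository owner can check the metadata for these fields before publishing. The script below is an added example, not part of the original page or of apt; the function names and the sample Release and Packages contents (with placeholder hashes) are constructed for illustration.

```shell
# Added example: check apt metadata for the hash fields apt now requires.

# Release file on stdin: print each of SHA256/SHA512 that lists at least one
# index file; exit status 1 if neither section is present.
release_strong_hashes() {
    awk '
        /^[^ \t]/ { field = $1; sub(/:.*/, "", field); next }
        (field == "SHA256" || field == "SHA512") && NF == 3 { seen[field] = 1 }
        END {
            n = 0
            if ("SHA256" in seen) { print "SHA256"; n++ }
            if ("SHA512" in seen) { print "SHA512"; n++ }
            exit (n == 0)
        }'
}

# Packages or Sources file on stdin: print the Package name of every stanza
# that has no SHA256, SHA512 or Checksums-Sha256 field.
stanzas_without_strong_hash() {
    awk '
        function emit() { if (pkg != "" && !strong) print pkg; pkg = ""; strong = 0 }
        /^Package:/                          { pkg = $2 }
        /^(SHA256|SHA512|Checksums-Sha256):/ { strong = 1 }
        /^[ \t]*$/                           { emit() }
        END                                  { emit() }'
}

# Constructed samples (placeholder hashes): a Release file with only MD5Sum and
# SHA1 sections, the same file after adding SHA256, and a Packages file whose
# second stanza lacks SHA256.
weak_release='Origin: Example
Suite: stable
MD5Sum:
 00000000000000000000000000000000 1234 main/binary-amd64/Packages
SHA1:
 0000000000000000000000000000000000000000 1234 main/binary-amd64/Packages'
fixed_release="$weak_release
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages"
packages='Package: alpha
SHA1: 0000000000000000000000000000000000000000
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: beta
SHA1: 0000000000000000000000000000000000000000'

printf '%s\n' "$weak_release" | release_strong_hashes || echo "Release: no strong hash"
printf '%s\n' "$fixed_release" | release_strong_hashes
printf '%s\n' "$packages" | stanzas_without_strong_hash
```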
Half-broken repositories
These issue warnings about insufficiently signed repositories (1.2.7) or weak signatures (1.2.8).
It means the GPG signature on the Release file was made with SHA1 as the hash (= digest) algorithm.
Bt Sync (Unofficial)
W: gpgv:/var/lib/apt/lists/debian.yeasoft.net_btsync_dists_unstable_InRelease: The repository is insufficiently signed by key 06ABBEA18548527F04A2FC2840FC0CD26BF18B15 (weak digest)
Dropbox
W: gpgv:/var/lib/apt/lists/linux.dropbox.com_ubuntu_dists_wily_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)
Enpass
W: gpgv:/var/lib/apt/lists/repo.sinew.in_dists_stable_InRelease: The repository is insufficiently signed by key B6DA722E2E65721AF54B93966F7565879798C2FC (weak digest)
Google Chrome
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
Insync
W: gpgv:/var/lib/apt/lists/apt.insynchq.com_ubuntu_dists_trusty_InRelease: The repository is insufficiently signed by key 3B158123A580D31A9E86248106BBDC2602DFE7E7 (weak digest)
Liquorix (contacted over IRC)
Open Build Service
W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_home:_emby_xUbuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key 7C73B6B7B0937468962299C50A506F712A7D8A28 (weak digest)
W: gpgv:/var/lib/apt/lists/download.opensuse.org_repositories_isv:_ownCloud:_desktop_Ubuntu%5f15.10_Release.gpg: The repository is insufficiently signed by key F9EA4996747310AE79474F44977C43A8BA684223 (weak digest)
Opera (contacted over twitter)
W: gpgv:/var/lib/apt/lists/deb.opera.com_opera-stable_dists_stable_InRelease: The repository is insufficiently signed by key 419D0ACF314E8E993F7F92E563F7D4AFF6D61D45 (weak digest)
Spotify (contacted via key UID)
W: gpgv:/var/lib/apt/lists/repository.spotify.com_dists_stable_InRelease: The repository is insufficiently signed by key BBEBDCB318AD50EC6865090613B00F1FD2C19886 (weak digest)
Steam
W: gpgv:/var/lib/apt/lists/repo.steampowered.com_steam_dists_precise_InRelease: The repository is insufficiently signed by key BA1816EF8E75005FCF5E27A1F24AEA9FB05498B7 (weak digest)
Ubuntu PPAs (fix pending)
VideoLAN
W: gpgv:/var/lib/apt/lists/download.videolan.org_pub_debian_stable_Release.gpg: The repository is insufficiently signed by key 8F0845FE77B16294429A79346BCA5E4DB84288D9 (weak digest)
Virtualbox
W: gpgv:/var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_wily_InRelease: The repository is insufficiently signed by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 (weak digest)
Vivaldi
W: gpgv:/var/lib/apt/lists/repo.vivaldi.com_archive_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key ED18652D86E25D422EA7CE132CC26F777B8B44A1 (weak digest)
Fixing half-broken repositories
The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.
Migrating from DSA to RSA is best done by signing the repository with two keys (the old and the new one) and shipping the new one to the users. A relatively safe way to ship the key would be to embed it in the package. Some months after those changes, it is OK to drop the old key from the repository and the users' machines (if shipped with a package).
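To confirm which digest and key type a signature actually uses, for instance while a repository is signed with both the old and the new key, the output of gpg --list-packets can be classified as below. This is an added example, not part of the original page; the function name, the verdict strings and the sample packet listing (with placeholder key IDs) are constructed, and the algorithm numbers are those assigned by RFC 4880.

```shell
# Added example: classify the signatures on a Release.gpg file.
# Usage on a real file:  gpg --list-packets Release.gpg | sig_digests

# Prints "KEYID PUBKEY-ALGO DIGEST VERDICT" for each signature packet read from
# stdin; exit status 1 if any signature uses a digest outside the SHA2 family.
sig_digests() {
    awk '
        BEGIN {
            pk[1] = "RSA"; pk[17] = "DSA"
            md[1] = "MD5"; md[2] = "SHA1"; md[3] = "RIPEMD160"
            md[8] = "SHA256"; md[9] = "SHA384"; md[10] = "SHA512"; md[11] = "SHA224"
        }
        # e.g. ":signature packet: algo 17, keyid AAAAAAAAAAAAAAAA"
        /^:signature packet:/ { p = $4 + 0; keyid = $6 }
        # e.g. "    digest algo 2, begin of digest 12 34"
        /^[ \t]+digest algo/ {
            d = $3 + 0
            pname = (p in pk) ? pk[p] : "pk" p
            dname = (d in md) ? md[d] : "md" d
            sha2 = (d >= 8 && d <= 11)
            verdict = sha2 ? "ok" : "weak-digest"
            if (!sha2) weak = 1
            if (pname == "DSA") verdict = verdict ",migrate-to-RSA"
            print keyid, pname, dname, verdict
        }
        END { exit weak + 0 }'
}

# Constructed sample of `gpg --list-packets` output for a Release.gpg carrying
# two signatures: an old DSA key signing with SHA1 and a new RSA key with SHA512.
sample_packets=':signature packet: algo 17, keyid AAAAAAAAAAAAAAAA
    version 4, created 1458259200, md5len 0, sigclass 0x00
    digest algo 2, begin of digest 12 34
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
    version 4, created 1458259200, md5len 0, sigclass 0x00
    digest algo 10, begin of digest ab cd'

printf '%s\n' "$sample_packets" | sig_digests || echo "at least one weak digest"
```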
Compliant repositories
The following 3rd party repositories are compliant.
- Nuvola Player
- Syncthing