Debian community apt-get GPG key and SHA1


Sean Johnson

Feb 15, 2017, 12:52:24 PM2/15/17
to help-cfengine

The https://cfengine.com/product/community/cfengine-linux-distros/ GPG key for Debian-based systems throws a warning (on Ubuntu 16.04) about it being SHA1.

The annoyance about this is the warning gets output for every apt-get update / upgrade / install operation.


W: https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages/dists/stable/Release.gpg: Signature by key 850614F65F7C006979BCF9EA7061B663A86E7AFA uses weak digest algorithm (SHA1)


I was just wondering if there any plans to update that GPG key.

Thanks,

sean


Nick Anderson

Feb 15, 2017, 3:15:59 PM2/15/17
to Sean Johnson, help-cfengine

Sean Johnson <se...@ttys0.net> writes:

> The https://cfengine.com/product/community/cfengine-linux-distros/ GPG key for Debian-based systems throws a warning (on Ubuntu 16.04) about it being SHA1.
>
> The annoyance about this is the warning gets output for every apt-get update / upgrade / install operation.
>
> W: https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages/dists/stable/Release.gpg: Signature by key 850614F65F7C006979BCF9EA7061B663A86E7AFA uses weak digest algorithm (SHA1)
>
> I was just wondering if there any plans to update that GPG key.

We did just recently (this week) change the algorithm used for signing the Release
file. Now it's using --digest-algo=SHA256. Was that message from
today? I don't get those warnings on my Ubuntu 16 test box.

# off=0 ctb=89 tag=2 hlen=3 plen=277
:signature packet: algo 1, keyid 7061B663A86E7AFA
	version 3, created 1487004746, md5len 5, sigclass 0x00
	digest algo 8, begin of digest a8 89
	data: [2047 bits]

I see digest algo 8 which I believe is SHA256.


Nick Anderson
Doer of things, CFEngine

Sean Johnson

Feb 15, 2017, 5:55:01 PM2/15/17
to help-cfengine

> Was that message from today?

Yep, on an Ubuntu 16.04 box.

It took a bit of spelunking, but it looks like the problem is the key gets cached locally:

---
root@ubuntu1604:~# cat /var/lib/apt/lists/cfengine-package-repos.s3.amazonaws.com_pub_apt_packages_dists_stable_Release.gpg | gpg --list-packets
:signature packet: algo 1, keyid 7061B663A86E7AFA
	version 3, created 1482856379, md5len 5, sigclass 0x00
	digest algo 2, begin of digest c8 2f
	data: [2048 bits]

root@ubuntu1604:~# wget -qO- https://cfengine-package-repos.s3.amazonaws.com/pub/apt/packages/dists/stable/Release.gpg | gpg --list-packets
:signature packet: algo 1, keyid 7061B663A86E7AFA
	version 3, created 1487004746, md5len 5, sigclass 0x00
	digest algo 8, begin of digest a8 89
	data: [2047 bits]
---

I deleted the /var/lib/apt/lists/cfengine-package-repos.s3.amazonaws.com_pub_apt_packages_dists_stable_Release.gpg file, and an apt-get update then updated it. I'm kind of surprised that apt doesn't check to see if the key is updated on the remote repository.

Might be worth tossing into the FAQ. :)

Cheers,

sean

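The thread diagnoses the stale SHA1 signature by reading the "digest algo" field of `gpg --list-packets`. As an added example (not code from the thread or from CFEngine), the script below turns that manual check into an audit of every Release.gpg apt has cached under /var/lib/apt/lists; the function names are mine, and the algorithm ID table follows the OpenPGP registry (RFC 4880), where 2 is SHA1 and 8 is SHA256, matching the two packets shown above.

```shell
# Added example: audit cached apt Release.gpg signatures for weak digests.
# OpenPGP hash algorithm IDs (RFC 4880): 1=MD5 2=SHA1 3=RIPEMD160
# 8=SHA256 9=SHA384 10=SHA512 11=SHA224.

# Map an OpenPGP hash algorithm ID to its name.
digest_name() {
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        3) echo RIPEMD160 ;;
        8) echo SHA256 ;;
        9) echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin. Print one line per signature
# packet as "<keyid> <created> <digest>" and return 1 if any digest is
# MD5 or SHA1, the condition behind apt's "weak digest algorithm" warning.
check_packets() {
    rc=0; keyid=""; created=""; algo=""
    while IFS= read -r line; do
        case "$line" in
            *":signature packet:"*)
                keyid=${line##*keyid } ;;
            *"created "*)
                created=${line#*created }; created=${created%%,*} ;;
            *"digest algo "*)
                algo=${line#*digest algo }; algo=${algo%%,*}
                printf '%s %s %s\n' "$keyid" "$created" "$(digest_name "$algo")"
                case "$algo" in 1|2) rc=1 ;; esac ;;
        esac
    done
    return $rc
}

# Run the check over every Release.gpg apt has stored locally; a stale
# SHA1 copy like the one in the thread is reported even after the
# repository itself has moved to SHA256. Exit status 1 means weak found.
audit_apt_lists() {
    status=0
    for f in /var/lib/apt/lists/*Release.gpg; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
        gpg --list-packets "$f" 2>/dev/null | check_packets || status=1
    done
    return $status
}
```

A flagged file can be deleted as in the thread, after which `apt-get update` fetches the current signature.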