apt repository error on debian stretch

Karsten Heymann

unread,

Jun 4, 2018, 4:20:05 PM6/4/18

to Synnefo

Hi,

trying to install the grnet debian repository on debian stretch results in a error:

# cat /etc/apt/sources.list.d/grnet.list

deb http://apt.dev.grnet.gr stretch/

# curl https://dev.grnet.gr/files/apt-grnetdev.pub | sudo apt-key add -

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 3153 100 3153 0 0 8706 0 --:--:-- --:--:-- --:--:-- 8709

OK

# sudo apt update

[...]

Reading package lists... Done

W: GPG error: http://apt.dev.grnet.gr stretch/ Release: The following signatures were invalid: 9A4AC77EA5498A8A4CC1B9149BF4F425D32A1B4C

E: The repository 'http://apt.dev.grnet.gr stretch/ Release' is not signed.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

Is this a user or documentation error or does the repository need to be fixed?

Best regards

Karsten

Benjamin Redling

unread,

Jun 20, 2018, 1:09:19 PM6/20/18

to syn...@googlegroups.com

Bump.

I'm interested to because it affects us too.

Benjamin

--
FSU Jena | JULIELab.de/Staff/Benjamin+Redling.html
☎ +49 3641 9 44323

Brian Candler

unread,

Jul 3, 2018, 7:41:47 AM7/3/18

to Synnefo

I use these repos with Ubuntu 16.04 and they work fine, but I get a warning about SHA1 being used.

W: http://repo.noc.grnet.gr/dists/wheezy/InRelease: Signature by key 2BEC47278EE2E4E2C46817471A803C71BAEC912E uses weak digest algorithm (SHA1)

W: http://apt.dev.grnet.gr/xenial/Release.gpg: Signature by key 9A4AC77EA5498A8A4CC1B9149BF4F425D32A1B4C uses weak digest algorithm (SHA1)

It looks like in Stretch they finally disabled SHA1 entirely.

https://serverfault.com/questions/880640/why-do-i-get-this-apt-warning-signature-by-key-uses-weak-digest-algorithm

https://unix.stackexchange.com/questions/387053/debian-9-apt-and-gpg-error-inrelease-the-following-signatures-were-inva

https://wiki.debian.org/SHA-1#APT_meta-data-1

https://wiki.debian.org/Teams/Apt/Sha1Removal

As a temporary workaround, you may be able to add [trusted=yes] to the sources line.

Benjamin Redling

unread,

Jul 3, 2018, 9:04:13 AM7/3/18

to syn...@googlegroups.com

> <https://unix.stackexchange.com/questions/198000/bypass-gpg-signature-checks-only-for-a-single-repository>
> to the sources line.

Excellent, thanks for the informations; never was on my radar.

BR
--
FSU Jena | JULIELab.de/Staff/Redling/

Reply all

Reply to author

Forward