Hi Mihai,

On Sat 16 Jul 2016 09:49:04 CEST, Mihai Moldovan wrote:

> On 08.07.2016 11:40 AM, Mike Gabriel wrote:
>> Control: close -1
>>
>> On Tue 26 Apr 2016 14:12:45 CEST, Christian Kreidl wrote:
>>> Package: packages.x2go.org
>>>
>>> Hi!
>>>
>>> Repository signing with SHA1 is deprecated in testing:
>>>
>>> http://packages.x2go.org/debian/dists/stretch/InRelease: Signature by key 972FD88FA0BAFB578D0476DFE1F958385BFE2B6E uses weak digest algorithm (SHA1)
>>>
>>> Please update your configuration to use SHA256: https://wiki.debian.org/SettingUpSignedAptRepositoryWithReprepro#Generating_...
>>>
>>> Thanks!
>>
>> Done. Actually, digest-algo is now SHA512.
>
> Are you sure that this is fixed? Don't we need to regenerate the keys or at least re-sign all (*.deb?) packages?
>
> Mihai

I think it is solved, as I don't see any APT warnings anymore on my
stretch/sid machines.
What I did: echo "digest-algo SHA512" >> ~/.gnupg/gpg.conf.
And then I re-exported all reprepro repos. This re-exporting updated
the signature on various repo files (Packages.gz and such).
Packages themselves are not stored / signed in the archive. The
signing is required during upload and package installation into the
repo, but the signature information is not stored in the repo itself.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
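
Added example, not part of the original thread or of the X2Go project's tooling: a small Python check that reads the digest algorithm recorded in the signature packet of a clearsigned `InRelease` file, which is one way to confirm after a re-export that the repository signature no longer uses SHA1. The function names and the sample file are constructed for illustration; the sample packet is a header stub, not a valid signature.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}
BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def packets(data):
    """Yield (tag, body) for each OpenPGP packet with a short definite length."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0x40:                                # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            else:
                raise ValueError("5-octet and partial lengths are not handled")
        else:                                         # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            n = 1 << ltype                            # length field is 1, 2 or 4 bytes
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        yield tag, data[pos:pos + length]
        pos += length

def signature_digests(inrelease):
    """Return (digest name, is_weak) for every v4 signature in a clearsigned file."""
    lines, found = inrelease.splitlines(), []
    for i, line in enumerate(lines):
        if line != BEGIN:
            continue
        block = lines[i + 1:lines.index(END, i)]
        armor = block[block.index("") + 1:]           # skip armor headers
        b64 = "".join(l for l in armor if not l.startswith("="))  # drop CRC24 line
        for tag, body in packets(base64.b64decode(b64)):
            if tag == 2 and len(body) >= 4 and body[0] == 4:   # v4 signature packet
                name = HASH_ALGOS.get(body[3], f"unknown({body[3]})")
                found.append((name, name in WEAK))
    return found

def constructed_inrelease(hash_id):
    """Constructed sample: a 12-byte v4 signature header, not a valid signature."""
    pkt = bytes([0x88, 12, 4, 1, 1, hash_id]) + bytes(8)
    head = ["-----BEGIN PGP SIGNED MESSAGE-----", f"Hash: {HASH_ALGOS[hash_id]}", ""]
    return "\n".join(head + ["Suite: stretch", BEGIN, "", base64.b64encode(pkt).decode(), END])
```

Run against the text of a real `InRelease` file, `signature_digests` returns one entry per signature; this only reports the digest and does not verify the signature, which remains the job of `gpgv` or APT.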