[X2Go-Dev] Repository signing uses weak digest algorithm (SHA1)
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Mon Jul 18 14:17:42 CEST 2016
Hi Mihai,
On Sa 16 Jul 2016 09:49:04 CEST, Mihai Moldovan wrote:
> On 08.07.2016 11:40 AM, Mike Gabriel wrote:
>> Control: close -1
>>
>> On Di 26 Apr 2016 14:12:45 CEST, Christian Kreidl wrote:
>>
>>> Package: packages.x2go.org
>>>
>>> Hi!
>>>
>>> Repository signing with SHA1 is deprecated in testing:
>>>
>>> http://packages.x2go.org/debian/dists/stretch/InRelease: Signature by key
>>> 972FD88FA0BAFB578D0476DFE1F958385BFE2B6E uses weak digest algorithm (SHA1)
>>>
>>> Please update your configuration to use SHA256:
>>> https://wiki.debian.org/SettingUpSignedAptRepositoryWithReprepro#Generating_GnuPG_keys
>>>
>>> Thanks!
>>
>> Done. Actually, digest-algo is now SHA512.
>
> Are you sure that this is fixed? Don't we need to regenerate the keys or at
> least re-sign all (*.deb?) packages?
>
> Mihai
I think it is solved, as I don't see any APT warnings anymore on my
stretch/sid machines.
What I did: echo "digest-algo SHA512" >> ~/.gnupg/gpg.conf.
And then I re-exported all reprepro repos. This re-exporting updated
the signature on various repo files (Packages.gz and such).
Packages themselves are not stored / signed in the archive. The
signing is required during upload and package installation into the
repo, but the signature information is not stored in the repo itself.
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
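The warning quoted at the top of the thread comes from the signature packet itself, not from the "Hash:" line in the clearsign armor, which is only advisory. The following is an added check written for this page (not X2Go's, reprepro's or apt's code): it dearmors the PGP SIGNATURE block of an InRelease (or a detached Release.gpg), walks the RFC 4880 packet headers and reads the hash-algorithm octet of every signature packet, then flags the digests apt treats as weak (MD5, SHA1, RIPEMD160; that set is an assumption here). The sample InRelease is constructed inline: its signature packet has correct v4 framing but a placeholder MPI, so it parses but would never verify. Changing `digest-algo` in gpg.conf and re-exporting the repository, as described above, changes exactly the octet this code reads.

```python
"""Read the digest algorithm recorded in the OpenPGP signature packets of an
APT InRelease (clearsigned) or Release.gpg (detached) file, RFC 4880 framing.
Example code added for this page; not part of X2Go, reprepro or apt."""
import base64
import re

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Assumption: the digests apt reports as "weak digest algorithm".
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def crc24(data: bytes) -> int:
    """Radix-64 checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor_signature(text: str) -> bytes:
    """Return the binary packets inside the PGP SIGNATURE armor, checking its CRC line."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE block found")
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" in lines:                      # drop optional armor headers and the blank separator line
        lines = lines[lines.index("") + 1:]
    lines = [ln for ln in lines if ln]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC24 mismatch")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte {ctb:#x}")
        if ctb & 0x40:                                  # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not used for signatures")
        else:                                           # old format: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length")
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length


def signature_digests(text: str) -> list:
    """Digest algorithm name of every signature packet (tag 2) in the file's armor."""
    names = []
    for tag, body in iter_packets(dearmor_signature(text)):
        if tag != 2:
            continue
        if body[0] == 4:        # v4: version, sig type, pubkey algo, hash algo, ...
            hash_id = body[3]
        elif body[0] == 3:      # v3: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo
            hash_id = body[16]
        else:
            raise ValueError(f"unsupported signature version {body[0]}")
        names.append(HASH_ALGOS.get(hash_id, f"unknown({hash_id})"))
    return names


def weak_signatures(text: str) -> list:
    """The subset of signatures apt would flag as using a weak digest."""
    return [name for name in signature_digests(text) if name in WEAK_DIGESTS]


def make_sample_inrelease(hash_id: int) -> str:
    """Constructed clearsigned stub: valid v4 RSA signature framing with a placeholder
    MPI, so it parses but would never verify. Only the packet layout matters here."""
    body = (bytes([4, 0x01, 1, hash_id])   # version 4, canonical-text sig, RSA, hash algo
            + b"\x00\x00" + b"\x00\x00"    # empty hashed and unhashed subpacket areas
            + b"\x00\x00"                  # left 16 bits of the hash (placeholder)
            + b"\x00\x08\xff")             # one 8-bit MPI (placeholder)
    packet = bytes([0x88, len(body)]) + body   # old-format header, tag 2, one-octet length
    crc = crc24(packet).to_bytes(3, "big")
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n"
            f"Hash: {HASH_ALGOS[hash_id]}\n\n"
            "Origin: constructed sample\nSuite: stretch\n"
            "-----BEGIN PGP SIGNATURE-----\n\n"
            f"{base64.b64encode(packet).decode()}\n"
            f"={base64.b64encode(crc).decode()}\n"
            "-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    for hash_id in (2, 10):
        sample = make_sample_inrelease(hash_id)
        print(signature_digests(sample), "weak:", weak_signatures(sample))
```

Against a real repository, fetch dists/<suite>/InRelease and pass its text to weak_signatures(); Release.gpg works with the same function because the detached signature uses the same armor type. A file carrying several signature packets (a repository signed by more than one key) yields one entry per signature, so a single leftover SHA1 signature still shows up even when the others were re-done with SHA512.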