Re: repository uses weak digest algorithm (SHA1)

2016-08-07 Thread Rui Miguel P. Bernardo
Hi Matthias,

I had a similar problem with my repository in stretch testing/unstable
earlier this year. I had to change the reprepro (a repository manager)
configuration to explicitly sign the repository and the release file. The
key didn't need to be changed.

I then searched for a way to make apt-get ignore or silence the warning
with some setting in /etc/apt/apt.conf.d/ but I have found nothing. Maybe
someone else knows how.

The only way to make the warning disappear was to update the reprepro
configuration as I did in my repository.

I guess you'll have to report this to the Linux Mint team.

On 04/08/2016 21:56, "Matthias Bodenbinder" wrote:
>
> Hi,
>
> I have a weird signature issue with an LMDE Mint repository. I know that
> this is not pure Debian but nevertheless I think my question is best posted
> here.
>
> The issue is: I have 4 PCs and 1 laptop at home. All running LMDE2. When I
> do "apt-get update" the PCs have no issue. But the laptop says:
>
> # last 2 lines of "apt-get update" output
> W: http://linux-mint.froonix.org/dists/betsy/Release.gpg: Signature by key E1A38B8F144675D060EA666F3EE67F3D0FF405B2 uses weak digest algorithm (SHA1)
> W: http://extra.linuxmint.com/dists/betsy/Release.gpg: Signature by key E1A38B8F144675D060EA666F3EE67F3D0FF405B2 uses weak digest algorithm (SHA1)
> ##
>
> I reinstalled all keyring debs on the laptop.
>
> I am using the exact same sources on the laptop and the PCs (rsync of
> /etc/apt/sources.list*). During the last test I even rsync'ed all
> /etc/apt/trusted* to the laptop.
>
> I tried to fetch it via apt-key:
>
> ##
> # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1A38B8F144675D060EA666F3EE67F3D0FF405B2
> Executing: /tmp/tmp.9xZlldxhO9/gpg.1.sh --keyserver
> keyserver.ubuntu.com
> --recv-keys
> E1A38B8F144675D060EA666F3EE67F3D0FF405B2
> gpg: requesting key 0FF405B2 from hkp server keyserver.ubuntu.com
> gpg: key 0FF405B2: "Clement Lefebvre (Linux Mint Package Repository v1) <r...@linuxmint.com>" not changed
> gpg: Total number processed: 1
> gpg:  unchanged: 1
> ##
>
> But the laptop keeps throwing these signature warnings - and only the
> laptop. Why is that?
>
> Thank you for your help.
> Matthias


repository uses weak digest algorithm (SHA1)

2016-08-04 Thread Matthias Bodenbinder
Hi,

I have a weird signature issue with an LMDE Mint repository. I know that this
is not pure Debian but nevertheless I think my question is best posted here.

The issue is: I have 4 PCs and 1 laptop at home. All running LMDE2. When I do
"apt-get update" the PCs have no issue. But the laptop says:

# last 2 lines of "apt-get update" output
W: http://linux-mint.froonix.org/dists/betsy/Release.gpg: Signature by key E1A38B8F144675D060EA666F3EE67F3D0FF405B2 uses weak digest algorithm (SHA1)
W: http://extra.linuxmint.com/dists/betsy/Release.gpg: Signature by key E1A38B8F144675D060EA666F3EE67F3D0FF405B2 uses weak digest algorithm (SHA1)
##

I reinstalled all keyring debs on the laptop. 



I am using the exact same sources on the laptop and the PCs (rsync of 
/etc/apt/sources.list*). During the last test I even rsync'ed all 
/etc/apt/trusted* to the laptop. 

I tried to fetch it via apt-key:

##
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1A38B8F144675D060EA666F3EE67F3D0FF405B2
Executing: /tmp/tmp.9xZlldxhO9/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
E1A38B8F144675D060EA666F3EE67F3D0FF405B2
gpg: requesting key 0FF405B2 from hkp server keyserver.ubuntu.com
gpg: key 0FF405B2: "Clement Lefebvre (Linux Mint Package Repository v1) <r...@linuxmint.com>" not changed
gpg: Total number processed: 1
gpg:  unchanged: 1
##

But the laptop keeps throwing these signature warnings - and only the laptop. 
Why is that? 

Thank you for your help.
Matthias
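
Added example (not part of the thread, and not code from apt, gpg or reprepro): the warning refers to the hash algorithm ID recorded in the OpenPGP signature packet inside Release.gpg, so a repository signature can be checked by reading that field. The sketch handles armored or binary detached signatures with v3/v4 packets; `sample_signature` is a hypothetical helper that builds a constructed, non-verifiable packet for demonstration.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(data: bytes) -> bytes:
    """Return raw OpenPGP bytes, decoding ASCII armor when present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:]   # blank line ends the armor headers
    body = [l for l in body if not l.startswith((b"=", b"-----END"))]  # drop CRC, footer
    return base64.b64decode(b"".join(body))

def signature_digests(data: bytes) -> list:
    """Digest algorithm name of every signature packet (tag 2) in data."""
    buf, pos, found = dearmor(data), 0, []
    while pos < len(buf):
        hdr, pos = buf[pos], pos + 1
        if hdr & 0x40:                    # new-format packet header
            tag, first = hdr & 0x3F, buf[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                             # old-format packet header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body, pos = buf[pos:pos + length], pos + length
        if tag == 2 and body[0] in (3, 4):
            algo = body[16] if body[0] == 3 else body[3]   # v3 vs v4 field offset
            found.append(HASH_ALGOS.get(algo, "unknown(%d)" % algo))
    return found

def sample_signature(hash_id: int) -> bytes:
    """Constructed, truncated v4 signature packet (not a verifiable signature)."""
    body = bytes([4, 0x00, 1, hash_id]) + bytes(6)   # RSA; empty subpacket areas
    raw = bytes([0x88, len(body)]) + body            # old-format header, tag 2
    armor = b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(raw)
    return armor + b"\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    print(signature_digests(sample_signature(2)), signature_digests(sample_signature(8)))
```

To check a real repository, pass the bytes of its downloaded Release.gpg to `signature_digests`.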