As a workaround, a long time ago I added "digest-algo sha256" to the gpg.conf file on the local signer system, like so:

```
# See http://askubuntu.com/questions/819641/reprepro-signature-by-key-uses-weak-digest-algorithm-sha1
# and https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
digest-algo sha256
```
It would be more robust if merfi ran gpg2 with the --digest-algo SHA256 argument every time, so we did not depend on the state of the local .gpg.conf file.
Apt on Ubuntu Xenial (and newer) will warn if the Apt repo GPG signatures are SHA1 instead of SHA256.
Background links:
By default, gnupg2 has a sha1 digest algorithm.
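As an added example that is not part of this issue or of merfi's code, the following Python reads the hash-algorithm byte of each signature packet in a detached OpenPGP signature (for instance a repository's Release.gpg), so a signer or CI job can catch SHA1 output before apt complains; the armored sample inside it is constructed and is not a real signature.

```python
import base64
import re

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 9.4
WEAK_DIGESTS = {"MD5", "SHA1"}  # what apt on Xenial and newer warns about

def dearmor(text):
    """Return the binary packets inside an ASCII-armored signature block."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no armored signature block found")
    body = re.split(r"\r?\n[ \t]*\r?\n", m.group(1), maxsplit=1)[-1]   # drop armor headers (Version:, Comment:)
    # keep the base64 lines; the line starting with '=' is the CRC24 checksum, not data
    return base64.b64decode("".join(l.strip() for l in body.splitlines() if not l.strip().startswith("=")))

def packet_header(buf, pos):
    """Decode one packet header (RFC 4880 section 4.2) -> (tag, body_start, body_len)."""
    first = buf[pos]
    if first & 0xC0 == 0xC0:                           # new-format header
        b1 = buf[pos + 1]
        if b1 < 192:
            return first & 0x3F, pos + 2, b1
        if b1 < 224:
            return first & 0x3F, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        raise ValueError("long or partial body length not supported")
    n = (1, 2, 4, 0)[first & 0x03]                     # old-format header, the form gpg emits
    if not first & 0x80 or n == 0:
        raise ValueError("not a packet header or indeterminate length")
    return (first >> 2) & 0x0F, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def signature_digests(packets):
    """Name the digest algorithm of every signature packet (tag 2) in the stream."""
    names, pos = [], 0
    while pos < len(packets):
        tag, start, length = packet_header(packets, pos)
        if tag == 2:
            body = packets[start:start + length]
            algo = body[16] if body[0] == 3 else body[3]   # v3 keeps it at offset 16, v4 and later at 3
            names.append(HASH_ALGOS.get(algo, "unknown(%d)" % algo))
        pos = start + length
    return names

def weak_digests(armored):
    """Digest names in the armored signature that apt would warn about."""
    return [n for n in signature_digests(dearmor(armored)) if n in WEAK_DIGESTS]

# Constructed sample (not a real signature): an old-format SHA1 packet, then a new-format SHA256 one
SAMPLE_PACKETS = bytes.fromhex("89000d 04000102 000000000000 000101"   # 0x89 = old header, tag 2, 2-byte length
                               "c20d 04000108 000000000000 000101")    # 0xc2 = new header, tag 2
SAMPLE_ARMOR = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                + base64.b64encode(SAMPLE_PACKETS).decode() + "\n=XXXX\n-----END PGP SIGNATURE-----\n")
```

Running `weak_digests` over a real Release.gpg reports `["SHA1"]` for a repository signed with gpg's default digest and an empty list once `--digest-algo SHA256` is in effect.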