facebookarchive / CommunityCellularManager

Tool for deploying, managing and controlling your Community Cellular Networks

etagecom.io repositories signed with sha1 #91

Open matt9j opened 6 years ago

matt9j commented 6 years ago

Hello!

Starting in apt version 1.4, gpg certificates using sha1 as the digest algorithm have been disabled (see this blog post: https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/). This impacts Debian 9 and Ubuntu 16.04 or later. It looks like the repository maintainers need to re-generate the repository signing keys using a modern digest algorithm (https://unix.stackexchange.com/questions/387053/debian-9-apt-and-gpg-error-inrelease-the-following-signatures-were-inva).

I originally found this issue working to deploy a community cellular manager osmocom client onto a Debian 9 machine. Let me know if there is any more info I can provide.

Cheers,
-Matt J.

apt-get update errors:

W: GPG error: http://repo.endaga.com dev Release: The following signatures were invalid: 916E6D307A1F68A97BE79BA8982FB270664644E6
E: The repository 'http://repo.endaga.com dev Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://repo.etagecom.io dev Release: The following signatures were invalid: FDA0AA1640DB1B4741F0135FF1757AA7673FFA94
E: The repository 'http://repo.etagecom.io dev Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://repo.etagecom.io test Release: The following signatures were invalid: FDA0AA1640DB1B4741F0135FF1757AA7673FFA94
E: The repository 'http://repo.etagecom.io test Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://repo.etagecom.io beta Release: The following signatures were invalid: FDA0AA1640DB1B4741F0135FF1757AA7673FFA94
E: The repository 'http://repo.etagecom.io beta Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://repo.etagecom.io stable Release: The following signatures were invalid: FDA0AA1640DB1B4741F0135FF1757AA7673FFA94
E: The repository 'http://repo.etagecom.io stable Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

pgpdump of downloaded etagecom.io public key showing SHA1 as the digest:

vagrant@endaga-client-osmocom:~$ pgpdump pubkey.gpg 
Old: Public Key Packet(tag 6)(525 bytes)
        Ver 4 - new
        Public key creation time - Sat Dec  5 21:14:07 GMT 2015
        Pub alg - RSA Encrypt or Sign(pub 1)
        RSA n(4096 bits) - ...
        RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(35 bytes)
        User ID - Package Repo <packages@etagecom.io>
Old: Signature Packet(tag 2)(568 bytes)
        Ver 4 - new
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Sat Dec  5 21:14:07 GMT 2015

...
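
An added example, not part of the original issue or the project's code: a small Python parser that reads `pgpdump` text output like the dump above and flags signature packets whose digest algorithm is weak. The sample input is constructed (its first packets are abbreviated from the dump above, the SHA256 packet is made up for contrast); the function name and the inclusion of MD5 in the weak set are assumptions.

```python
import re

# Digests to flag. SHA1 is the one reported on this page; MD5 is an added assumption.
WEAK_DIGESTS = {"SHA1", "MD5"}

# Constructed sample: abbreviated from the dump above, plus a made-up SHA256 signature packet.
SAMPLE = """\
Old: Public Key Packet(tag 6)(525 bytes)
Old: User ID Packet(tag 13)(35 bytes)
        User ID - Package Repo <packages@etagecom.io>
Old: Signature Packet(tag 2)(568 bytes)
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
Old: Signature Packet(tag 2)(568 bytes)
        Sig type - Signature of a binary document(0x00).
        Hash alg - SHA256(hash 8)
"""

PACKET_RE = re.compile(r"^(?:Old|New): (.+?)\(tag (\d+)\)")
FIELD_RE = re.compile(r"^\s+(Sig type|Hash alg|User ID) - (.+)$")

def signature_digests(dump):
    """Return one dict per signature packet (tag 2): type, digest, user ID, weak flag."""
    results, current, user_id = [], None, None
    for line in dump.splitlines():
        pkt = PACKET_RE.match(line)
        if pkt:
            current = None  # a new packet header ends the previous packet
            if pkt.group(2) == "2":
                current = {"sig_type": None, "digest": None, "user_id": user_id, "weak": False}
                results.append(current)
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue  # subpackets and other fields are not needed here
        name, value = field.groups()
        if name == "User ID":
            user_id = value  # remembered for the certifications that follow it
        elif current is not None and name == "Sig type":
            current["sig_type"] = value
        elif current is not None and name == "Hash alg":
            current["digest"] = value.split("(")[0]  # "SHA1(hash 2)" -> "SHA1"
            current["weak"] = current["digest"] in WEAK_DIGESTS
    return results

if __name__ == "__main__":
    for sig in signature_digests(SAMPLE):
        print("WEAK" if sig["weak"] else "ok  ", sig["digest"], "-", sig["sig_type"])
```

pgpdump prints the same `Hash alg` field for any signature packet, so the function applies equally to the dump of a detached signature file.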
9muir commented 6 years ago

Doesn't @kheimerl have access to the endaga.com repo? I think he and @shaddi are the repo maintainers.

kheimerl commented 6 years ago

Yes I can update the endaga one, not the etage one.

On Tue, Jan 16, 2018 at 1:14 PM, Steve Muir notifications@github.com wrote:

> Doesn't @kheimerl have access to the endaga.com repo? I think he and @shaddi are the repo maintainers.
