graysky2 / profile-sync-daemon

Symlinks and syncs browser profile dirs to RAM thus reducing HDD/SDD calls and speeding-up browsers.
https://wiki.archlinux.org/index.php/Profile-sync-daemon

PSD repo uses weak hash - error #165

Closed jonpolak closed 8 years ago

jonpolak commented 8 years ago

Hi, Debian/Ubuntu is removing SHA1 support from APT. Repos need to be signed with SHA2. APT Sha1Removal.


graysky2 commented 8 years ago

I am not a Debian user... here is the general procedure I use to build and push... can you recommend for me which step I need to add the --digest-algo SHA512 switch to?

dh_make --copyright MIT --single --indep --email graysky@archlinux.us
dpkg-source --commit
debuild -S
dput ppa:graysky/utils ../profile-sync-daemon_"$pkgver"-1_source.changes

jonpolak commented 8 years ago

I googled around for more than two hours and shamefully I don't have a conclusive answer. The Debian wiki implies that they are using gpg to sign the packages and passing the flag --digest-algo SHA256. But they don't give the full command.

Everyone else seems to be using debsigs, namely http://askubuntu.com/questions/677471/how-do-you-create-a-signed-deb-package

You're not alone in the errors with apt... Google still hasn't updated their Chrome signature.

From the debian wiki:

Fixing half-broken repositories

Warnings about insufficiently signed repositories (1.2.7) or weak signatures (1.2.8) means the GPG signature on the Release file was made with SHA1 as the digest algorithm.

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.

Migrating from DSA to RSA is best done by signing the repository with two keys (old and new one) and shipping the new one to the users. A relatively safe way to ship the key would be to embed it in the package. Some months after those changes, it is OK to drop the old key from the repository and the users machines (if shipped with a package).

graysky2 commented 8 years ago

Thank you for looking... I too spent a considerable amount of time looking but without anything meaningful. I have just updated psd to v6.22 but I'd like to get this key thing solved before I update the debian/ubuntu repo.

jonpolak commented 8 years ago

Hey, Google fixed their weak SHA1 hash. Yours is still reporting an issue. I found this info:

If you are hosting a repository which is giving these errors, the solution is to change the default cert-digest-algo to SHA256. By default gnupg uses SHA1.

After you fix this issue the next warning will be that the signature "uses weak digest algorithm (SHA1)", and to fix that you can set digest-algo to SHA256 as well.

These values go on the repository server in the gpg.conf which the repository is using.

The short hand is to append

cert-digest-algo SHA256
digest-algo SHA256

to your gpg.conf file.

Our project has it ticketed here https://github.com/ros-infrastructure/buildfarm_deployment/issues/130 which should have an example of how to fix it for our deployment mechanism.

source: http://askubuntu.com/questions/760796/how-to-fix-apt-signature-by-key-uses-weak-digest-algorithm-sha1

graysky2 commented 8 years ago

The short hand is to append cert-digest-algo SHA256 digest-algo SHA256

I did this and built 6.23 just now. Please verify that the new algorithm is in fact in use.
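The request above is to confirm that the new digest algorithm is actually in use. With gpg on hand that check is `gpg --list-packets Release.gpg` and reading the `digest algo` field of each signature packet (2 = SHA1, 8 = SHA256, 10 = SHA512). The following is an added example, not code from profile-sync-daemon or from anyone in this thread, that performs the same check offline by parsing the OpenPGP signature packet(s) in an ASCII-armored or binary Release.gpg and reporting every signature's digest; a repository signed with two keys during a DSA-to-RSA migration, as the Debian wiki quote suggests, yields two entries. The sample signature bytes built by build_sample_signature() are constructed for illustration: they have the right packet layout but a dummy MPI and verify nothing.

```python
"""Report the digest algorithm of every OpenPGP signature in a Debian Release.gpg.

Added example, not code from profile-sync-daemon or from this thread. It parses
the signature packet(s) (RFC 4880 section 5.2) only far enough to read the
hash-algorithm octet that apt >= 1.2.8 checks. build_sample_signature() is a
constructed packet with the right layout but a dummy MPI; it verifies nothing.
"""
import base64
import re

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

def dearmor(text: str) -> bytes:
    """Strip the ASCII-armor envelope and return the raw packet bytes."""
    match = re.search(r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----",
                      text, re.S)
    if not match:
        raise ValueError("no PGP SIGNATURE armor block found")
    lines = match.group(1).splitlines()
    # Armor headers (Version:, Comment:) end at the first blank line.
    body = lines[lines.index("") + 1:] if "" in lines else lines
    b64 = []
    for line in body:
        if line.startswith("="):      # "=XXXX" CRC-24 line terminates the data
            break
        b64.append(line.strip())
    return base64.b64decode("".join(b64))

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"no packet header at offset {pos}")
        if first & 0x40:                                  # new-format header
            tag, l1 = first & 0x3F, data[pos + 1]
            if l1 < 192:
                length, hdr = l1, 2
            elif l1 < 224:
                length, hdr = ((l1 - 192) << 8) + data[pos + 2] + 192, 3
            elif l1 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                             # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                                # indeterminate length
                length, hdr = len(data) - pos - 1, 1
            else:
                n = 1 << ltype                            # 1-, 2- or 4-byte length
                length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def signature_digests(data) -> list:
    """Digest names of all signature packets in an armored (str/bytes) or binary file."""
    if isinstance(data, str):
        data = dearmor(data)
    elif data.startswith(b"-----BEGIN"):
        data = dearmor(data.decode("ascii"))
    names = []
    for tag, body in iter_packets(data):
        if tag != 2:                       # only signature packets matter here
            continue
        version = body[0]
        if version in (4, 6):              # version, sig type, pk algo, hash algo
            algo_id = body[3]
        elif version == 3:                 # version, 0x05, type, time(4), keyid(8), pk algo, hash algo
            algo_id = body[16]
        else:
            raise ValueError(f"unsupported signature packet version {version}")
        names.append(HASH_ALGOS.get(algo_id, f"unknown({algo_id})"))
    return names

def weak_digests(data) -> list:
    """The digests apt warns about; an empty list means the repository is fixed."""
    return [n for n in signature_digests(data) if n in WEAK_DIGESTS]

def build_sample_signature(hash_algo_id: int) -> bytes:
    """Constructed v4 signature packet (old-format header, tag 2) for testing."""
    body = (bytes([4, 0x00, 1, hash_algo_id])   # v4, binary-document sig, RSA, hash
            + b"\x00\x00\x00\x00"               # empty hashed + unhashed subpackets
            + b"\xab\xcd"                       # left 16 bits of the hash (dummy)
            + b"\x00\x08\x2a")                  # dummy 8-bit MPI
    return bytes([0x88, len(body)]) + body

def armor(packets: bytes) -> str:
    """Wrap packets the way 'gpg -a' does (CRC line omitted; dearmor ignores it)."""
    return ("-----BEGIN PGP SIGNATURE-----\nComment: constructed sample\n\n"
            + base64.b64encode(packets).decode() + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    import sys
    # Real use: python3 check_release_sig.py Release.gpg; with no argument, a
    # constructed two-signature file (old SHA1 key plus new SHA256 key) is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else armor(
        build_sample_signature(2) + build_sample_signature(8))
    print("digests:", signature_digests(text), "weak:", weak_digests(text))
```

Run it against the Release.gpg the PPA serves (or the InRelease file, whose embedded signature packets parse the same way once the clearsigned text is stripped) after setting `cert-digest-algo SHA256` and `digest-algo SHA256` in the signing machine's gpg.conf; any SHA1 entry means the signature was made before the change or by a key whose gpg.conf was not updated.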

jonpolak commented 8 years ago

No Errors!!

graysky2 commented 8 years ago

Thank you for pointing this issue out and for providing the solution :thumbsup: