'apt-get update' complains about a weak digest

[ooneed]

recently debian updated the apt* tools to warn about repositories using SHA1. You should update your gpg settings to use a newer hash function (see e.g. https://askubuntu.com/questions/750133/how-can-i-fix-w-the-repository-is-insufficiently-signed-by-the-key, and https://wiki.debian.org/Teams/Apt/Sha1Removal) so that the owncloud installation will work with future debian stable systems.

Steps to reproduce

1. on a debian testing/unstable system, have an entry like the following in /etc/apt/sources.list: deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /
2. run 'apt-get update'

   Expected behaviour

apt-get should download the files from the repository without complaining

Actual behaviour

apt-get gives a warning:

W: gpgv:/var/lib/apt/lists/download.owncloud.org_download_repositories_stable_Debian%5f8.0_Release.gpg: The repository is insufficiently signed by key BCECA90325B072AB1245F739AB7C32C35180350A (weak digest)

[RobinMcCorkell]

cc @jnweiger

[jnweiger]

This calls for a change in both openSUSE's openBuild Service and our own openBuild Service to be consistent.

https://askubuntu.com/questions/750133/how-can-i-fix-w-the-repository-is-insufficiently-signed-by-the-key seems to have some details about the needed procedure. Where one would find the needed $KEYID (or $KEYIDs ?) in a buildservice is unknown.

[RobinMcCorkell]

Apparently @danimo is one step ahead of us: openSUSE/open-build-service#1648

[jnweiger]

thanks

[RobinMcCorkell]

This might be a long shot, but could you try putting the following in $backenddir/gnupg/gpg.conf:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

OBS uses that directory to store all its GPG information, you just need to find out where $backenddir is... (try /srv/obs, or look in /etc/sysconfig/obs-server for $OBS_BASE_DIR)

[jnweiger]

On my obs, /etc/sysconfig/signd contains this:

## Path:        Applications/OBS
## Description: Define gpgp home directory for signing daemon
## Type:        string
## Default:     ""
## Config:      OBS
#
# An empty setting will lead to a check for /obs/gnupg or /srv/obs/gnupg
#
OBS_SIGND_GNUPG_HOME="/root/.gnupg"

The /root/.gnupg/gpg.conf seen there, is full with comments, but none of the needed settings are mentioned.

[RobinMcCorkell]

@jnweiger Try adding the mentioned settings on new lines, then trigger a rebuild of the package index. At worst, you'll end up with exactly the same SHA1 problem (or OBS baulks and stops the process).

[jnweiger]

One thing that could be even worse: All new keys look like different keys and need to be accepted by end users again. Then I'll revert and wait for an official solution from openSUSE.

I have found a test against the Packages file that says SHA-1. I'll build the new 9.0.1 RC1 packages for testing with the SHA256 suggestion. Let's see if the test will then say SHA-2 or somehting...

[jnweiger]

No luck so far. Tomorrow I'll try to add step 2. as explained in https://askubuntu.com/questions/750133/how-can-i-fix-w-the-repository-is-insufficiently-signed-by-the-key using the key ID printed by that test:

gpg2 -v /srv/obs/repos/ce:/9.0:/testing/Debian_8.0/Release.gpg
Version: GnuPG v1.0.7 (GNU/Linux)
Detached signature.
Please enter name of data file: /srv/obs/repos/ce:/9.0:/testing/Debian_8.0/Release
gpg: armor header: 
gpg: Signature made Wed Mar 30 01:34:49 2016 MEST using RSA key ID 5180350A
gpg: using PGP trust model
gpg: Good signature from "ce OBS Project "
gpg: binary signature, digest algorithm SHA1

Strange that claims to be version 1.0.7, my /usr/bin/gpg2 belongs to gpg2-2.0.19-5.16.1.x86_64.rpm

[RobinMcCorkell]

Conveniently OBS is using the root gpg store, so as root you should just be able to run gpg --list-secret-keys and see the key with ID 5180350A there, and you can perform the edit as described in the AskUbuntu post.

[RobinMcCorkell]

Actually, bad news. I've looked at the OBS source in detail, and it doesn't actually use GPG to do the signing (I know... :see_no_evil: ) It uses obs-sign, installed to /usr/bin/sign, which appears to be a custom C program (!!!) just to do signing for OBS.

The good news is that obs-sign actually has the ability to do SHA256 signing (SHA1 by default, hence this problem). The bad news is that there is no config file that can pass the necessary option to trigger that. The only way you can enable SHA256 is by editing the Perl scripts that make up OBS to pass the necessary option. Specifically, apply this patch to /usr/lib/obs/server/bs_publish:

--- bs_publish.orig     2016-03-30 01:33:02.114589740 +0100
+++ bs_publish  2016-03-30 01:35:59.596237637 +0100
@@ -1790,6 +1790,7 @@
     $signargs = [ '-P', "$uploaddir/publisher.$$" ];
     undef $pubkey unless $pubkey && length($pubkey) > 2;       # not a valid pubkey
   }
+  push @$signargs, '--hash', 'sha256';
   if (!$pubkey) {
     if ($BSConfig::sign_project && $BSConfig::sign) {
       local *S;

Disclaimer: the above patch is completely untested and may break things horribly. You have been warned. Theoretically it should just change the hashing algorithm from SHA1 to SHA256, but the obs-sign code is in C, so who knows what side effects there are...

[ghost]

Ref to the upstream issue: https://github.com/openSUSE/obs-sign/issues/5 and the one in client: https://github.com/owncloud/client/issues/4596

[mlschroe]

OBS master/2.7 already uses sha256.

[jnweiger]

@Xenopathic Option --hash does not really exist. We should stick with the short -h option. After a review session with @mlschroe -- this is the patch I am using now in my OBS:

--- /usr/lib/obs/server/bs_signer.orig  2016-05-04 17:09:11.000000000 +0200
+++ /usr/lib/obs/server/bs_signer       2016-05-04 17:11:28.000000000 +0200
@@ -378,6 +378,9 @@
     }
     unlink("$jobdir/.checksums");
+    # FIXES: https://github.com/owncloud/core/issues/23599
+    push @signargs, '-h', 'sha256';
+
     my $followupspec;
     if (!$info->{'followupfile'} && grep {/\.rsasign$/} @signfiles) {
       $followupspec = (grep {/\.spec$/} @files)[0];
--- /usr/lib/obs/server/bs_publish.orig 2016-05-04 17:12:46.000000000 +0200
+++ /usr/lib/obs/server/bs_publish      2016-05-04 14:34:21.000000000 +0200
@@ -1649,6 +1649,9 @@
     }
   }
+  # FIXES: https://github.com/owncloud/core/issues/23599
+  push @$signargs, '-h', 'sha256';
+
   # get all patterns
   my $patterns = [];
   if ($proj->{'patternmd5'}) {

[jnweiger]

@ooneed can you please check the Debian8 builds in http://download.owncloud.org/download/repositories/9.0:/testing

We have a fix there!

[ooneed]

I ran the 'apt-get update' with your new repository URL, and it looks good: no longer any messages about a weak hash.

thank you!

[jnweiger]

'Great. Thanks @ooneed for testing. Closed fixed.

[rloutrel]

Might I point you this https://github.com/openSUSE/open-build-service/commit/2b3f4890e743691b3a880631d562d2a130d79dc7 which seems to be the official approach from OBS

Edit: Apparently it was already mentioned above...

[takenek]

When will be merge to stable ? Got it in sources.list: deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /

and still: W: http://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.gpg: Signature by key BCECA90325B072AB1245F739AB7C32C35180350A uses weak digest algorithm (SHA1)

Best Regards TaKeN

[sukramblak]

Some Feedback from the Suse obs people for this .... https://github.com/openSUSE/obs-sign/issues/5

And yes the key from testing https://download.owncloud.org/download/repositories/9.0:/testing/Debian_8.0/Release.key is a rsa key which supports sha256 digest algo.

How long will it take to merge this into stable ... using the testing repo is no option for my production env at the moment.

[lijunle]

Get same warning on Ubuntu with repo http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.gpg

Is there is plan to ship the fix into stable repo?

[mrjester888]

This issue hasn't been fixed on Ubuntu 16.04.1 with ownCloud version 9.1.1

W: http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.gpg: Signature by key DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B uses weak digest algorithm (SHA1)

[takenek]

Problem back: W: http://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.gpg: Signature by key DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B uses weak digest algorithm (SHA1)

[ozsk]

Same problem with repo: W: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/Release.gpg: Signature by key F9EA4996747310AE79474F44977C43A8BA684223 uses weak digest algorithm (SHA1)

[ghost]

@ozsk https://github.com/owncloud/client/issues/5055

[mlschroe]

I can't do anything for the repo on download.opensuse.org, as this uses an old DSA key. The owncloud folks have to create a new key on OBS to fix this (osc signkey --create). People will notice the key change, though.

[jnweiger]

We plan to create new keys own Sunday. See https://github.com/owncloud/client/issues/5055 I am surprised we still have bad keys in http://download.owncloud.org/download/repositories/stable/ they should have been generated last week with a new obs 2.7.0 installation. My understanding was, that this version of obs would generate modern RSA keys. I'll have to double check that too.

[ghost]

I am surprised we still have bad keys in http://download.owncloud.org/download/repositories/stable/ they should have been generated last week with a new obs 2.7.0 installation.

There are people reporting stuff like the following since a few days so it seems the new key generation worked. But maybe that has still a weak signature?

(20:35:47) panchonb: W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.owncloud.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 47AE7F72479BC94B W: Failed to fetch http://download.owncloud.org/download/repositories/stable/Ubuntu_14.04/Release W: Some index files failed to download. They

[rloutrel]

Or any action is do be done and does not match this one.

Please see my suggestion there.

[ghost]

@rloutrel Nope, people are reporting that on existing installations where previous keys where already imported

[effemmeffe]

I just followed the instructions at https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client to upgrade my owncloud to latest version and I get the warning at every apt-get update. I read all the thread, but since I know nothing about keys or gpg or anything I don't get if I have to do something on my side like remove some old key or just wait for the problem to be solved on the repository side, can someone please give me some hint about this? TIA

[takenek]

This is problem with repo we need to wait.

[ghost]

There is no problem with the repo (at least not with the client one @effemmeffe is mentioning above). If you're importing the correct key you won't see the issue.

@effemmeffe The link above explains how you have to import the key

[effemmeffe]

@RealRancor I'm sorry, I dont' understand what link are you referring to. In my previous message I put a link to the procedure I followed to import the key and after I did that I got the warning. How do I get rid of it?

[ghost]

@effemmeffe Maybe you need to delete an previous imported key before: https://github.com/owncloud/client/issues/5055#issuecomment-250558635

Btw. everything concerning https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client should be discussed in that issue above.

[takenek]

First time i got problem like this take a look: I delete completly all keys:

root@taken:~# apt-key list
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   4096R/2B90D010 2014-11-21 [wygasa: 2022-11-19]
      Odcisk klucza = 126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
uid                  Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   4096R/C857C906 2014-11-21 [wygasa: 2022-11-19]
      Odcisk klucza = D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
uid                  Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   4096R/518E17E1 2013-08-17 [wygasa: 2021-08-15]
      Odcisk klucza = 75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
uid                  Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub   4096R/473041FA 2010-08-27 [wygasa: 2018-03-05]
      Odcisk klucza = 9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub   4096R/B98321F9 2010-08-07 [wygasa: 2017-08-05]
      Odcisk klucza = 0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub   4096R/46925553 2012-04-27 [wygasa: 2020-04-25]
      Odcisk klucza = A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub   4096R/65FFB764 2012-05-08 [wygasa: 2019-05-07]
      Odcisk klucza = ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
uid                  Wheezy Stable Release Key <debian-release@lists.debian.org>

and do like in https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client and got:

root@taken:~# wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/Debian_8.0/Release.key
--2016-09-30 09:21:38--  http://download.opensuse.org/repositories/isv:ownCloud:desktop/Debian_8.0/Release.key
Translacja download.opensuse.org (download.opensuse.org)... 195.135.221.134, 2001:67c:2178:8::13
Łączenie się z download.opensuse.org (download.opensuse.org)|195.135.221.134|:80... połączono.
Żądanie HTTP wysłano, oczekiwanie na odpowiedź... 301 Moved Permanently
Lokalizacja: http://download.opensuse.org/repositories/isv:ownCloud:/desktop/Debian_8.0/Release.key [podążanie]
--2016-09-30 09:21:38--  http://download.opensuse.org/repositories/isv:ownCloud:/desktop/Debian_8.0/Release.key
Ponowne użycie połączenia do download.opensuse.org:80.
Żądanie HTTP wysłano, oczekiwanie na odpowiedź... 301 Moved Permanently
Lokalizacja: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Debian_8.0/Release.key [podążanie]
--2016-09-30 09:21:38--  http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Debian_8.0/Release.key
Ponowne użycie połączenia do download.opensuse.org:80.
Żądanie HTTP wysłano, oczekiwanie na odpowiedź... 200 OK
Długość: 1098 (1,1K) [application/pgp-keys]
Zapis do: `Release.key'

Release.key                                                 100%[========================================================================================================================================>]   1,07K  --.-KB/s    in 0s

2016-09-30 09:21:38 (417 MB/s) - zapisano `Release.key' [1098/1098]

root@taken:~# apt-key add - < Release.key
OK

And got after apt-get update: W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.owncloud.org/download/repositories/stable/Debian_8.0 Release: Następujące podpisy nie mogły zostać zweryfikowane z powodu braku klucza publicznego: NO_PUBKEY 47AE7F72479BC94B

So i add key:

root@taken:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 47AE7F72479BC94B
Executing: /tmp/tmp.a5ClOtDMAT/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
47AE7F72479BC94B
gpg: zapytanie o klucz 479BC94B w serwerze hkp keyserver.ubuntu.com
gpg: klucz 479BC94B: klucz publiczny ,,ownCloud build service <obsrun@localhost>'' wczytano do zbioru
gpg: Ogółem przetworzonych kluczy: 1
gpg:          dołączono do zbioru: 1  (RSA: 1)

root@taken:~# apt-get update
W: http://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.gpg: Signature by key DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B uses weak digest algorithm (SHA1)

Like You see still same problem.

[rloutrel]

@takenek (and maybe also @effemmeffe) : you are not using the good repository (but an obsolete one)

W: http://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.gpg

Should not refer to owncloud.org but to opensuse.org (if you import the key from there, like your wget suggests it)

I am an ubuntu user, but I assume, this is also for debian relevant

Check the documentation to get the correct repository URI.

And out of topic: your installation seems to be a consequence of upgrades and not a fresh install. Maybe you should verify and validate all other manually entered repository, if they still are actual.

[effemmeffe]

I made some confusion, sorry. The opensuse repository is used to download the client, that one is well signed. The weak digest is referring to the repository used to download the program itself: https://download.owncloud.org/download/repositories/stable/owncloud/ Of course I still have the problem, will appreciate any suggestion on how to solve or where to report it.

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.