
I'm hosting a private Debian repository for some custom Raspberry Pi code. I originally built the software on Raspbian Jessie (version 8), generated a GPG key which I use to sign the repository, and ran sudo apt-key add ... on all the devices, to ensure that they would be able to authenticate my repository. This worked fine, until lately I added some new devices running Raspbian Stretch (version 9). Even though I added the exact same GPG key to them, here is the output I see when I run sudo apt-get update:

W: GPG error: http://url.of.private.repo stable Release: The following signatures were invalid: 95F9B44CE35F40B759D59C2A77E4184C595493B1
W: The repository 'http://url.of.private.repo stable Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

However, this only happens on the newer boxes. On the Pis that are still running Jessie, I can run sudo apt-get update all I want and it does not give me any authentication warnings.

Why is it that the Pis running Stretch think the GPG key is invalid, even though they're all sharing the same key? I could generate a new key on a box running Stretch, but I am hoping to avoid adding new GPG keys to every single Jessie box. (Right now I have only a handful of the new boxes running Stretch, whereas ~200 of the boxes are still running Jessie.) What can I do to convince the Stretch boxes that this GPG key is, in fact, valid?

As requested, below is the output from the sudo apt-get -o Debug::Acquire::gpgv=true update command, on both platforms:

soapergem
  • Is the Release file signed? – gxx Oct 27 '17 at 14:57
  • Yes, the Release file is signed with this GPG key, which the Jessie boxes recognize, but for some reason the Stretch boxes aren't recognizing. – soapergem Oct 27 '17 at 14:58
  • Please show the output of `sudo apt-get -o Debug::Acquire::gpgv=true update`. – gxx Oct 27 '17 at 15:02
  • @gf_ I added links to the output, from each platform respectively. Also, I tried it out on a third platform and saw a different warning: W: http://url.of.private.repo/dists/stable/Release.gpg: Signature by key 95F9B44CE35F40B759D59C2A77E4184C595493B1 uses weak digest algorithm (SHA1) – soapergem Oct 27 '17 at 16:55
  • The error you've got regarding "weak digest algorithm" is just this. Use SHA256 to solve it. Regarding the actual error: What is the key `95F9B44CE35F40B759D59C2A77E4184C595493B1`? Is it yours? A sub key? – gxx Oct 27 '17 at 17:11
  • That's the ID of my GPG key – soapergem Oct 27 '17 at 17:11
  • So if I'm understanding you correctly... are you suggesting that Jessie was OK with SHA1 signing, but Stretch may be configured by default to require SHA256 instead? – soapergem Oct 27 '17 at 17:14
  • The switch was made in [March 2016](https://tracker.debian.org/news/755358). That's the source of the "weak digest" you're getting. I'm unsure if the error your question was originally about is related to this. The debug outputs are different, especially the last paragraph in the `stretch` output: `Got untrusted VALIDSIG, key ID: 95F9B44CE35F40B759D59C2A77E4184C595493B1`. It seems a trust issue, but I'm unsure why that is. – gxx Oct 27 '17 at 17:19
  • Excellent! I just re-signed the Releases file with a stronger algorithm (SHA256) and now the Stretch boxes are no longer complaining about anything. If you wanted to submit that as an answer, I'd mark it correct. – soapergem Oct 27 '17 at 19:09
  • Great, glad to help. I've posted an answer with some more details. All the best and good luck! – gxx Oct 27 '17 at 19:23
  • Could you make the title more generic, to increase the chance people will find this question if dealing with this problem? – gxx Oct 27 '17 at 19:27
  • Sure, do you have any suggestions? – soapergem Oct 27 '17 at 19:28
  • Maybe something like: "APT: Signature by key [...] uses weak digest algorithm (SHA1)" or similar? – gxx Oct 27 '17 at 19:29

2 Answers


As per the comments:

SHA1 is assumed weak, therefore Debian decided to switch to stronger hashing algorithms back in March 2016.

Therefore, if operating APT repositories: Deprecate SHA1 and switch (at least) to SHA256.

See this Debian wiki article for a summary regarding the reasoning and this one which keeps track of broken / fixed (upstream) repositories.

gxx
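Before re-signing, it helps to confirm which digest the existing signature actually uses, since APT only reports the "weak digest algorithm" warning on newer releases. With GnuPG installed, `gpg --list-packets Release.gpg` prints the signature packet's `digest algo` field (2 is SHA1, 8 is SHA256). The following is an added example, not code from the original post or from Debian: a small dependency-free parser that reads the same field straight from the OpenPGP signature packet (RFC 4880 sections 4.2 and 5.2), accepts both binary and ASCII-armored input, handles a Release.gpg carrying several signatures, and flags MD5/SHA1. The sample packets at the bottom are constructed for the example with dummy MPI values; they have the right header layout but are not valid signatures.

```python
"""Report the digest algorithm of each OpenPGP signature in an APT Release.gpg."""
import base64

# RFC 4880 section 9.4 hash algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# RFC 4880 section 9.1 public-key algorithm IDs (EdDSA from rfc4880bis)
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# Digests APT has warned about / rejected for repository signatures since 2016
WEAK_HASHES = {"MD5", "SHA1"}


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes from binary or ASCII-armored (RFC 4880 section 6) input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = data.decode("ascii").splitlines()
    i = next(n for n, line in enumerate(lines) if line.startswith("-----BEGIN PGP")) + 1
    while i < len(lines) and lines[i].strip():   # skip armor headers up to the blank line
        i += 1
    i += 1
    b64 = []
    while i < len(lines) and not lines[i].startswith("-----END"):
        if lines[i].startswith("="):              # "=XXXX" is the CRC24 line, not data
            break
        b64.append(lines[i].strip())
        i += 1
    return base64.b64decode("".join(b64))


def packet_header(buf: bytes, pos: int):
    """Decode one packet header at buf[pos]; return (tag, body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if first & 0x40:                              # new-format header (section 4.2.2)
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not used for signature packets")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header (section 4.2.1)
    if ltype == 3:
        raise ValueError("indeterminate packet length not supported")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")


def parse_signatures(data: bytes):
    """Return one {version, pubkey, hash} dict per signature packet (tag 2)."""
    buf, pos, sigs = dearmor(data), 0, []
    while pos < len(buf):
        tag, start, length = packet_header(buf, pos)
        body = buf[start:start + length]
        if tag == 2:
            version = body[0]
            if version in (4, 5):      # v4/v5 layout: version, sig type, pk algo, hash algo, ...
                pk, hash_id = body[2], body[3]
            elif version == 3:         # v3 layout: version, 0x05, type, time[4], keyid[8], pk, hash
                pk, hash_id = body[15], body[16]
            else:
                raise ValueError("unknown signature version %d" % version)
            sigs.append({"version": version,
                         "pubkey": PUBKEY_ALGOS.get(pk, "algo %d" % pk),
                         "hash": HASH_ALGOS.get(hash_id, "algo %d" % hash_id)})
        pos = start + length
    return sigs


def weak_signatures(data: bytes):
    """Digest names of the signatures APT will flag as weak (empty list when all are fine)."""
    return [s["hash"] for s in parse_signatures(data) if s["hash"] in WEAK_HASHES]


def build_dummy_sig_packet(hash_id: int, new_format: bool = False) -> bytes:
    """Constructed test input: v4 RSA signature packet with a dummy MPI (NOT a valid signature)."""
    body = bytes([4, 0x00, 1, hash_id])          # v4, sig type 0x00 (binary document), RSA, hash
    body += b"\x00\x00" + b"\x00\x00"            # hashed and unhashed subpacket lengths = 0
    body += b"\xab\xcd" + b"\x00\x08\xff"        # left 16 bits of digest + one 8-bit MPI (dummy)
    if new_format:
        return bytes([0xC0 | 2, len(body)]) + body
    return bytes([0x80 | (2 << 2), len(body)]) + body


def armor(packet: bytes) -> bytes:
    """Constructed test input: ASCII armor around a packet (CRC24 line omitted on purpose)."""
    b64 = base64.b64encode(packet).decode("ascii")
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n%s\n"
            "-----END PGP SIGNATURE-----\n" % b64).encode("ascii")


SAMPLE_SHA1_BINARY = build_dummy_sig_packet(2)                  # like the asker's old Release.gpg
SAMPLE_SHA256_ARMORED = armor(build_dummy_sig_packet(8, new_format=True))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                     # usage: python3 sigdigest.py Release.gpg
        with open(path, "rb") as f:
            for s in parse_signatures(f.read()):
                flag = "WEAK" if s["hash"] in WEAK_HASHES else "ok"
                print("%s: v%d %s signature, digest %s [%s]" % (path, s["version"], s["pubkey"], s["hash"], flag))
```

Run it against the repository's Release.gpg (and InRelease, whose clearsigned payload ends in the same kind of signature packet after de-armoring). If it reports SHA1, re-sign the Release file with a stronger digest, as the asker did, for example `gpg --digest-algo SHA256 --armor --detach-sign --output Release.gpg Release` and `gpg --digest-algo SHA256 --clearsign --output InRelease Release`, then re-run the check; the signing key itself does not need to change, which is why the ~200 Jessie boxes kept working without any new key.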

This answer on Ask Ubuntu fixed it for me: edit ~/.gnupg/gpg.conf and add:

# digest used when signing keys/certifications
cert-digest-algo SHA256
# digest used when signing data, e.g. the Release file
digest-algo SHA256
Michel