Key uses weak digest algorithm


Solution 1

Please note that we intend to shut off SHA1 completely on January 1, 2017.

Google Chrome's repositories have been half-broken since March 18th 2016, so apt is issuing the warning. The problem with the Google source is on Google's end, so apt-get is just reporting the issue as a warning. This issue does not stop you from upgrading packages.

You can find the list of all broken and half broken repositories here.

You need to follow sudo apt-get update with sudo apt-get upgrade to see if any package upgrades are available.
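The warning in the question comes from apt's gpgv method looking at the hash algorithm recorded inside the OpenPGP signature packet in Release.gpg. As an added example (not part of the question or either answer), the script below does that inspection stand-alone: it strips the ASCII armor, walks the packets, reads the hash-algorithm octet of each v4 signature and classifies it the way apt does (MD5 untrusted, SHA1/RIPEMD160 weak, SHA-2 trusted), using the hash IDs from RFC 4880 section 9.4. It reports the 64-bit issuer key ID carried in the signature rather than the full fingerprint apt prints. The sample Release.gpg is constructed in the block with a placeholder MPI and CRC line, so it parses but could never verify; its key IDs are the low 64 bits of the two fingerprints quoted in the question, and the second signature is given SHA256 only to show the contrasting verdict.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880 sec. 9.4) and the verdict apt's gpgv method
# attaches to them: MD5 untrusted, SHA1/RIPEMD160 weak (the warning), SHA-2 trusted.
HASH_ALGOS = {1: ("MD5", "untrusted"), 2: ("SHA1", "weak"), 3: ("RIPEMD160", "weak"),
              8: ("SHA256", "trusted"), 9: ("SHA384", "trusted"),
              10: ("SHA512", "trusted"), 11: ("SHA224", "trusted")}

def dearmor(text):
    """Return the raw packet bytes of an armored detached signature (Release.gpg)."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("not an armored signature")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP SIGNATURE-----"):
            break
        if not in_body:                  # "Version: ..." headers end at a blank line
            in_body = ":" not in line
            if not in_body or line.strip() == "":
                continue
        if not line.startswith("="):     # "=XXXX" is the armor CRC24, not packet data
            body.append(line.strip())
    return base64.b64decode("".join(body))

def parse_packet_header(data, pos):
    """Return (tag, body_start, body_len); old and new format, no partial lengths."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:                                   # new-format header
        first = data[pos + 1]
        if first < 192:
            return ctb & 0x3F, pos + 2, first
        if first < 224:
            return ctb & 0x3F, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        raise ValueError("unsupported new-format length")
    ltype = ctb & 0x03                               # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = (1, 2, 4)[ltype]
    return (ctb >> 2) & 0x0F, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")

def parse_subpackets(region):
    """Yield (type, payload) per subpacket; the length octets include the type byte."""
    pos = 0
    while pos < len(region):
        first = region[pos]
        if first >= 255:
            raise ValueError("unsupported subpacket length")
        length = first if first < 192 else ((first - 192) << 8) + region[pos + 1] + 192
        pos += 1 if first < 192 else 2
        yield region[pos] & 0x7F, region[pos + 1:pos + length]
        pos += length

def inspect_signature(armored):
    """List digest, verdict and issuer key ID for every v4 signature packet."""
    data, pos, results = dearmor(armored), 0, []
    while pos < len(data):
        tag, start, length = parse_packet_header(data, pos)
        body, pos = data[start:start + length], start + length
        if tag != 2:                                 # only signature packets matter
            continue
        if body[0] != 4:
            raise ValueError("only v4 signatures are handled")
        hashed_len = int.from_bytes(body[4:6], "big")
        hashed, off = body[6:6 + hashed_len], 6 + hashed_len
        unhashed = body[off + 2:off + 2 + int.from_bytes(body[off:off + 2], "big")]
        key_id = None
        for sp_type, payload in list(parse_subpackets(hashed)) + list(parse_subpackets(unhashed)):
            if sp_type == 16:                        # issuer subpacket: 8-byte key ID
                key_id = payload.hex().upper()
        digest, verdict = HASH_ALGOS.get(body[3], ("unknown", "untrusted"))
        results.append({"key_id": key_id, "digest": digest, "verdict": verdict})
    return results

def build_sample_signature(hash_id, key_id_hex):
    """Constructed input: well-formed v4 RSA signature packet with a placeholder MPI."""
    hashed = bytes([5, 2]) + (1458259200).to_bytes(4, "big")  # creation time 2016-03-18
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id_hex)     # issuer key ID
    body = (bytes([4, 0, 1, hash_id]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x12\x34" + b"\x00\x08\xab")                  # hash prefix + fake MPI
    return bytes([0x88, len(body)]) + body                    # old-format header, tag 2

def armor(packet):
    """Wrap packet bytes in PGP armor; the CRC line is a placeholder (never checked)."""
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=AAAA\n-----END PGP SIGNATURE-----\n")

# Constructed Release.gpg: key IDs are the low 64 bits of the two fingerprints quoted
# in the question; the second signature is given SHA256 to show the other verdict.
SAMPLE_RELEASE_GPG = armor(build_sample_signature(2, "A040830F7FAC5991")
                           + build_sample_signature(8, "1397BC53640DB551"))

if __name__ == "__main__":
    for sig in inspect_signature(SAMPLE_RELEASE_GPG):
        print("key %s: %s digest (%s)" % (sig["key_id"], sig["digest"], sig["verdict"]))
```

Pointing `inspect_signature` at the text of a real Release.gpg (for example, after `wget http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg`) shows which repository keys still sign with SHA1 before the 2017 cut-off, which is the question to answer before deciding whether the warning can be ignored.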

Solution 2

It's just a silly misunderstanding, caused by the hasty decision of the apt maintainers' development team to treat the SHA1 algorithm as obsolete. The problem is that it is directly embedded in the source code of APT, but if you're willing to spend an extra 1-2 hours on building the package yourself, I can tell you how to solve this nuisance. So:

sudo aptitude install git --with-recommends

mkdir build && cd build
git clone https://anonscm.debian.org/git/apt/apt.git --recursive && cd apt && git pull && ls
gedit methods/gpgv.cc

(Other cloning URLs can be found at http://anonscm.debian.org/cgit/apt/apt.git/.)

And correct this section of code as present below:

static constexpr Digest Digests[] = {
   {Digest::State::Untrusted, "Invalid digest"},
   {Digest::State::Untrusted, "MD5"},
   {Digest::State::Trusted, "Reserved digest"},
   {Digest::State::Trusted, "Reserved digest"},
   {Digest::State::Trusted, "Reserved digest"},
   {Digest::State::Trusted, "Reserved digest"},
   {Digest::State::Trusted, "SHA1"},
   {Digest::State::Trusted, "RIPE-MD/160"},
   {Digest::State::Trusted, "SHA256"},
   {Digest::State::Trusted, "SHA384"},
   {Digest::State::Trusted, "SHA512"},
   {Digest::State::Trusted, "SHA224"},
};

Then:

dpkg-buildpackage -b -uc -us -nc -rfakeroot
cd .. && rm -vf *dbg* *doc* *dev* && sudo dpkg -i *.deb
sudo apt update
Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I'm getting this kind of message while updating my Ubuntu 16.04 LTS:

    W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
    W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
    

    Can anyone help me?

  • syncdk
    syncdk about 8 years
    That's one hell of a solution +1... until the next update to apt?
  • user1603472
    user1603472 about 8 years
    Does Google know?
  • Rahul K Jha
    Rahul K Jha about 8 years
    Yes, all repo owners are being notified.
  • Gnimmelf
    Gnimmelf almost 8 years
    Can you elaborate why you think SHA1 is still secure? My understanding (backed up by Wikipedia, for instance) is that it is now possible to generate a collision and thus forge content different to the one that has been signed.
  • Gnimmelf
    Gnimmelf almost 8 years
    -1 This is just a warning, so no action is necessary. In any case, with the next update, the warning will still appear, even after reinstallation.
  • andy.holmes
    andy.holmes over 7 years
    Not to flog a dead horse, but how does the possibility of manufactured SHA1 collisions, which would have to be preceded by a breach of repository security, compare in magnitude to the SNAFU of breaking security updates (notably a widely used web browser)?