Apt warning

[gregorydk]

After every apt-get update, following warning:

W: gpgv:/var/lib/apt/lists/www.a9f.eu_apt_atom_debian_dists_jessie_InRelease: The repository is insufficiently signed by key A1D267C030C00DCB877900ED939C61C5D1270819 (weak digest)

Probably because you use SHA1 or weak digest algorithms.

[alanfranz]

Thanks for your report. You're probably right, but I need to discover how to enable sha256 in aptly. I'll investigate.

[alanfranz]

I confirm the commit that enables sha256 has been committed only very recently in aptly:

smira/aptly-fork@1069458

I employ stable releases. As soon as a stable release is produced, the repos will be sha256 signed. I'll update this ticket then.

[mfonville]

Just chiming in, that these warnings are enabled by default in Ubuntu Xenial.
So it would probably be most practical for end-users if this update would be available at the moment Xenial will be released.

[alanfranz]

Hello, there was no release from aptly yet. I'll try opening a ticket and see if they do one.

https://github.com/smira/aptly/issues/383

[mfonville]

https://github.com/smira/aptly/releases/tag/v0.9.7
:-D

[alanfranz]

I have updated my aptly instance. The only issue is, redeploying an already deployed snapshot is a bit messy.

Since it's only a warning, I'd just wait for the next Atom release; then the repository will be sha256-signed.

I'll keep this open until such time.

[alanfranz]

Hello,
Atom 1.7.2 has been released. I've tried installing it on a Xenial docker container and succeeded with no warning. Could you confirm everything is currently right?

[mfonville]

Yes, no more warnings :-)
👍