Issue after updating to ubuntu 16.04 #295

Closed
rp3e11 opened this issue Apr 29, 2016 · 0 comments

After updating the server we have the agent running on to Ubuntu 16.04
we get the following error:

W: https://apt.buildkite.com/buildkite-agent/dists/stable/Release.gpg:
Signature by key 32A37959C2FA5C3C99EFBC32A79206696452D198 uses weak
digest algorithm (SHA1)

It seems to be related to apt dropping support for SHA1 keys. The same
is supposed to happen with Debian as of January 1st 2017. To my
understanding the fix should be rather straightforward:

https://wiki.debian.org/Teams/Apt/Sha1Removal

boiling down to

The repository owner needs to pass --digest-algo SHA512 or --digest-algo
SHA256 (or another SHA2 algorithm) to gpg when signing the file.
Repositories with DSA keys need to be migrated to RSA first.

Migrating from DSA to RSA is best done by signing the repository with
two keys (old and new one) and shipping the new one to the users. A
relatively safe way to ship the key would be to embed it in the package.
Some months after those changes, it is OK to drop the old key from the
repository and the users machines (if shipped with a package).
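
An added example, not part of the original issue or of the buildkite-agent project: a small Python check that reads the digest algorithm out of each OpenPGP signature packet in a detached signature such as `Release.gpg`, so a repository owner can confirm that re-signing with `--digest-algo SHA512` took effect, including during the two-key DSA-to-RSA migration described above. The names `dearmor`, `packets`, `audit`, `SAMPLE` and the `WEAK` set are assumptions made for this sketch, and the sample bytes are constructed.

```python
import base64

# OpenPGP algorithm IDs (RFC 4880, sections 9.1 and 9.4)
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEYS = {1: "RSA", 17: "DSA"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumed policy set for this example

def dearmor(data):
    """Return raw packets from binary or single-block ASCII-armored input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    rest = data.replace(b"\r\n", b"\n").strip().partition(b"\n\n")[2]
    lines = [l for l in rest.split(b"\n") if l[:1] not in (b"", b"-", b"=")]
    return base64.b64decode(b"".join(lines))  # CRC and END lines dropped

def packets(buf):
    """Yield (tag, body) per packet; RFC 4880 section 4.2 length encodings."""
    i = 0
    while i < len(buf):
        hdr = buf[i]; i += 1
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, buf[i]; i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + buf[i] + 192; i += 1
            else:
                raise ValueError("5-octet/partial lengths not handled")
        else:                                # old-format header
            tag, width = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if width == 8:
                raise ValueError("indeterminate length not handled")
            n = int.from_bytes(buf[i:i + width], "big"); i += width
        yield tag, buf[i:i + n]
        i += n

def audit(sig):
    """Return (key algorithm, digest, is_weak) for each signature packet."""
    out = []
    for body in (b for t, b in packets(dearmor(sig)) if t == 2):
        off = {3: 15, 4: 2}[body[0]]         # v3/v4 layouts; KeyError otherwise
        name = HASHES.get(body[off + 1], f"hash#{body[off + 1]}")
        out.append((PUBKEYS.get(body[off], f"key#{body[off]}"), name, name in WEAK))
    return out

# Constructed sample: leading fields of two v4 signature packets (zero-padded),
# shaped like a Release.gpg signed by an old DSA key and a new RSA key
SAMPLE = bytes([0x88, 6, 4, 0, 17, 2, 0, 0, 0x88, 6, 4, 0, 1, 10, 0, 0])
```

Calling `audit(open("Release.gpg", "rb").read())` on a downloaded signature file returns one tuple per signature; any entry whose third field is `True` is the kind apt warns about.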
