Debian repo uses weak SHA1 hashes #7452

Closed
Daniel15 opened this issue Oct 29, 2016 · 1 comment

Comments

@Daniel15
Member

Daniel15 commented Oct 29, 2016

When using the HHVM Debian repo, apt-get update on Debian and Ubuntu throws this warning:

W: http://dl.hhvm.com/debian/dists/wheezy/InRelease: Signature by key 36AEF64D0207E7EEE352D4875A16E7281BE7A449 uses weak digest algorithm (SHA1)

This is because the InRelease file is signed with SHA1, and SHA1 hashes are being deprecated. You can fix this by adding this to ~/.gnupg/gpg.conf on whichever machine is updating/signing the repo:

cert-digest-algo SHA256
digest-algo SHA256

This will make GPG sign using SHA256 rather than SHA1.
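
A check for the condition in the warning above, as an added example that is not part of the original issue or of HHVM's tooling: it reads the hash algorithm ID from the OpenPGP signature packet inside a clearsigned InRelease file. The sample file and all function names are constructed for illustration, and only the first signature packet is inspected.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def signature_packet(clearsigned):
    """Decode the armored signature block at the end of an InRelease file."""
    lines = clearsigned.splitlines()
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                 lines.index("-----END PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]          # drop armor headers
    # The optional "=XXXX" line is the CRC24 checksum, not signature data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def signature_hash(packet):
    """Return the digest name recorded in the first signature packet."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                          # new-format header
        tag = first & 0x3F
        n = packet[1]
        if 224 <= n < 255:
            raise ValueError("partial body length not supported")
        offset = 2 if n < 192 else 3 if n < 224 else 6
    else:                                     # old-format header
        tag = (first >> 2) & 0x0F
        offset = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("first packet is not a signature")
    body = packet[offset:]
    # v4: version, sig type, pubkey algo, hash algo. v3 stores it at byte 16.
    index = {3: 16, 4: 3}.get(body[0])
    if index is None:
        raise ValueError("unsupported signature version %d" % body[0])
    return HASH_NAMES.get(body[index], "unknown(%d)" % body[index])

def is_weak(clearsigned):
    """True when the signature was made with a deprecated digest."""
    return signature_hash(signature_packet(clearsigned)) in WEAK

def sample_inrelease(hash_id):
    """Constructed sample: truncated v4 packet, not a verifiable signature."""
    body = bytes([4, 0x01, 1, hash_id, 0, 0, 0, 0, 0xAB, 0xCD])
    armored = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: " + HASH_NAMES[hash_id]
            + "\n\nSuite: wheezy\n-----BEGIN PGP SIGNATURE-----\n\n"
            + armored + "\n-----END PGP SIGNATURE-----\n")
```

Run against a repository's real InRelease file, `is_weak` reports whether the re-signing with the gpg.conf settings above took effect.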

@lexidor
Collaborator

lexidor commented Sep 17, 2023

I am going over old issues on this repository, to see which ones apply to the current versions of hhvm.

I have not verified this, since I install on Ubuntu. (I don't get SHA1 notices there, but this might be something that only reproduces on Debian.) No replies or similar issues have been raised on hhvm since 2016. I'll assume this means the SHA1 hash has been replaced by something that is not deprecated.

The last build of hhvm which was packaged for Debian was published late 2022. If this issue persists in the revamped releases, please open a new issue.

@lexidor lexidor closed this as completed Sep 17, 2023