This repository has been archived by the owner on Jul 10, 2022. It is now read-only.

Use SHA256 digest when signing #109

Closed
xose opened this issue Sep 8, 2016 · 2 comments

Comments

@xose

xose commented Sep 8, 2016

APT has deprecated SHA1 signatures on repositories since version 1.2.7. Right now it's only a warning when downloading packages from a SHA1-signed repository, but starting in January 2017 it will become an error.

GPG signs using SHA1 by default, but can be configured to sign using SHA256. This should be the default on deb-s3 to avoid issues in the future. SHA256 has been supported in APT since version 0.7.7 (October 2007) so it should be safe to set as default.

To sign with SHA256 right now, the following option can be used: `--gpg-options='--digest-algo SHA256'`
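A way to check which digest algorithm a repository's existing signature actually uses, so you can tell whether a `Release.gpg` (or any detached OpenPGP signature) was produced with SHA1 or SHA256 before APT starts rejecting it. This is an added example, not code from deb-s3 or from the issue author; it parses the OpenPGP signature packet header itself (RFC 4880 packet framing and the version 3/4 signature layout) instead of calling gpg, so it runs offline. The sample `Release.gpg` files at the bottom are constructed in the script (dummy key material, fake CRC line) purely to exercise the parser; the armor CRC is not verified.

```python
"""Report the hash algorithm used by each OpenPGP signature packet in a
detached signature file such as an APT repository's Release.gpg.

Added example for the SHA1 -> SHA256 signing discussion; not part of deb-s3.
"""
import base64
import re
import sys

# RFC 4880 section 9.4: hash algorithm identifiers carried in signature packets
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests APT (>= 1.2.7) warns about and will eventually refuse
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (headers, blank line, CRC24 line) and base64-decode.
    Binary input is returned unchanged."""
    if b"-----BEGIN PGP" not in data:
        return data
    text = data.decode("ascii")
    m = re.search(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("malformed armor: no END line")
    in_headers, b64 = True, []
    for line in m.group(1).splitlines():
        line = line.strip()
        if in_headers:
            if line == "":            # blank line terminates armor headers
                in_headers = False
                continue
            if ":" in line:           # e.g. "Version: ..." armor header
                continue
            in_headers = False        # armor without the blank line: data starts here
        if not line or line.startswith("="):  # skip CRC24 line ("=XXXX")
            continue
        b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet, handling old- and new-format
    headers with definite lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                  # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hl = first, 2
            elif first < 224:
                length, hl = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hl = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hl = data[i + 1], 2
            elif ltype == 1:
                length, hl = int.from_bytes(data[i + 1:i + 3], "big"), 3
            elif ltype == 2:
                length, hl = int.from_bytes(data[i + 1:i + 5], "big"), 5
            else:
                raise ValueError("indeterminate packet length not supported")
        yield tag, data[i + hl:i + hl + length]
        i += hl + length


def signature_digests(data: bytes) -> list:
    """Return the digest algorithm name of every signature packet (tag 2)."""
    names = []
    for tag, body in iter_packets(dearmor(data)):
        if tag != 2:
            continue
        version = body[0]
        if version in (4, 5):        # v4/v5: version, sigtype, pubkey algo, hash algo
            algo = body[3]
        elif version == 3:           # v3: hash algo follows 8-byte key id + pubkey algo
            algo = body[16]
        else:
            raise ValueError(f"unsupported signature version {version}")
        names.append(HASH_ALGOS.get(algo, f"unknown({algo})"))
    return names


def check_release_signature(data: bytes) -> dict:
    """Summarise a Release.gpg: which digests it uses and whether any are weak."""
    digests = signature_digests(data)
    weak = [d for d in digests if d in WEAK_DIGESTS]
    return {"digests": digests, "weak": weak, "ok": bool(digests) and not weak}


# ---- constructed samples (not real signatures; dummy key material) ----
def _constructed_sig_packet(hash_algo_id: int, new_format: bool = False) -> bytes:
    body = (bytes([4, 0x00, 1, hash_algo_id])   # v4, binary doc, RSA, hash algo
            + b"\x00\x00" + b"\x00\x00"          # no hashed / unhashed subpackets
            + b"\xab\xcd"                        # left 16 bits of the hash (dummy)
            + b"\x00\x08\x5a")                   # 8-bit MPI "signature" (dummy)
    if new_format:
        return bytes([0xC2, len(body)]) + body
    return bytes([0x89]) + len(body).to_bytes(2, "big") + body


def _armor(packets: bytes) -> bytes:
    return (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed-sample\n\n"
            + base64.b64encode(packets) + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")


SAMPLE_SHA1_RELEASE_GPG = _armor(_constructed_sig_packet(2))
SAMPLE_SHA256_RELEASE_GPG = _armor(_constructed_sig_packet(8))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_SHA1_RELEASE_GPG
    print(check_release_signature(blob))
```

Run it as `python3 check_sig_digest.py dists/stable/Release.gpg` against a repository you maintain; a result with `"weak": ["SHA1"]` means the repository was signed with gpg's old default and should be re-signed with `--digest-algo SHA256`. The same function works on `InRelease` once the cleartext part is stripped, since the trailing armored block is a detached signature in the same packet format.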

@richid

richid commented Apr 4, 2018

I spent several hours chasing this down today and, while this is not the fault of deb-s3, I think making this the default would go a long way toward helping others avoid this.

Thanks for the great little utility.

@jarredkenny

jarredkenny commented May 1, 2018

I agree with @richid. I also spent far too much time trying to figure out why apt was complaining about invalid signatures before finding this issue.

+1 for a default of SHA256
