Update Debian build signing to be higher than SHA-256

Description

E-mail from a user:

Currently I'm using your PPA with recently installed Ubuntu 16.04, and
each time I run update APT complains:

W: http://downloads.ortussolutions.com/debs/noarch/Release.gpg:
Signature by key 5BA5CBE89AD1AA71B8ADDD6F7D32E5396DA70622 uses weak
digest algorithm (SHA1)

This doesn't prevent me from installing the CommandBox, but you may want
to check it out anyway.

Link on the subject:

https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/

Activity

Brad Wood June 20, 2017 at 7:47 PM

Awesome, thanks for helping test! I'll mark this ticket completed.

Joseph Gooch June 20, 2017 at 7:39 PM

Verified working. Was able to install 3.7.0-snapshot-1 without any SHA1 warnings.

Brad Wood June 20, 2017 at 7:08 PM

Brad Wood May 30, 2017 at 11:27 PM

Note from via E-mail.

W: http://downloads.ortussolutions.com/debs/noarch/Release.gpg: Signature by key 5BA5CBE89AD1AA71B8ADDD6F7D32E5396DA70622 uses weak digest algorithm (SHA1)

I believe you just need to add this:
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

To your .gnupg/gpg.conf where the files are being signed.
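
One way to confirm which digest a detached signature such as Release.gpg actually uses, before and after the gpg.conf change suggested above. This is an added example, not code from the ticket or the project: it reads the hash algorithm octet from each OpenPGP signature packet as laid out in RFC 4880, and the function names, the WEAK list and the sample packet are assumptions constructed for illustration.

```python
import base64

# Hash algorithm IDs from RFC 4880, section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # this example's policy (assumption)

def dearmor(text):
    """Return the binary OpenPGP data inside an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("")  # a blank line ends the armor headers
    body = [l for l in lines[start + 1:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))

def signature_digests(data):
    """Return the digest name of each signature packet (tag 2) in data."""
    found, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new-format header: one-, two- or five-octet length
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not handled")
        else:  # old-format header: low two bits select the length size
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body, i = data[i:i + length], i + length
        if tag == 2:
            algo = body[{4: 3, 3: 16}[body[0]]]  # hash octet: v4 at 3, v3 at 16
            found.append(HASH_NAMES.get(algo, "unknown(%d)" % algo))
    return found

def weak_digests(armored):
    """Digests in an armored signature file that are on the WEAK list."""
    return [d for d in signature_digests(dearmor(armored)) if d in WEAK]

def constructed_armor(hash_id):
    """Constructed sample: minimal v4 signature packet, not a real signature."""
    body = bytes([4, 0, 1, hash_id, 0, 0, 0, 0, 0xAB, 0xCD, 0, 1, 1])
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n"
```

Passing the text of a real armored signature file to `weak_digests` returns an empty list once every signature in it uses a digest outside the WEAK list.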

Fixed
Created August 3, 2016 at 9:44 PM
Updated June 20, 2017 at 7:47 PM
Resolved June 20, 2017 at 7:47 PM