Page MenuHomePhabricator

Weak digest algorithm (SHA1) used to sign InRelease on apt.wikimedia.org
Open, MediumPublic

Description

This warning gets displayed when running apt-get update on a Debian Sid system:

W: http://apt.wikimedia.org/wikimedia/dists/jessie-wikimedia/InRelease: Signature by key DB3DC2BD4CD504EF2D908FC509DBD9F93F6CD44A uses weak digest algorithm (SHA1)

Event Timeline

ema created this task.Apr 11 2016, 10:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 11 2016, 10:52 AM
ema triaged this task as Medium priority.Apr 12 2016, 6:02 PM

Mentioned in SAL (#wikimedia-operations) [2017-03-29T08:39:24Z] <ema> apt.w.o: set digest-algo to sha256 in gpg.conf T132325

ema added a comment.Mar 29 2017, 8:40 AM

Support for signatures using SHA1 has been disabled altogether starting with apt 1.4~beta1:

W: Failed to fetch http://apt.wikimedia.org/wikimedia/dists/jessie-wikimedia/InRelease The following signatures were invalid: DB3DC2BD4CD504EF2D908FC509DBD9F93F6CD44A

I've added digest-algo sha256 at the bottom of install1002:/root/.gnupg/gpg.conf and that fixed the problem (after calling reprepro export).

faidon added a subscriber: faidon.Apr 3 2017, 4:53 PM

First off, I'm surprised that sid's apt worked with the jessie-wikimedia suite, since jessie-wikimedia is signed with a weak DSA key that shouldn't be accepted by newer apt (I've generated a new RSA4096 key that signs stretch-wikimedia onwards, e301f4a180e6d0e9080ca8af38cf8eeb94bb41e9, for exactly that reason). Are you sure that your apt works after just this change? That is surprising.

Second, you shouldn't use digest-algo but personal-digest-preferences instead, as the manpage says:

In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-digest-preferences is the safe way to accomplish the same thing.

My gpg.conf has:

personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224`
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

(and I believe these may redundant in gpg2/ >= stretch)

Third, whatever this change ends up being, it should be puppetized, both in case of a reinstall and for the codfw-equivalent of install1002, install2002.

Paladox added a subscriber: Paladox.Apr 3 2017, 4:56 PM