apt (1.4~beta1) unstable; urgency=medium
Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
algorithms has been disabled. Repositories using Release files
signed in such a way will stop working. This change has been made
due to security considerations, especially with regards to possible
further breakthroughs in SHA1 breaking during the lifetime
of this APT release series.
It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
behaviour by setting the options
APT::Hashes::SHA1::Weak "yes";
APT::Hashes::RIPE-MD/160::Weak "yes";
Note that setting these options only affects the verification of the overall
repository signature.
-- Julian Andres Klode <jak@debian.org> Fri, 25 Nov 2016 13:19:32 +0100
Updating from the linuxcnc Debian repo results in the following error:
$ apt update
[...]
Err:14 http://linuxcnc.org jessie Release.gpg
The following signatures were invalid: EEDD0D29F81DCAA0D258661F3CB9FD148F374FEF
[...]
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://linuxcnc.org jessie Release: The following signatures were invalid: EEDD0D29F81DCAA0D258661F3CB9FD148F374FEF
W: Failed to fetch http://linuxcnc.org/dists/jessie/Release.gpg The following signatures were invalid: EEDD0D29F81DCAA0D258661F3CB9FD148F374FEF
W: Some index files failed to download. They have been ignored, or old ones used instead.
Since version 1.4 of apt (currently in sid), SHA1 hashes are not supported in Debian repositories:
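The Release.gpg file should be signed using a hash stronger than SHA1.
I think (but I'm not entirely sure) this should help: https://debian-administration.org/users/dkg/weblog/48 for example, set the default digest for your repo key to something else.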
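
To confirm which digest a Release.gpg signature actually uses before and after re-signing, the output of `gpg --list-packets` can be classified as below. This is an added example, not part of the original report or of apt; the function names `sig_digests` and `sample_packets`, the sample key IDs and the decision to count MD5 as weak are assumptions.

```shell
#!/bin/sh
# Read `gpg --list-packets` output on stdin and report, per signature packet,
# the key ID, digest algorithm and a verdict. Exit status 1 if any is weak.
# Real use: gpg --list-packets Release.gpg | sig_digests
sig_digests() {
    awk '
        BEGIN {
            # OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
            name[1] = "MD5";    name[2] = "SHA1";   name[3] = "RIPEMD160"
            name[8] = "SHA256"; name[9] = "SHA384"; name[10] = "SHA512"
            name[11] = "SHA224"
            # 2 and 3 are what the apt 1.4 NEWS entry disables; counting
            # MD5 as weak as well is an assumption of this example.
            weak[1] = 1; weak[2] = 1; weak[3] = 1
        }
        /^:/ { insig = 0 }   # any new packet header ends the previous packet
        /^:signature packet:/ {
            insig = 1; keyid = "unknown"
            for (i = 1; i < NF; i++) if ($i == "keyid") keyid = $(i + 1)
        }
        insig && match($0, /digest algo [0-9]+/) {
            # "digest algo " is 12 characters; the rest of the match is the ID.
            id = substr($0, RSTART + 12, RLENGTH - 12) + 0
            verdict = (id in weak) ? "weak" : "ok"
            if (id in weak) bad = 1
            printf "%s %s %s\n", keyid, ((id in name) ? name[id] : "algo" id), verdict
        }
        END { exit (bad + 0) }
    '
}

# Constructed sample shaped like gpg --list-packets output (not a real signature).
sample_packets() {
    printf '%s\n' \
        ':signature packet: algo 1, keyid 0123456789ABCDEF' \
        '    version 4, created 1480076372, md5len 0, sigclass 0x00' \
        '    digest algo 2, begin of digest 5f 1a' \
        ':signature packet: algo 1, keyid FEDCBA9876543210' \
        '    version 4, created 1480076372, md5len 0, sigclass 0x00' \
        '    digest algo 10, begin of digest 9c 44'
}

sample_packets | sig_digests || echo "weak signature digest found"
```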