How to fix apt: Signature by key uses weak digest algorithm (SHA1)?

I started setting up by adding repositories and then went to run a sudo apt-get update again before I started installing other software, and I get the Signature key lines and it stops. So it essentially won't let me update any packages now.
d@EliteBook:~/Downloads$ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable Release 
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease 
Get:5 http://ca.archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Hit:6 http://ca.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://ca.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 247 kB in 0s (256 kB/s) 
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by 
key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
d@EliteBook:~/Downloads$
I've never seen this before whenever I set up and start installing things in Ubuntu. Is there something else I can do?
apt
asked Apr 22 '16 at 19:43 by dlchang
edited Jun 9 '16 at 16:57 by Braiam

Having the exact same problem. I guess it can only be fixed on Google's side or maybe allow checking for updates in repositories with "weak security algorithms" but I don't know how and would likely be a security risk. As stated in this blog, the move was from upsource in Debian unstable and Canonical included it because: > Xenial (Ubuntu 16.04 LTS) will be supported for 5 years, and the landscape may change a lot in the next 5 years. By the way, there is a bug filed in Launchpad [here](bugs.launchpad.net/ubuntu
– CodeHarmonics, Apr 22 '16 at 22:44

Not only with Google, I have the same problem with Samsung drivers and Virtualbox...
– ionreflex, Apr 24 '16 at 19:20

As a temporary workaround, for almost all intents and purposes, you may try and install the mostly identical chromium-browser. Since it comes from the Canonical repos, it shouldn't have this issue.
– arielf, Apr 25 '16 at 1:58

Where is the appropriate place to report this back to Google to fix the issue with their Google Chrome repository?
– orschiro, Apr 26 '16 at 5:28

@arielf Ya, I ended up doing that while waiting for a fix from Google, as that seems to be the only thing that can be done from my searching around forums.
– dlchang, Apr 26 '16 at 6:38

 4 Answers
To avoid this error, you can remove the repository.
Please note that removing the repository will prevent Chrome from getting any updates, including important security updates!
This will make your browser vulnerable to an increasing number of threats over time!
If you really want to entirely remove or disable the repository, you should consider uninstalling Chrome and moving on to a different browser, like its open-source variant chromium.
This note was added by ByteCommander.
At first search for Software and Updates in the Dash. Open it and switch to the Other Software tab.
In there look for an entry like this one:
http://dl.google.com/linux/earth/deb/dists/stable/

and remove it.
Finally go to the Authentication tab and you will find something mentioning "Google", remove that too.
It should stop showing that annoying error message every time you try to update your repositories now.
 
 
This would also stop future updates to Google Chrome, which is probably not what the OP wants.
– edwinksl, Jun 14 '16 at 9:42

Note: The chrome ppa has now been fixed.
– starbeamrainbowlabs, Jul 19 '16 at 5:47

The problem with the Google source is on Google's end, but apt-get is just reporting the issue as a warning. This issue does not stop you from upgrading packages.
You are using apt-get and what you are seeing is the normal behavior after running update: it performs the update but does not provide additional information.
You need to follow sudo apt-get update with sudo apt-get upgrade to see if any package upgrades are available.
The newer sudo apt update (notice it's just apt) does provide feedback about the results.
By using apt, you will either see a message that 
All packages are up to date
or
The following packages will be upgraded:
Also see apt list --upgradeable.
answered Apr 25 '16 at 3:55 by chaskes
edited Nov 3 '16 at 14:04 by amc

Oh, I didn't know about the newer sudo apt update, thank you I'll try that. And I guess I just thought it didn't work at all was because the last lines were the Signature lines and it just stopped after that so I assumed it wasn't updating. So that is just a warning for that issue, but continues without interfering with other updates?
– dlchang, Apr 25 '16 at 7:56

@dlchang That's correct. :)
– chaskes, Apr 25 '16 at 15:13

Chrome is the IE of the next decade... anyway, this is not true about "All packages are up to date" with apt, I get the exact same warnings. Chrome has had so many issues like this in the last few months, it's amazing Linux users even use it (I have to for webdev, unfortunately).
– Todd, May 18 '16 at 15:21

@Todd You will still get the warnings as the Google repository is still signed with an SHA1 key which is deprecated. The reason for this is because SHA1 has been found to have collisions that decrease its effective strength, weakening its security to an unacceptable degree. It's the same reason why browsers, including ironically Chrome itself, will complain about SSL certificates using SHA1. The effective strength is only around 2^60-2^70 operations or so now, not good enough when considering a 20+ TFLOPS GPU compute machine is cheap enough.
– MttJocy, May 24 '16 at 2:48

apt does not work for me as you explain. It says 7 packages can be upgraded. Run 'apt list --upgradable' to see them.
– musiKk, Aug 18 '16 at 5:20

Debian and Ubuntu enforce SHA256 or higher entries in the Release and/or Packages files since March. Repositories missing these need to be fixed by their owners.
There is an overview of broken repositories in the Debian wiki.
answered May 2 '16 at 22:08 by webwurst

As @chaskes says this is a problem with the repository not with your computer.
@webwurst has good links to the underlying problem. There's also a clarification about the signatures.
If you are hosting a repository which is giving these errors. The solution is to change the default cert-digest-algo to be SHA256. By default gnupg defaults to using SHA1
After you fix this issue the next warning will be that the signature "uses weak digest algorithm (SHA1)" And to fix that you can set digest-algo to SHA256 as well. 
These values go on the repository server in the gpg.conf which the repository is using.
The short hand is to append
cert-digest-algo SHA256
digest-algo SHA256
to your ~/.gnupg/gpg.conf file. 
Our project has it ticketed here which should have an example of how to fix it for our deployment mechanism.
edited Apr 21 '17 at 4:53
Anwar
answered May 23 '16 at 22:33
Tully
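A repository maintainer can confirm that the gpg.conf change described in the answer above took effect by reading the digest algorithm ID out of each OpenPGP signature packet, either in Release.gpg (digest-algo) or in the exported public key, whose self-signatures reflect cert-digest-algo. This is an added example, not part of the original answer and not code from apt or GnuPG; the function names and the sample bytes are constructed for illustration, and treating MD5 and RIPEMD160 as weak alongside SHA1 is an assumption.

```python
import base64

# RFC 4880 section 9.4 hash algorithm IDs.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# SHA1 is the digest the apt warning names; MD5 and RIPEMD160 are assumed weak too.
WEAK = {"MD5", "SHA1", "RIPEMD160"}
# Constructed sample: minimal v4 signature packet with hash ID 2 (not a real signature).
SAMPLE_SHA1 = bytes.fromhex("880d" "04000102" "00000000" "abcd" "0008ff")

def dearmor(data: bytes) -> bytes:
    """Binary packets from an ASCII-armored (or already binary) signature or key."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [line.strip() for line in data.strip().splitlines()]
    start = lines.index(b"") + 1 if b"" in lines else 1  # skip armor headers
    body = [l for l in lines[start:-1] if not l.startswith(b"=")]  # drop CRC24 line
    return base64.b64decode(b"".join(body))

def signature_digests(data: bytes) -> list:
    """Digest algorithm name of each signature packet (tag 2) found in data."""
    buf, pos, found = dearmor(data), 0, []
    while pos < len(buf):
        hdr, pos = buf[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first, pos = hdr & 0x3F, buf[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + buf[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(buf[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 1, 2 or 4 length octets
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body, pos = buf[pos:pos + length], pos + length
        if tag == 2:  # v4 and later: hash ID at offset 3; v3: at offset 16
            algo = body[3] if body[0] >= 4 else body[16]
            found.append(HASH_NAMES.get(algo, f"unknown({algo})"))
    return found

def weak_digests(data: bytes) -> list:
    return [name for name in signature_digests(data) if name in WEAK]
```

On a real repository, pass the raw bytes of the detached Release.gpg file; an empty list from `weak_digests` means no signature packet in the file uses a flagged digest. Clearsigned InRelease files are not handled by this sketch.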
To avoid this error, you can remove the repository.
Please note that removing the repository will prevent Chrome from getting any updates, including important security updates!
This will make your browser vulnerable to an increasing number of threats over time!
If you really want to entirely remove or disable the repository, you should consider uninstalling Chrome and moving on to a different browser, like its open-source variant chromium.
This note was added by ByteCommander.
First, search for Software and Updates in the Dash. Open it and switch to the Other Software tab.
In there, look for an entry like this one:
http://dl.google.com/linux/earth/deb/dists/stable/
and remove it.
Finally, go to the Authentication tab and you will find something mentioning "Google"; remove that too.
It should stop showing that annoying error message every time you try to update your repositories now.
edited Apr 13 '17 at 12:23
Community♦
answered Jun 14 '16 at 8:50
Hayet Mahamud
This would also stop future updates to Google Chrome, which is probably not what the OP wants.
– edwinksl Jun 14 '16 at 9:42
Note: The chrome ppa has now been fixed.
– starbeamrainbowlabs Jul 19 '16 at 5:47
Having the exact same problem. I guess it can only be fixed on Google's side or maybe allow checking for updates in repositories with "weak security algorithms" but I don't know how and would likely be a security risk. As stated in this blog, the move was from upsource in Debian unstable and Canonical included it because: > Xenial (Ubuntu 16.04 LTS) will be supported for 5 years, and the landscape may change a lot in the next 5 years. By the way, there is a bug filed in Launchpad [here](bugs.launchpad.net/ubuntu
– CodeHarmonics Apr 22 '16 at 22:44
Not only with Google, I have the same problem with Samsung drivers and Virtualbox...
– ionreflex Apr 24 '16 at 19:20
As a temporary workaround, for almost all intents and purposes, you may try and install the mostly identical chromium-browser. Since it comes from the Canonical repos, it shouldn't have this issue.
– arielf Apr 25 '16 at 1:58
Where is the appropriate place to report this back to Google to fix the issue with their Google Chrome repository?
– orschiro Apr 26 '16 at 5:28
@arielf Ya, I ended up doing that while waiting for a fix from Google, as that seems to be the only thing that can be done from my searching around forums.
– dlchang Apr 26 '16 at 6:38