8

I publish a Debian repository. It was signed with a 4096-bit GPG key, and has been merrily in use from Debian 7 and Debian 8 systems for some time. Recently, one of my users reported that Debian 9 was having problems with it. Specifically, apt-get update was yielding: 

Reading package lists... Done
   W: GPG error: http://Debian-repository.JdeBP.info. stable InRelease: The following signatures were invalid: A71733F3CEBD655CB25A0DDCE1E3A497555CE68F
   W: The repository 'http://Debian-repository.JdeBP.info. stable InRelease' is not signed.

Note that unlike the people at "Repo APT secure - apt-get update GPG signature were invalid" and "Frustrated with aptly and GPG signing" I am not using aptly. So clearly I am not suffering from an aptly bug of any kind. (-:

So what is the problem?

Stephen Kitt
  • 434,908
JdeBP
  • 68,745
  • Note that that's a different error message, asks what the end user can do rather than looking at things from the repository publisher's perspective, and that that question is from March 2016 when the change discussed here happened to APT in November 2016. – JdeBP Aug 18 '17 at 22:10
  • I agree the perspective is different. – Stephen Kitt Aug 19 '17 at 07:14

2 Answers2

9

The cause of the problem is that with no update to the Debian wiki or other similar doco, and pretty much only a couple of largely Ubuntu-related announcements on a non-Debian personal WWW site, support for keys that state a preference for SHA-1 encryption has been turned off in APT as of Debian 9. (Specifically, it was turned off in APT version 1.4~beta1, and Debian 9 has version 1.4.7.)

So a repository publisher needs to do two things:

  • Adjust the personal-digest-preferences and personal-cipher-preferences in $HOME/.gnupg/gpg.conf to eliminate SHA-1 from one's GPG preferences. This prevents the problem coming back with new keys.
  • Adjust the preferences that are contained in the current repository signing key to eliminate SHA-1 from there too. For that one needs to:
    • Run 
      gpg --edit-key "${key_fingerprint}"
      substituting the appropriate key fingerprint, then edit the key preferences with the pref and setpref commands, then save the key to the keyring.
    • Export the public key of the updated key from the keyring to a file.
    • Re-sign the repository with the modified signing key.
    • Publish the updated signing key's public key file.

Note that it is not necessary to generate a new signing key, and that the updated key with SHA-1 removed will continue to interoperate with the older Debian 8 APT.

Further reading

JdeBP
  • 68,745
4

As JdeBP already pointed out, as of Debian 9 apt no longer supports SHA-1, meaning the InRelease file needs to be created with SHA-256 instead (the same goes for Release.pg).

What fixed it for me was specifying -digest-algo SHA256 as a parameter to gpg, so the complete sequence would be:

  1. Create the package:

    dpkg-deb --build ${PACKAGE_NAME}-1.0/
sudo rm ${SOME_TEMP_PATH}/*
mv ${PACKAGE_NAME_name}-1.0.deb ${SOME_TEMP_PATH}/
dpkg-scanpackages ${SOME_TEMP_PATH} /dev/null | gzip -9c > ${SOME_TEMP_PATH}/Packages.gz
sudo rm ${PATH_TO_REPO_IN_WWW_SERVER}/*
sudo cp ${SOME_TEMP_PATH}/* ${PATH_TO_REPO_IN_WWW_SERVER}
cd ${PATH_TO_REPO_IN_WWW_SERVER}

  2. Sign it:

    apt-ftparchive --md5 --sha256 release .  > Release 
gpg --digest-algo SHA256 --armor --output Release.gpg --detach-sign Release
gpg --digest-algo SHA256 --clearsign --output InRelease Release

Signing could also be done from the temp folder and then copying to the web server folder the complete thing, or you might want to play around with paths, namely the "." used when calling apt-ftparchive, if you want to store your .debs in a separate tree.

perror
  • 3,239
  • 7
  • 33
  • 45
Ricardo Rodrigues
  • 41