How can I fix "W: <...> The repository is insufficiently signed by the key <...> (weak digest)" in my private repository?

I maintain a series of private repositories. The gpg keys used to sign the repo were made with "Key-Type: RSA" and "Key-Length: 4096". The version of GPG used to generate the keys is 1.4.16 on Ubuntu 14.04. The machine that complains has gpg 1.4.20 (on a beta of 16.04).

How can I fix "W: <...> The repository is insufficiently signed by the key <...> (weak digest)" in my private repository?

I'll admit that I don't konw too much about encryption, but I would have thought that 4096-length RSA key would have been sufficient.


Solution 1:

The warning message is not about the encryption algorithm (4k RSA keys are considered totally fine and best practice right now). The digest algorithm is something else though: the hashing algorithm applied on the message body (in your case, the packages or package lists) which are then signed. GnuPG has rather conservative defaults to stay compatible, but those are slowly outpaced by progresses made in cryptanalysis.

You do not have to create a new key, but simply change the settings for GnuPG. The proposals by the Debian-administrator blog are still fine and help you setting reasonable defaults which are rather a little bit overcautious:

  1. Set up the preferences to be used by GnuPG (for signing messages, encrypting to others, ...):

    cat >>~/.gnupg/gpg.conf <<EOF
    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    EOF
    
  2. Setting preferred algorithms in your key to be used by others (at the same time adds a new self-signature with the updated settings from #1 above):

    $ gpg --edit-key $KEYID
    Command> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
    Command> save
    

In future, digest algorithms considered secure should be chosen by GnuPG.