How to fix apt: Signature by key uses weak digest algorithm (SHA1)?

I started setting up by adding repositories and then went to run a sudo apt-get update again before I started installing other software, and I get the Signature key lines and it stops. So it essentially won't let me update any packages now.

d@EliteBook:~/Downloads$ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable Release                     
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease              
Get:5 http://ca.archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Hit:6 http://ca.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://ca.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 247 kB in 0s (256 kB/s)                   
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by 
key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
d@EliteBook:~/Downloads$

I've never seen this before whenever I set up and start installing things in Ubuntu. Is there something else I can do?


The problem with the Google source is on Google's end, but apt-get is just reporting the issue as a warning. This issue does not stop you from upgrading packages.

You are using apt-get and what you are seeing is the normal behavior after running update: it performs the update but does not provide additional information.

You need to follow sudo apt-get update with sudo apt-get upgrade to see if any package upgrades are available.

The newer sudo apt update (notice it's just apt) does provide feedback about the results.

By using apt, you will either see a message that

All packages are up to date

or

The following packages will be upgraded:

Also see apt list --upgradeable.


Debian and Ubuntu enforce SHA256 or higher entries in the Release and/or Packages files since March. Repositories missing these need to be fixed by their owners.

There is an overview of broken repositories in the Debian wiki.


As @chaskes says, this is a problem with the repository, not with your computer.

@webwurst has good links to the underlying problem. There's also a clarification about the signatures.

If you are hosting a repository which is giving these errors, the solution is to change the default cert-digest-algo to SHA256. By default, gnupg uses SHA1.

After you fix this issue, the next warning will be that the signature "uses weak digest algorithm (SHA1)". To fix that, you can set digest-algo to SHA256 as well.

These values go on the repository server in the gpg.conf which the repository is using.

The short hand is to append

cert-digest-algo SHA256
digest-algo SHA256

to your ~/.gnupg/gpg.conf file.

Our project has it ticketed here which should have an example of how to fix it for our deployment mechanism.
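As an added check (this is not code from the answer above or from any of the linked projects), the following Python script reads a detached Release.gpg file and reports which digest algorithm each signature packet declares, following the RFC 4880 packet layout. That field is where gpgv gets the algorithm name that apt prints in the warning, so a repository owner can confirm the gpg.conf change took effect before publishing. The sample packets are constructed with dummy signature values (they verify nothing), and the set of algorithms flagged as weak is this script's own classification.

```python
"""Report the digest algorithm declared by each signature packet in an
OpenPGP detached signature such as apt's Release.gpg (RFC 4880 layout).
Constructed example; not code from the Ask Ubuntu answers."""
import base64
import sys

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Our own classification of digests that should no longer sign Release files
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes from either binary or ASCII-armored input."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii").splitlines():
        if line.startswith("-----END"):
            break
        if in_body:
            if not line.startswith("="):   # skip the radix-64 CRC line
                body.append(line)
        elif line.strip() == "":           # blank line ends the armor headers
            in_body = True
    return base64.b64decode("".join(body))


def armor(raw: bytes) -> bytes:
    """ASCII-armor raw packets (CRC line omitted; dearmor() ignores it anyway)."""
    b64 = base64.b64encode(raw).decode("ascii")
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + b64
            + "\n-----END PGP SIGNATURE-----\n").encode("ascii")


def read_packet(buf: bytes, pos: int):
    """Parse one packet header at buf[pos]; return (tag, body, next_pos)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError(f"invalid packet header at offset {pos}")
    if first & 0x40:                       # new-format header
        tag = first & 0x3F
        l0 = buf[pos + 1]
        if l0 < 192:
            length, hdr = l0, 2
        elif l0 < 224:
            length, hdr = ((l0 - 192) << 8) + buf[pos + 2] + 192, 3
        elif l0 == 255:
            length, hdr = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                  # old-format header
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length = int.from_bytes(buf[pos + 1:pos + 1 + size], "big")
        hdr = 1 + size
    start = pos + hdr
    body = buf[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, start + length


def signature_hash_algo(body: bytes) -> int:
    """Return the hash algorithm id from a v3 or v4 signature packet body."""
    version = body[0]
    if version == 4:
        return body[3]      # version, sig type, pubkey algo, hash algo
    if version == 3:
        return body[16]     # version, 0x05, type, time(4), key id(8), pk algo, hash
    raise ValueError(f"unsupported signature version {version}")


def audit_signature_file(data: bytes):
    """Return [(hash_name, is_weak)] for every signature packet in the file."""
    buf = dearmor(data)
    pos, results = 0, []
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)
        if tag != 2:                       # tag 2 is a signature packet
            continue
        name = HASH_ALGOS.get(signature_hash_algo(body), "unknown")
        results.append((name, name in WEAK_DIGESTS))
    return results


def _fake_sig_packet(hash_algo: int, new_format: bool) -> bytes:
    """Constructed v4 signature packet: structurally valid, dummy contents."""
    body = (bytes([4, 0x00, 1, hash_algo])  # v4, binary doc, RSA, hash algo
            + b"\x00\x00" + b"\x00\x00"     # no hashed / unhashed subpackets
            + b"\xab\xcd"                   # left 16 bits of the hash
            + b"\x00\x01\x01")              # 1-bit MPI signature value
    header = bytes([0xC2 if new_format else 0x88, len(body)])  # tag 2
    return header + body


# Constructed stand-in for a Release.gpg signed by two keys, SHA1 then SHA256
SAMPLE_RELEASE_GPG = _fake_sig_packet(2, False) + _fake_sig_packet(8, True)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RELEASE_GPG
    for name, weak in audit_signature_file(data):
        print(f"signature digest: {name}{'  <-- weak' if weak else ''}")
```

Run it against the files apt has already fetched, for example `python3 audit_sig.py /var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg`, or against the Release.gpg you are about to publish; `gpg --list-packets Release.gpg` shows the same value as "digest algo 2" (SHA1) or "digest algo 8" (SHA256) if you prefer a cross-check.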


To avoid this error, you can remove the repository.

Please note that removing the repository will prevent Chrome from getting any updates, including important security updates!
This will make your browser vulnerable to an increasing number of threats over time!

If you really want to entirely remove or disable the repository, you should consider uninstalling Chrome and moving on to a different browser, like its open-source variant chromium.

This note was added by ByteCommander.

First, search for Software and Updates in the Dash. Open it and switch to the Other Software tab.

In there look for an entry like this one:

http://dl.google.com/linux/earth/deb/dists/stable/


and remove it.

Finally go to the Authentication tab and you will find something mentioning "Google", remove that too.

It should stop showing that annoying error message every time you try to update your repositories now.