reprepro: Signature by key uses weak digest algorithm (SHA1)

I'm hosting some internal repositories using reprepro.

After the upgrade of the clients to Ubuntu 16.04, apt-get update gives a warning "InRelease: Signature by key ... uses weak digest algorithm (SHA1)".

InRelease file starts like that:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So, reprepro has signed the InRelease file with a SHA1. How can I change it to SHA256 or SHA512?


You can fix this by modifying the ~/.gnupg/gpg.conf file of the user account which will be running reprepro and adding this line to the file digest-algo sha256. All signatures made with GPG by this user will use the SHA256 digest algorithm by default, thus, signatures made by reprepro will be sha256, as well.

If you want to learn more about GPG, APT, and Debian packages, I wrote a comprehensive blog post about signing and verifying Debian packages and APT repositories that may be helpful.