reprepro: Signature by key uses weak digest algorithm (SHA1)
I'm hosting some internal repositories using reprepro.
After the upgrade of the clients to Ubuntu 16.04, apt-get update
gives a warning "InRelease: Signature by key ... uses weak digest algorithm (SHA1)".
InRelease file starts like that:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So, reprepro has signed the InRelease file with SHA1. How can I change it to SHA256 or SHA512?
You can fix this by modifying the ~/.gnupg/gpg.conf
file of the user account which will be running reprepro
and adding this line to the file:

digest-algo sha256

All signatures made with GPG by this user will use the SHA256 digest algorithm by default, thus signatures made by reprepro
will be SHA256 as well.
If you want to learn more about GPG, APT, and Debian packages, I wrote a comprehensive blog post about signing and verifying Debian packages and APT repositories that may be helpful.
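As an added example (not part of the question or the answer above), the following POSIX shell snippet does the two things an operator actually wants here: it reads the digest a clearsigned InRelease declares in its "Hash:" armor header, classifies it as weak or not, and applies the "digest-algo sha256" setting to a gpg.conf without duplicating the option if one is already present. The InRelease text and the gpg.conf contents are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example: inspect the digest declared by a clearsigned InRelease and
# set digest-algo in a gpg.conf. Not code from reprepro, apt or the answer.

# Constructed sample: the first lines of an InRelease clearsigned with SHA1,
# as in the question.
SAMPLE_INRELEASE_SHA1='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: internal
Label: internal
Suite: stable'

# Constructed sample: the same file after re-signing with digest-algo sha256.
SAMPLE_INRELEASE_SHA256='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: internal'

# Print the digest named in the "Hash:" armor header of a clearsigned file
# read on stdin. The header sits in the first few lines, before the blank
# line that ends the armor headers.
inrelease_digest() {
    awk 'NR <= 5 && /^Hash: / { print $2; exit }'
}

# Return 0 when the digest is one apt reports as weak (MD5, SHA1, RIPEMD160).
is_weak_digest() {
    case "$1" in
        MD5|SHA1|RIPEMD160) return 0 ;;
        *) return 1 ;;
    esac
}

# Ensure "digest-algo <algo>" is present exactly once in the gpg.conf given
# as $1 (default algo: sha256). Prints the resulting line. Uses a temp file
# instead of sed -i so it works on both GNU and BSD sed.
set_digest_algo() {
    conf="$1"
    algo="${2:-sha256}"
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^digest-algo ' "$conf"; then
        sed "s/^digest-algo .*/digest-algo $algo/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'digest-algo %s\n' "$algo" >> "$conf"
    fi
    grep '^digest-algo ' "$conf"
}

# Convenience check for a real file: prints "weak" or "ok" and the digest.
check_inrelease_file() {
    d=$(inrelease_digest < "$1")
    if is_weak_digest "$d"; then
        printf 'weak %s\n' "$d"
    else
        printf 'ok %s\n' "${d:-unknown}"
    fi
}
```

Usage: `check_inrelease_file /srv/repo/dists/stable/InRelease` on the published repository, then `set_digest_algo ~/.gnupg/gpg.conf` as the reprepro user. The gpg.conf change only affects signatures made from then on, so the existing InRelease keeps its SHA1 signature until reprepro regenerates it (for example with `reprepro export`). For a definitive check of the signature itself rather than the armor header, `gpg --list-packets InRelease` shows the OpenPGP digest id in the signature packet: 2 is SHA1, 8 is SHA256, 10 is SHA512.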