Google's certificates insufficient


Post by sgosnell » 2016-03-23 04:03

I have some Google repositories in my sources.list.d directory, as well as Dropbox and a few others. I run Chrome browser and Google music manager, Dropbox, etc, and they have their own repositories for updates. Debian has a lot of packages, but not everything. Lately, when running an update, I get interesting results.
Code:
Reading package lists... Done
W: gpgv:/var/lib/apt/lists/linux.dropbox.com_debian_dists_jessie_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)
W: gpgv:/var/lib/apt/lists/masi.vuse.vanderbilt.edu_neurodebian_dists_data_InRelease: The repository is insufficiently signed by key DD95CC430502E37EF840ACEEA5D32F012649A5A9 (weak digest)
W: gpgv:/var/lib/apt/lists/masi.vuse.vanderbilt.edu_neurodebian_dists_sid_InRelease: The repository is insufficiently signed by key DD95CC430502E37EF840ACEEA5D32F012649A5A9 (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.
I'm not sure exactly what happened with Debian's certificate handling, I don't keep up with Debian mailing lists, but something has certainly hit the fan. It's not the end of the world yet, but it's a little annoying. Anybody have any insight into this?

Re: Google's certificates insufficient

Post by reinob » 2016-03-23 12:38

Yup. apt/apt-get now considers SHA-1 to be deprecated, and informs you of that. Nothing to worry about (for now). This is to encourage repository maintainers to upgrade.
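As an added illustration (not part of any post in this thread, and not apt's own code), this Python example groups the "weak digest" warnings quoted in the first post by signing key and checks whether a Release file has any checksum section stronger than SHA-1. The Release file content is constructed, and the set of digests treated as strong (SHA256, SHA512) is an assumption of the example.

```python
import re
from collections import defaultdict

# Sample warnings copied from the apt output in the first post of this thread.
APT_LOG = """\
W: gpgv:/var/lib/apt/lists/linux.dropbox.com_debian_dists_jessie_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
"""

# Constructed Release file for illustration: only MD5 and SHA-1 checksum sections.
RELEASE = """\
Origin: Example
Suite: stable
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
SHA1:
 0123456789abcdef0123456789abcdef01234567 1234 main/binary-amd64/Packages
"""

WEAK_SIG = re.compile(
    r"^W: gpgv:/var/lib/apt/lists/(?:partial/)?(?P<list>\S+?)_dists_\S+: "
    r"The repository is insufficiently signed by key (?P<key>[0-9A-F]{40}) \(weak digest\)$"
)
STRONG = {"SHA256", "SHA512"}  # assumption: digests this example treats as strong


def weak_signers(log):
    """Map each signing-key fingerprint to the repositories it weakly signed."""
    repos = defaultdict(set)
    for line in log.splitlines():
        m = WEAK_SIG.match(line)
        if m:
            # apt list file names encode '/' in the repository URL as '_'.
            repos[m["key"]].add(m["list"].replace("_", "/"))
    return {key: sorted(names) for key, names in repos.items()}


def checksum_sections(release_text):
    """Return the checksum section names present in a Release file."""
    return [line[:-1] for line in release_text.splitlines()
            if re.fullmatch(r"(MD5Sum|SHA1|SHA256|SHA512):", line)]


def has_strong_hash(release_text):
    """True if at least one checksum section is in the STRONG set."""
    return bool(STRONG & set(checksum_sections(release_text)))
```

Grouping by key shows that one Google key accounts for both the Chrome and Music Manager warnings, so a single re-signing by that maintainer clears both.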

Re: Google's certificates insufficient

Post by Innovate » 2016-04-05 12:15

Hmm? Debian Jessie as well?
I thought it affected just Stretch Testing, Sid channel.

https://wiki.debian.org/Teams/Apt/Sha1Removal

Seems Ubuntu-based systems are affected as well.
https://bugs.launchpad.net/ubuntu/+sour ... ug/1558331

But good news a moment ago. Today they've finally fixed the gpg bug that disappeared whole from software-properties-gtk,
which was affected for more than 3 weeks. Now they've all finally appeared back on my Testing channel.

Re: Google's certificates insufficient

Post by sgosnell » 2016-04-06 03:48

What does "Stretch Testing, Sid channel" mean? You should be running either Testing or Sid, not both. Mixing them will bork your system.

Re: Google's certificates insufficient

Post by Innovate » 2016-04-06 18:55

sgosnell wrote: What does "Stretch Testing, Sid channel" mean? You should be running either Testing or Sid, not both. Mixing them will bork your system.

What are you talking about?

I run Testing on my PC,
and the other one, Sid, on a laptop, separately.
Does talking about both always mean I have to use the same partition?