Google's certificates insufficient

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Google's certificates insufficient

#1 Post by sgosnell »

I have some Google repositories in my sources.list.d directory, as well as Dropbox and a few others. I run Chrome browser and Google music manager, Dropbox, etc, and they have their own repositories for updates. Debian has a lot of packages, but not everything. Lately, when running an update, I get interesting results.

Code:

Reading package lists... Done
W: gpgv:/var/lib/apt/lists/linux.dropbox.com_debian_dists_jessie_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)
W: gpgv:/var/lib/apt/lists/masi.vuse.vanderbilt.edu_neurodebian_dists_data_InRelease: The repository is insufficiently signed by key DD95CC430502E37EF840ACEEA5D32F012649A5A9 (weak digest)
W: gpgv:/var/lib/apt/lists/masi.vuse.vanderbilt.edu_neurodebian_dists_sid_InRelease: The repository is insufficiently signed by key DD95CC430502E37EF840ACEEA5D32F012649A5A9 (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.

I'm not sure exactly what happened with Debian's certificate handling, I don't keep up with Debian mailing lists, but something has certainly hit the fan. It's not the end of the world yet, but it's a little annoying. Anybody have any insight into this?
Take my advice, I'm not using it.

reinob
Posts: 1195
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: Google's certificates insufficient

#2 Post by reinob »

sgosnell wrote: I have some Google repositories in my sources.list.d directory, as well as Dropbox and a few others. I run Chrome browser and Google music manager, Dropbox, etc, and they have their own repositories for updates. Debian has a lot of packages, but not everything. Lately, when running an update, I get interesting results.

Code:

Reading package lists... Done
W: gpgv:/var/lib/apt/lists/linux.dropbox.com_debian_dists_jessie_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)
W: gpgv:/var/lib/apt/lists/masi.vuse.vanderbilt.edu_neurodebian_dists_data_InRelease: The repository is insufficiently signed by key DD95CC430502E37EF840ACEEA5D32F012649A5A9 (weak digest)
W: gpgv:/var/lib/apt/lists/masi.vuse.vanderbilt.edu_neurodebian_dists_sid_InRelease: The repository is insufficiently signed by key DD95CC430502E37EF840ACEEA5D32F012649A5A9 (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://dl.google.com/linux/chrome/deb stable InRelease' doesn't support architecture 'i386'
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.

I'm not sure exactly what happened with Debian's certificate handling, I don't keep up with Debian mailing lists, but something has certainly hit the fan. It's not the end of the world yet, but it's a little annoying. Anybody have any insight into this?

Yup. apt/apt-get now considers SHA-1 to be deprecated, and informs you of that. Nothing to worry about (for now). This is to encourage repository maintainers to upgrade.
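
Added example, not part of any post in this thread: a small shell filter that separates the two kinds of message in the apt output above, the "weak digest" signature warnings (the repository is still used) and the "No Hash entry" failure (that index is not used). The function names and the output columns are assumptions made for this example; the sample lines are copied from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: classify apt signature/hash messages read from stdin.
# Output columns (tab-separated): SEVERITY, REPO-OR-URL, KEY, REASON

triage_apt_warnings() {
    awk '
    /insufficiently signed by key/ {
        # $2 is "gpgv:/var/lib/apt/lists/[partial/]<repo>_Release.gpg:"
        n = split($2, parts, "/")
        repo = parts[n]
        sub(/:$/, "", repo)
        sub(/_(Release\.gpg|InRelease)$/, "", repo)
        key = "-"
        for (i = 1; i < NF; i++) if ($i == "key") key = $(i + 1)
        printf "WARN\t%s\t%s\tweak-digest-signature\n", repo, key
        next
    }
    /No Hash entry in Release file/ {
        # $5 is the URL apt refused to use: no strong checksum listed.
        printf "FAIL\t%s\t-\tno-strong-hash\n", $5
    }'
}

# Distinct signing keys whose repositories need to be re-signed upstream.
weak_keys() {
    triage_apt_warnings | awk -F "\t" '$1 == "WARN" { print $3 }' | sort -u
}

# Sample input: three lines taken from the apt output quoted in this thread.
sample_apt_output() {
    cat <<'EOF'
W: gpgv:/var/lib/apt/lists/linux.dropbox.com_debian_dists_jessie_Release.gpg: The repository is insufficiently signed by key 1C61A2656FB57B7E4DE0F4C1FC918B335044912E (weak digest)
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
W: Failed to fetch http://dl.google.com/linux/musicmanager/deb/dists/stable/Release  No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release, which is considered strong enough for security purposes
EOF
}

sample_apt_output | triage_apt_warnings
```

On a live system the same filter can read the real output, for example `apt-get update 2>&1 | triage_apt_warnings`.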

Innovate
Posts: 188
Joined: 2015-12-27 01:28

Re: Google's certificates insufficient

#3 Post by Innovate »

Hmm? Debian Jessie as well?
I thought it affected just Stretch Testing, Sid channel.

https://wiki.debian.org/Teams/Apt/Sha1Removal

Seems Ubuntu-based systems are affected as well.
https://bugs.launchpad.net/ubuntu/+sour ... ug/1558331

But good news a moment ago. Today they've finally fixed the gpg bug that disappeared whole from software-properties-gtk,
which was affected for more than 3 weeks. Now they've all finally appeared back on my Testing channel.

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: Google's certificates insufficient

#4 Post by sgosnell »

What does "Stretch Testing, Sid channel" mean? You should be running either Testing or Sid, not both. Mixing them will bork your system.
Take my advice, I'm not using it.

Innovate
Posts: 188
Joined: 2015-12-27 01:28

Re: Google's certificates insufficient

#5 Post by Innovate »

sgosnell wrote: What does "Stretch Testing, Sid channel" mean? You should be running either Testing or Sid, not both. Mixing them will bork your system.

What are you talking about?

I run Testing on a PC,
and the other one, Sid, on a laptop separately.
Does talking about both always mean I have to use the same partition?
