Owncloud Ubuntu repository weak encryption

nspeaks · September 24, 2016, 6:32am

While running apt-get update command, I got the following notice

W: http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.gpg: Signature by key DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B uses weak digest algorithm (SHA1)

Steps to reproduce

Make sure owncloud repository is added in your sources.
Run sudo apt-get update

Expected behaviour
The update should give no notice whatsoever.

Actual behaviour
Get the above error notice.

Server configuration
Operating system: Ubuntu 16.04
Web server: Apache
Database: MySQL
PHP version: 7.0
ownCloud version (see ownCloud admin page): 9.1.1
Updated from an older ownCloud or fresh install: 9.1.0

tflidd · September 24, 2016, 7:19am

There is a longer issue about this on github:

github.com/owncloud/core

'apt-get update' complains about a weak digest

opened 10:36PM - 26 Mar 16 UTC

closed 11:00AM - 06 May 16 UTC

ooneed

packaging

recently debian updated the apt\* tools to warn about repositories using SHA1. Y…ou should update your gpg settings to use a newer hash function (see e.g. https://askubuntu.com/questions/750133/how-can-i-fix-w-the-repository-is-insufficiently-signed-by-the-key, and https://wiki.debian.org/Teams/Apt/Sha1Removal) so that the owncloud installation will work with future debian stable systems. ### Steps to reproduce 1. on a debian testing/unstable system, have an entry like the following in /etc/apt/sources.list: deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ / 2. run 'apt-get update' ### Expected behaviour apt-get should download the files from the repository without complaining ### Actual behaviour apt-get gives a warning: W: gpgv:/var/lib/apt/lists/download.owncloud.org_download_repositories_stable_Debian%5f8.0_Release.gpg: The repository is insufficiently signed by key BCECA90325B072AB1245F739AB7C32C35180350A (weak digest)