[MXS-1394] Use new hash algorithm to sign Ubuntu/Debian repositories

Created: 2017-09-06  Updated: 2020-08-25  Resolved: 2017-11-21

Status: Closed
Project: MariaDB MaxScale
Component/s: build
Affects Version/s: None
Fix Version/s: 2.1.10, 2.2.1

Type: Task Priority: Major
Reporter: Kolbe Kegel (Inactive) Assignee: Timofey Turenko
Resolution: Fixed Votes: 0
Labels: None

Sprint: 2017-44, 2017-45

Description

Ubuntu xenial and Debian stretch expect a stronger signing key for apt repositories:

W: GPG error: http://downloads.mariadb.com/MaxScale/2.1/debian stretch Release: The following signatures were invalid: 13CFDE6DD9EE9784F41AF0F670E4618A8167EE24
W: The repository 'http://downloads.mariadb.com/MaxScale/2.1/debian stretch Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

See https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/ for more information.

This should be taken care of ASAP, for the next minor release(s) of MaxScale; please don't wait for the next major release.


Comments
Comment by Kolbe Kegel (Inactive) [ 2017-09-06 ]

Oops, this is not about using a new key, rather it's about using a newer hash algorithm to sign the repositories. I think this was enough to get reprepro to use the correct hashing algorithm:

$ cat >> ~/.gnupg/gpg.conf << EOF
# Prefer better digests for signing.
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
EOF

If you're using something other than reprepro, you might need to do something else ...

I tested the repository generated this way on Debian 7 (wheezy) as well as Debian 9 (stretch), so it works even with older OSs.
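A client-side check for the problem this ticket reports: read which digest algorithm a repository's Release.gpg (or InRelease) signature was actually made with, so a mirror still signed with SHA-1 can be spotted before apt refuses it. This is an added example, not code from the ticket or from the MaxScale build scripts; it parses only the OpenPGP packet framing (RFC 4880) needed to reach the hash-algorithm byte of each signature packet, and the signature blobs it runs on are constructed inline rather than taken from a real repository. The set of digests flagged as weak (MD5, SHA-1, RIPEMD-160) is an assumption of the example; the exact cut-off depends on the apt version.

```python
import base64

# OpenPGP hash-algorithm IDs (RFC 4880 section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Assumption for this example: treat the 128/160-bit digests as weak.
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}
SIGNATURE_TAG = 2


def dearmor(text):
    """Return the binary packet stream inside an ASCII-armored signature.
    Works for Release.gpg (detached) and InRelease (clearsigned): in both,
    the packets follow the '-----BEGIN PGP SIGNATURE-----' line."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines)
                     if l.startswith("-----BEGIN PGP SIGNATURE-----"))
    except StopIteration:
        raise ValueError("no PGP signature block found")
    body, in_body = [], False
    for line in lines[start + 1:]:
        if line.startswith("-----END PGP SIGNATURE-----"):
            break
        if not in_body:            # armor headers run until the first blank line
            in_body = line.strip() == ""
            continue
        if line.startswith("="):   # CRC24 line, not part of the packet data
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:                      # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = int.from_bytes(data[i + 1:i + 3], "big"), 3
            elif ltype == 2:
                length, hdr = int.from_bytes(data[i + 1:i + 5], "big"), 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def signature_hash_algo(body):
    """Name of the digest a signature packet was made with (v3 and v4 layouts)."""
    version = body[0]
    if version in (4, 5):
        algo_id = body[3]          # version, sig type, pk algo, hash algo
    elif version == 3:
        algo_id = body[16]         # v3: hash algo follows the 8-byte key ID and pk algo
    else:
        raise ValueError(f"unsupported signature version {version}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")


def audit_signature(armored_text):
    """Return (all digests used, the subset considered weak)."""
    algos = [signature_hash_algo(body)
             for tag, body in iter_packets(dearmor(armored_text))
             if tag == SIGNATURE_TAG]
    return algos, [a for a in algos if a in WEAK_HASHES]


# --- constructed test data: a minimal, syntactically valid v4 signature packet ---
def build_v4_signature(hash_algo_id, new_format=True):
    body = (bytes([4, 0x00, 1, hash_algo_id])   # version, binary sig, RSA, digest
            + b"\x00\x00" + b"\x00\x00"         # empty hashed/unhashed subpackets
            + b"\x00\x00"                       # left 16 bits of the hash
            + b"\x00\x01\x01")                  # one 1-bit MPI (placeholder)
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


def armor(packets):
    b64 = base64.b64encode(packets).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    for label, blob in (("sha1-signed", build_v4_signature(2)),
                        ("sha512-signed", build_v4_signature(10))):
        print(label, audit_signature(armor(blob)))
```

On a real mirror, feed the text of Release.gpg or InRelease to audit_signature; the same information is visible with gpg --list-packets, which prints the "digest algo" field for each signature packet (10 is SHA512, 2 is SHA1). A repository re-signed after applying the gpg.conf change above should report only the SHA-2 family.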

Generated at Thu Feb 08 04:06:24 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.