[SERVER-23397] SHA1 warning for Debian Release file signature
Created: 29/Mar/16  Updated: 13/Aug/16  Resolved: 09/Aug/16

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Packaging |
| Affects Version/s: | None |
| Fix Version/s: | 3.3.11 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Kevin Locke |
| Assignee: | Sam Kleinman (Inactive) |
| Resolution: | Done |
| Votes: | 2 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Follow the instructions at https://docs.mongodb.org/master/tutorial/install-mongodb-on-debian/. Step 3, running apt-get update, produces the warning. |
| Sprint: | Build 2016-08-26 |
| Participants: | |
| Description |

The use of SHA1 for Debian repository Release files is deprecated with plans for removal and began causing the following warning in APT 1.2.7:

Although the issue only affects upcoming Debian and Ubuntu releases that are not officially supported, it would be great for users and developers on these systems if you would consider updating your repository to include stronger hashes. Thanks,
| Comments |
| Comment by Sam Kleinman (Inactive) [ 09/Aug/16 ] |

Sorry for the delay on updates here. After digging into this further, I've made a change to our signing infrastructure that will force us to use SHA256 hashes when we sign these artifacts. The new signing protocol will impact the repositories as soon as new packages are published during the next release(s) across all branches. Expect to see this fixed during the release of 3.2.9 and 3.3.11. Cheers,
| Comment by Max Polk [ 20/Jul/16 ] |

It's officially broken now, this warning just went live: "I plan to enforce SHA2 for GPG signatures some time after the release of xenial, and definitely for Ubuntu 16.10, so around June-August (possibly during DebConf)."

Install mongodb-org 3.2.8 onto Linux Mint 18 Sarah, which is based on Ubuntu 16.04 LTS (Xenial Xerus), by creating /etc/apt/sources.list.d containing:

    deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse

While trying to update the package list using apt update, I receive an error:

    W: http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.2/Release.gpg: Signature by key 42F3E95A2C4F08279C4960ADD68FA50FEA312927 uses weak digest algorithm (SHA1)
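To check which digest algorithm the signatures in a Release.gpg actually carry, here is an added example (not from the ticket or from MongoDB's repository tooling): a minimal RFC 4880 packet walker that reads a binary detached signature, the form Release.gpg takes, and names the hash algorithm of each signature packet, so a repository owner can confirm the warning above is gone after re-signing. The sample bytes are constructed; on a real file, `gpg --list-packets Release.gpg` shows the same field as `digest algo`.

```python
# RFC 4880 hash algorithm ids; APT 1.2.7+ warns on the first three.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet (old- or new-format header)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                              # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            else:
                raise ValueError("4-byte and partial body lengths not supported")
        else:                                       # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                       # 1, 2 or 4 length bytes
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def signature_digests(data):
    """Digest algorithm name of every signature packet (tag 2) in the blob."""
    names = []
    for tag, body in iter_packets(data):
        if tag == 2:
            # v4: version, sig type, pubkey algo, hash algo; v3 keeps it at byte 16
            algo_id = body[3] if body[0] == 4 else body[16]
            names.append(HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id))
    return names

def weak_signatures(data):
    """Signatures a current APT would warn about, like the SHA1 one in the ticket."""
    return [n for n in signature_digests(data) if n in WEAK]

def _fake_sig(hash_algo):
    # Constructed v4 RSA signature: empty subpacket areas, dummy left-16 digest
    # bits, a one-byte MPI, old-format header 0x88 (tag 2, 1-byte length).
    body = bytes([4, 0, 1, hash_algo]) + b"\x00\x00\x00\x00\xab\xcd\x00\x01\x01"
    return bytes([0x88, len(body)]) + body

SAMPLE_RELEASE_GPG = _fake_sig(2) + _fake_sig(8)  # constructed: two signers, one still on SHA1
```

Run against a real file with `weak_signatures(open("Release.gpg", "rb").read())`; an empty list means every signer has moved off SHA1.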
| Comment by Sorin Sbarnea [ 19/Jun/16 ] |

Is anyone going to fix this issue? Because this was ignored for a long time, it means that you cannot really install mongodb on Ubuntu 16.04 LTS — which really sucks. This is not the kind of problem that can be fixed with a PR, and as far as I know there is no workaround.
| Comment by Kevin Locke [ 29/Mar/16 ] |

Good to know. Thanks for looking into the issue so quickly! Let me know if there's anything else I can do to assist or test.
| Comment by Ernie Hershey [ 29/Mar/16 ] |

I believe this will involve upgrading apt and/or dpkg tools on our Debian and Ubuntu builders and/or the repo publishing server. From the same blog - https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/ -