[SERVER-23397] SHA1 warning for Debian Release file signature Created: 29/Mar/16  Updated: 13/Aug/16  Resolved: 09/Aug/16

Status: Closed
Project: Core Server
Component/s: Packaging
Affects Version/s: None
Fix Version/s: 3.3.11

Type: Bug Priority: Major - P3
Reporter: Kevin Locke Assignee: Sam Kleinman (Inactive)
Resolution: Done Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Follow the instructions at https://docs.mongodb.org/master/tutorial/install-mongodb-on-debian/; step 3, running apt-get update, produces the warning.

Sprint: Build 2016-08-26
Participants:

Description

The use of SHA1 for Debian repository Release files is deprecated with plans for removal and began causing the following warning in APT 1.2.7:

W: gpgv:/var/lib/apt/lists/repo.mongodb.org_apt_debian_dists_wheezy_mongodb-org_3.0_Release.gpg: The repository is insufficiently signed by key 492EAFE8CD016A07919F1D2B9ECBEC467F0CEB10 (weak digest)

Although the issue only affects upcoming Debian and Ubuntu releases that are not officially supported, it would be great for users and developers on these systems if you would consider updating your repository to include stronger hashes.

Thanks,
Kevin



Comments
Comment by Sam Kleinman (Inactive) [ 09/Aug/16 ]

Sorry for the delay on updates here. After digging into this further, I've made a change to our signing infrastructure that will force us to use SHA256 hashes when we sign these artifacts.

The new signing protocol will impact the repositories as soon as new packages are published during the next release(s) across all branches. Expect to see this fixed during the release of 3.2.9 and 3.3.11.

Cheers,
sam

Comment by Max Polk [ 20/Jul/16 ]

It's officially broken now; this warning just went live: "I plan to enforce SHA2 for GPG signatures some time after the release of xenial, and definitely for Ubuntu 16.10, so around June-August (possibly during DebConf)."

Install mongodb-org 3.2.8 onto Linux Mint 18 Sarah, which is based on Ubuntu 16.04 LTS (Xenial Xerus), by creating /etc/apt/sources.list.d containing:

deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse

While trying to update the package list using apt update, I receive an error:

W: http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.2/Release.gpg: Signature by key 42F3E95A2C4F08279C4960ADD68FA50FEA312927 uses weak digest algorithm (SHA1)

Comment by Sorin Sbarnea [ 19/Jun/16 ]

Is anyone going to fix this issue? Because this was ignored for a long time, it means that you cannot really install mongodb on Ubuntu 16.04 LTS — which really sucks.

This is not the kind of problem that can be fixed with a PR, and as far as I know there is no workaround.

Comment by Kevin Locke [ 29/Mar/16 ]

Good to know. Thanks for looking into the issue so quickly! Let me know if there's anything else I can do to assist or test.

Comment by Ernie Hershey [ 29/Mar/16 ]

I believe this will involve upgrading apt and/or dpkg tools on our Debian and Ubuntu builders and/or the repo publishing server.

From the same blog - https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/ -

Also note that SHA1 support is not dropped, we merely do not consider it trustworthy. This means that it feels like SHA1 support is dropped, because sources without SHA2 won’t work; but the SHA1 signatures will still be used in addition to the SHA2 ones, so there’s no point removing them (same for MD5Sum fields).
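The two conditions discussed in this ticket (the Release.gpg signature being made with a SHA1 digest, and the Release file carrying no SHA2 hash section) can both be checked offline before APT complains. The following is an added example, not code from MongoDB or from the ticket: it reads the hash-algorithm byte out of an OpenPGP signature packet (RFC 4880 layout, versions 3 and 4, old and new packet headers) and scans a Release file for its digest sections. The sample signature bytes and Release text are constructed inline for the test; the packet builder exists only to produce those samples.

```python
"""Audit APT Release metadata for weak digests (SHA1/MD5) - added example."""
import re

# OpenPGP hash algorithm IDs, RFC 4880 section 9.4
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}


def parse_packet_header(data):
    """Return (tag, body_offset, body_len) for the first OpenPGP packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag, first_len = first & 0x3F, data[1]
        if first_len < 192:
            return tag, 2, first_len
        if first_len < 224:
            return tag, 3, ((first_len - 192) << 8) + data[2] + 192
        if first_len == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate length not supported")


def signature_hash_algorithm(sig):
    """Name of the digest used by a binary OpenPGP signature (e.g. Release.gpg)."""
    tag, off, _ = parse_packet_header(sig)
    if tag != 2:
        raise ValueError("not a signature packet (tag %d)" % tag)
    body = sig[off:]
    version = body[0]
    if version == 4:      # version, sig type, pubkey algo, hash algo
        algo_id = body[3]
    elif version == 3:    # version, len=5, sig type, 4-byte time, 8-byte key id, pk algo, hash algo
        algo_id = body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id)


def release_digest_sections(release_text):
    """Digest section names (MD5Sum, SHA1, SHA256, ...) present in a Release file."""
    return set(re.findall(r"^(MD5Sum|SHA1|SHA256|SHA512):\s*$", release_text, re.M))


def audit(release_text, release_gpg):
    """Return a list of findings; empty means the repo satisfies APT >= 1.2.7's SHA2 rule."""
    findings = []
    if not release_digest_sections(release_text) & {"SHA256", "SHA512"}:
        findings.append("Release file has no SHA2 digest section; APT will treat it as untrusted")
    algo = signature_hash_algorithm(release_gpg)
    if algo in WEAK_HASHES:
        findings.append("Release.gpg signature uses weak digest algorithm (%s)" % algo)
    return findings


def make_v4_signature(hash_algo_id, new_format=False):
    """Build a structurally valid (not cryptographically valid) v4 signature packet for tests."""
    hashed_sub = b"\x05\x02\x57\x00\x00\x00"          # creation-time subpacket, dummy time
    body = (bytes([4, 0, 1, hash_algo_id])              # v4, binary doc, RSA, hash algo
            + len(hashed_sub).to_bytes(2, "big") + hashed_sub
            + b"\x00\x00"                               # no unhashed subpackets
            + b"\xab\xcd"                               # left 16 bits of the hash
            + b"\x00\x08\x42")                          # one dummy 8-bit MPI
    if new_format:
        return bytes([0xC0 | 2, len(body)]) + body
    return bytes([0x80 | (2 << 2) | 1]) + len(body).to_bytes(2, "big") + body


# Constructed samples: the digests are of the empty string, the layout mirrors a Release file.
RELEASE_SHA1_ONLY = ("Origin: example\nSuite: wheezy\nMD5Sum:\n"
                     " d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages\nSHA1:\n"
                     " da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages\n")
RELEASE_WITH_SHA256 = (RELEASE_SHA1_ONLY + "SHA256:\n"
                       " e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
                       " 0 main/binary-amd64/Packages\n")
SIG_SHA1 = make_v4_signature(2)
SIG_SHA256 = make_v4_signature(8, new_format=True)

if __name__ == "__main__":
    for label, rel, sig in (("weak", RELEASE_SHA1_ONLY, SIG_SHA1),
                            ("fixed", RELEASE_WITH_SHA256, SIG_SHA256)):
        print(label, audit(rel, sig) or "no findings")
```

On a real system the inputs are the files APT already downloaded, for example the `*_Release` and `*_Release.gpg` pairs under /var/lib/apt/lists/ mentioned in the warning above; `audit(open(rel).read(), open(gpg, "rb").read())` reports the same two conditions the warning text describes, before the next apt-get update does.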
