INTERACT FORUM

More => Old Versions => JRiver Media Center 21 for Linux => Topic started by: Awesome Donkey on March 23, 2016, 10:46:00 am

Title: The repository is insufficiently signed by key (weak digest)
Post by: Awesome Donkey on March 23, 2016, 10:46:00 am

Adding the GPG key and repository in Ubuntu 16.04 and updating the package list results in an error...

Code: [Select]

W: gpgv:/var/lib/apt/lists/dist.jriver.com_latest_mediacenter_dists_jessie_InRelease: The repository is insufficiently signed by key AFCABAC2C6F16C0E1F2D9707C30B25C6077765D5 (weak digest)
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1558331
https://wiki.debian.org/Teams/Apt/Sha1Removal

This is likely because of the depreciation of SHA-1 and the GPG key appears to only be SHA-1 and it'll require SHA-256. I'm not sure if the packages are SHA-1 signed or not, if they are they'll need to be SHA-256 signed too. It was bound to happen sooner or later. Even Google's Chrome repository is half-broken right now because of this.

Manually updating via dpkg still works, but right now the repository is half-broken on Ubuntu 16.04 because of this.

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: geier22 on March 31, 2016, 01:04:07 am

I got the same error in Debian stretch:

Code: [Select]

W: gpgv:/var/lib/apt/lists/dist.jriver.com_latest_mediacenter_dists_jessie_InRelease: The repository is insufficiently signed by key AFCABAC2C6F16C0E1F2D9707C30B25C6077765D5 (weak digest)


Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: bob on March 31, 2016, 04:58:40 pm

Sigh.

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: Awesome Donkey on March 31, 2016, 05:12:48 pm

Quote from: bob on March 31, 2016, 04:58:40 pm

Sigh.

That's exactly what I thought the response to be. ;)

It's a bummer though that they're starting to enforce it.

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: Hendrik on April 01, 2016, 06:11:39 am

Quote from: Awesome Donkey on March 31, 2016, 05:12:48 pm

It's a bummer though that they're starting to enforce it.

Did it even warn before, or did it really go from nothing to broken?

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: Awesome Donkey on April 01, 2016, 07:29:04 am

Nothing to broken.

Ubuntu 15.10 works fine, whereas upgrading to Ubuntu 16.04 LTS was broken. It surprised me too, but when I did some searching and found that it's affecting Chrome's repo too.

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: Awesome Donkey on April 01, 2016, 08:06:30 am

It was due to an update to APT.

https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: bob on April 05, 2016, 12:57:11 pm

That is just a warning though. It still installs MC properly (I tried from a fresh 16.04 AMD64 install).

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: Awesome Donkey on April 29, 2016, 09:26:07 pm

Heads up Mint users, it looks like the APT update is pushed out to Linux Mint 17.x, so expect seeing this error when updating!

Title: Re: The repository is insufficiently signed by key (weak digest)
Post by: astromo on April 29, 2016, 10:03:13 pm

Quote from: bob on April 05, 2016, 12:57:11 pm

That is just a warning though. It still installs MC properly (I tried from a fresh 16.04 AMD64 install).

I concur. Did the same to QNAP VM runing Ubuntu 16.04 with the AMD64. Saw the warning but the install completed without issue and MC fired up and loaded the registration file successfully.

It would appear that the term "error" in this context is a bit strong unless there's contrary experience to hand.