139

I started setting up by adding repositories and then went to run a sudo apt-get update again before I started installing other software, and I get the Signature key lines and it stops. So it essentially won't let me update any packages now.

d@EliteBook:~/Downloads$ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable Release
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease
Get:5 http://ca.archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Hit:6 http://ca.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://ca.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 247 kB in 0s (256 kB/s)
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
d@EliteBook:~/Downloads$

I've never seen this before whenever I setup and start installing things in Ubuntu. Is there something else I can do?

7
  • 2
    Having the exact same problem. I guess it can only be fixed on Google's side, or maybe allow checking for updates in repositories with "weak security algorithms", but I don't know how and it would likely be a security risk. As stated in this blog, the move was from upstream in Debian unstable and Canonical included it because: > Xenial (Ubuntu 16.04 LTS) will be supported for 5 years, and the landscape may change a lot in the next 5 years. By the way, there is a bug filed in Launchpad [here](bugs.launchpad.net/ubuntu Commented Apr 22, 2016 at 22:44
  • Not only with Google, I have the same problem with Samsung drivers and Virtualbox... Commented Apr 24, 2016 at 19:20
  • 1
    As a temporary workaround, for almost all intents and purposes, you may try and install the mostly identical chromium-browser. Since it comes from the Canonical repos, it shouldn't have this issue. Commented Apr 25, 2016 at 1:58
  • Where is the appropriate place to report this back to Google to fix the issue with their Google Chrome repository? Commented Apr 26, 2016 at 5:28
  • @arielf Ya, I ended up doing that while waiting for a fix from Google, as that seems to be the only thing that can be done from my searching around forums. Commented Apr 26, 2016 at 6:38

5 Answers

66

The problem with the Google source is on Google's end, but apt-get is just reporting the issue as a warning. This issue does not stop you from upgrading packages.

You are using apt-get and what you are seeing is the normal behavior after running update: it performs the update but does not provide additional information.

You need to follow sudo apt-get update with sudo apt-get upgrade to see if any package upgrades are available.

The newer sudo apt update (notice it's just apt) does provide feedback about the results.

By using apt, you will either see a message that

All packages are up to date 

or

The following packages will be upgraded: 

Also see apt list --upgradeable.

7
  • 1
    Oh, I didn't know about the newer sudo apt update, thank you I'll try that. And I guess I just thought it didn't work at all was cause the last lines were the Signature lines and it just stopped after that so I assumed it wasn't updating. So that is just a warning for that issue, but continues without interfering with other updates? Commented Apr 25, 2016 at 7:56
  • 1
    @dlchang That's correct. :) Commented Apr 25, 2016 at 15:13
  • Chrome is the IE of the next decade... anyway, this is not true about "All packages are up to date" with apt, I get the exact same warnings. Chrome has had so many issues like this in the last few months, its amazing linux users even use it (I have to for webdev, unfortunately). Commented May 18, 2016 at 15:21
  • 3
    @Todd You will still get the warnings as the Google repository is still signed with an SHA1 key, which is deprecated. The reason for this is because SHA1 has been found to have collisions that decrease its effective strength, weakening its security to an unacceptable degree. It's the same reason why browsers, including ironically Chrome itself, will complain about SSL certificates using SHA1. The effective strength is only around 2^60-2^70 operations or so now, not good enough when considering a 20+ TFLOPS GPU compute machine is cheap enough. Commented May 24, 2016 at 2:48
  • apt does not work for me as you explain. It says 7 packages can be upgraded. Run 'apt list --upgradable' to see them. Commented Aug 18, 2016 at 5:20
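To make the warning-versus-error distinction in this answer concrete, here is an added example (not code from the answer, from apt, or from any of the commenters) that splits `apt-get update` output into progress lines, `W:` warnings and `E:` errors, and pulls the key fingerprint and digest name out of the weak-digest warning. The sample output is constructed to mirror the question's transcript; the fingerprint is the one shown there.

```python
"""Classify apt-get update output: W: lines are non-fatal, E: lines are not.

Added example, not from the question, the answer or apt itself. SAMPLE_OUTPUT
is constructed to match the shape of the question's transcript.
"""
import re

# The shape of the warning in the question; apt prints one per affected Release.gpg.
WEAK_DIGEST_RE = re.compile(
    r"^W: (?P<url>\S+): Signature by key (?P<key>[0-9A-F]{40}) "
    r"uses weak digest algorithm \((?P<algo>[^)]+)\)$"
)

SAMPLE_OUTPUT = """\
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable Release
Get:5 http://ca.archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Fetched 247 kB in 0s (256 kB/s)
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
"""


def classify(output):
    """Return progress lines, warnings, errors, and parsed weak-digest warnings."""
    result = {"progress": [], "warnings": [], "errors": [], "weak_digest": []}
    for line in output.splitlines():
        if line.startswith("E: "):
            result["errors"].append(line[3:])
        elif line.startswith("W: "):
            result["warnings"].append(line[3:])
            match = WEAK_DIGEST_RE.match(line)
            if match:
                result["weak_digest"].append(match.groupdict())
        elif line.strip():
            result["progress"].append(line)
    return result


def update_succeeded(output):
    """Only E: lines mean the index refresh failed; W: lines leave the refreshed
    indexes usable, which is why `apt-get upgrade` still works after the warning."""
    return not classify(output)["errors"]
```

Feed it the real output (`sudo apt-get update 2>&1`) and look at `weak_digest` to see exactly which repository and key are affected, instead of assuming the whole update failed because the warning was the last thing printed.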
35

Debian and Ubuntu enforce SHA256 or higher entries in the Release and/or Packages files since March. Repositories missing these need to be fixed by their owners.

There is an overview of broken repositories in the Debian wiki.

23

As @chaskes says this is a problem with the repository not with your computer.

@webwurst has good links to the underlying problem. There's also a clarification about the signatures.

If you are hosting a repository which is giving these errors, the solution is to change the default cert-digest-algo to SHA256. By default, gnupg uses SHA1.

After you fix this issue, the next warning will be that the signature "uses weak digest algorithm (SHA1)". To fix that, you can set digest-algo to SHA256 as well.

These values go on the repository server in the gpg.conf which the repository is using.

The short hand is to append

cert-digest-algo SHA256
digest-algo SHA256

to your ~/.gnupg/gpg.conf file.

Our project has it ticketed here which should have an example of how to fix it for our deployment mechanism.
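Both repository-side points above, webwurst's (the Release file must carry SHA256 entries for every index it lists) and this answer's (the detached signature itself must be made with a strong digest), can be checked offline before apt complains. The following is an added example, not code from the answers or from any repository owner; it uses only the Python standard library. The Release text, the digests in it (placeholders: the SHA1 and SHA256 of the empty string) and the signature packets are constructed for illustration and are not from Google's repository.

```python
"""Audit an apt repository's Release file and detached Release.gpg signature for
two problems: index files listed without a SHA256 entry, and a signature made
with a weak digest algorithm. Added example, standard library only; all sample
data below is constructed for illustration."""
import base64

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",  # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
STRONG = {"SHA256", "SHA384", "SHA512"}
SECTIONS = ("MD5Sum", "SHA1", "SHA256", "SHA512")


def parse_release(text):
    """Map each checksum section of a Release file to {path: digest}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):            # field line; checksum sections end in ":"
            name = line.rstrip()[:-1] if line.rstrip().endswith(":") else None
            current = sections.setdefault(name, {}) if name in SECTIONS else None
        elif current is not None:
            parts = line.split()                # " <digest> <size> <path>"
            if len(parts) == 3:
                current[parts[2]] = parts[0]
    return sections


def files_without_sha256(text):
    """Index files present only under MD5Sum/SHA1; apt treats these as unverifiable."""
    s = parse_release(text)
    strong = set(s.get("SHA256", {})) | set(s.get("SHA512", {}))
    weak = set(s.get("MD5Sum", {})) | set(s.get("SHA1", {}))
    return sorted(weak - strong)


def dearmor(data):
    """Packet bytes from an ASCII-armored signature; binary input passes through."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii").splitlines()[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:                         # armor headers end at the first blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):          # "=XXXX" is the CRC24 line, not data
            body.append(line)
    return base64.b64decode("".join(body))


def armor(packet):
    """Wrap packet bytes like `gpg --armor`, minus the CRC line dearmor() skips."""
    return (b"-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet)
            + b"\n-----END PGP SIGNATURE-----\n")


def signature_hash_algo(packet):
    """Name the hash algorithm recorded in the first OpenPGP signature packet."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                              # new-format header: tag in low 6 bits
        tag, first = ctb & 0x3F, packet[1]
        if 224 <= first < 255:
            raise ValueError("partial body lengths not supported")
        skip = 2 if first < 192 else 3 if first < 224 else 6
    else:                                       # old-format header: tag in bits 2-5
        tag, skip = (ctb >> 2) & 0x0F, 1 + (1, 2, 4, 0)[ctb & 0x03]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packet[skip:]
    if body[0] == 4:        # v4: version, sig type, pubkey algo, hash algo
        algo_id = body[3]
    elif body[0] == 3:      # v3: version, 5, sig type, time[4], key id[8], pubkey algo, hash algo
        algo_id = body[16]
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")


def audit(release_text, signature_data):
    """Both checks in one report; signature_ok mirrors apt's weak-digest test."""
    algo = signature_hash_algo(dearmor(signature_data))
    return {"signature_digest": algo, "signature_ok": algo in STRONG,
            "missing_sha256": files_without_sha256(release_text)}


# Constructed Release file: the i386 index is listed under SHA1 only. The digests
# are placeholders (SHA1/SHA256 of the empty string), not real index hashes.
SAMPLE_RELEASE = """\
Origin: Example
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709     1234 main/binary-amd64/Packages
 da39a3ee5e6b4b0d3255bfef95601890afd80709      567 main/binary-i386/Packages
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855     1234 main/binary-amd64/Packages
"""
# Constructed v4 signature packets (old-format header 0x89 = tag 2, two-byte
# length), cut off after the hash-algorithm byte, so not verifiable signatures.
WEAK_SIG = b"\x89\x00\x04" + bytes([4, 0x00, 1, 2])    # RSA, hash algo 2 = SHA1
STRONG_SIG = b"\x89\x00\x04" + bytes([4, 0x00, 1, 8])  # RSA, hash algo 8 = SHA256
```

Against a real mirror you would pass the downloaded `dists/<suite>/Release` text and the bytes of `Release.gpg` (or the body of `InRelease`) to `audit()`; `gpg --list-packets Release.gpg` shows the same `digest algo` byte this parser reads, so the two can be cross-checked. A signature made after adding `digest-algo SHA256` to gpg.conf reports `SHA256` here; one made with the old default reports `SHA1`, which is exactly the apt warning in the question.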

4

To avoid this error, you can remove the repository.

Please note that removing the repository will prevent Chrome from getting any updates, including important security updates!
This will make your browser vulnerable to an increasing number of threats over time!

If you really want to entirely remove or disable the repository, you should consider uninstalling Chrome and moving on to a different browser, like its open-source variant chromium.

This note was added by ByteCommander.

At first search for Software and Updates in the Dash. Open it and switch to the Other Software tab.

In there look for an entry like this one:

http://dl.google.com/linux/earth/deb/dists/stable/ 


and remove it.

Finally go to the Authentication tab and you will find something mentioning "Google", remove that too.

It should stop showing that annoying error message every time you try to update your repositories now.

2
  • 13
    This would also stop future updates to Google Chrome, which is probably not what the OP wants. Commented Jun 14, 2016 at 9:42
  • Note: The chrome ppa has now been fixed. Commented Jul 19, 2016 at 5:47
1

Ubuntu's apt package manager considers RSA keys smaller than 2048 bits (like rsa1024) insecure due to updated cryptographic policies.

Many PPAs are in the process of being updated to RSA 4096-bit keys by maintainers. If you trust the PPA, you can temporarily ignore the warning until it is fixed. No action is required from you in this case.

You can also suppress the warning while still using the PPA:

Open a terminal and create a configuration file:

sudo nano /etc/apt/apt.conf.d/99weakkey-warning 

Add this line to allow rsa1024:

APT::Key::Assert-Pubkey-Algo ">=rsa1024"; 

Save and exit. Then, update apt:

sudo apt update 

This lowers the security threshold temporarily. Revert the change once the key is upgraded by deleting the file:

sudo rm /etc/apt/apt.conf.d/99weakkey-warning 
