Client: Repo: Weak digest & Invalid signatures

Created on 13 Jul 2016  ·  62Comments  ·  Source: owncloud/client

open-suse-repo on ubuntu 16.04 packet manager (apt-get) shows this error:

W: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/Release.gpg: Signature by key F9EA4996747310AE79474F44977C43A8BA684223 uses weak digest algorithm (SHA1)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release: The following signatures were invalid: KEYEXPIRED 1466936818

All 62 comments

We currently have 1024DSA which is weak. Ubuntu 16.04 wants to see at least 2048 RSA.

osc signkey --create isv:owncloud
can be used to create a new key. Default key with recent osc is RSA 2048.
This will be a new key, all users will need to accept the new key when we roll that out.

Expired key may be a different issue. Investigating.

Hi,
Same problem of key expired with linux mint 17.3 (ubuntu 14.04 based)
Error is (in French)

W: Une erreur s'est produite lors du contrôle de la signature. Le dépôt n'est pas mis à jour et les fichiers d'index précédents seront utilisés. Erreur de GPG : http://download.opensuse.org  Release : Les signatures suivantes ne sont pas valables : KEYEXPIRED 1466936818

W: Impossible de récupérer http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/Release

Expired key may be a different issue. Investigating.

@jnweiger : I found out how to fix the expired key. You can update the keys, first check the expired keys:

apt-key list | grep expired
pub   1024D/BA684223 2012-02-08 [expired: 2016-06-26]

Now update the key from a keyserver:
apt-key adv --recv-keys --keyserver keys.gnupg.net BA684223

Then it downloads new signatures and the expired-key warning disappears.

Two things to solve:

@tflidd osc signkeys --create isv:owncloud should do that.. it is up to the obs to create proper release keys..

We can do that ourselves. question: will this result in key change warnings, vendor change errors or other nasty issues, when we do that?

Regarding the expired aspect: The key was already extended in 2015.
wget -nv httpse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/Release.key -O - | gpg -vv |& grep -B5 expire

:signature packet: algo 17, keyid 977C43A8BA684223
    version 4, created 1423491668, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 29 39
    hashed subpkt 2 len 4 (sig created 2015-02-09)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 5y72d4h15m)

2015-02-09 + 5y72d4h15m would be very far in the future. Compare apt-key:

apt-key list | grep BA684223

pub   1024D/BA684223 2012-02-08 [expires: 2017-04-19]

My understanding now is:

  • Signature packets describe if and how a key is valid.
  • This key was created in 2012. It has a signature packet that was created in 2015 and has a duration of 5y.
  • apt-key uses the key generation timestamp and applies the duration of the signature packet to compute a 2017 expire date.
  • (I would have naively applied the duration of the signature packet to the creation timestamp of the signature packet and got a 2020 expire date... probably wrong)
  • Extending a key in obs is one thing. Sending it to keys.gnupg.net should also be done, to update outdated copies.
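The expiry arithmetic from the comment above, as an added example that is not part of the original thread: in OpenPGP (RFC 4880, section 5.2.3.6) the key expiration subpacket counts from the key's creation time, not from the signature's, which is why apt-key shows 2017 rather than 2020. The same pass also flags the SHA1 digest (`digest algo 2`) that apt warns about. The `:public key packet:` lines and their timestamp are constructed (the page gives only the date 2012-02-08), and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenPGP algorithm identifiers (RFC 4880, sections 9.1 and 9.4).
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
DIGEST_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK_DIGESTS = {"MD5", "SHA1"}  # SHA1 is the digest named in the apt warning on this page

# Signature packet copied from the thread. The ":public key packet:" lines are
# CONSTRUCTED: the page gives only the date 2012-02-08, so noon UTC is assumed.
SAMPLE = """\
:public key packet:
    version 4, algo 17, created 1328702400, expires 0
:signature packet: algo 17, keyid 977C43A8BA684223
    version 4, created 1423491668, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 29 39
    hashed subpkt 2 len 4 (sig created 2015-02-09)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 5y72d4h15m)
"""


def _utc(ts):
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def parse_duration(text):
    """Convert gpg's '5y72d4h15m' notation to a timedelta (gpg counts a year as 365 days)."""
    m = re.fullmatch(r"(\d+)y(\d+)d(\d+)h(\d+)m", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    years, days, hours, minutes = map(int, m.groups())
    return timedelta(days=years * 365 + days, hours=hours, minutes=minutes)


def audit(listing):
    """Parse `gpg --list-packets` style text and report on each signature packet."""
    key_created = None
    sigs = []
    section = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # a new packet begins
            section = "key" if line.startswith(":public key packet:") else None
            m = re.match(r":signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)", line)
            if m:
                section = "sig"
                algo = int(m.group(1))
                sigs.append({
                    "keyid": m.group(2),
                    "pubkey_algo": PUBKEY_ALGOS.get(algo, f"algo {algo}"),
                    "digest": None, "weak_digest": False,
                    "sig_created": None, "valid_for": None,
                })
            continue
        if section == "key" and key_created is None:
            if (m := re.search(r"created (\d+)", line)):
                key_created = _utc(m.group(1))
        elif section == "sig":
            sig = sigs[-1]
            if (m := re.match(r"version \d+, created (\d+)", line)):
                sig["sig_created"] = _utc(m.group(1))
            elif (m := re.match(r"digest algo (\d+)", line)):
                num = int(m.group(1))
                sig["digest"] = DIGEST_ALGOS.get(num, f"algo {num}")
                sig["weak_digest"] = sig["digest"] in WEAK_DIGESTS
            elif (m := re.search(r"\(key expires after (\w+)\)", line)):
                sig["valid_for"] = parse_duration(m.group(1))
    for sig in sigs:
        span = sig["valid_for"]
        have_key = key_created is not None and span is not None
        have_sig = sig["sig_created"] is not None and span is not None
        # Correct rule: the offset is applied to the KEY creation time.
        sig["key_expires"] = key_created + span if have_key else None
        # The naive reading from the thread (offset from signature creation).
        sig["naive_expiry"] = sig["sig_created"] + span if have_sig else None
    return sigs


if __name__ == "__main__":
    for s in audit(SAMPLE):
        print(s["keyid"], s["pubkey_algo"], s["digest"],
              "WEAK" if s["weak_digest"] else "ok",
              "expires", s["key_expires"], "(naive:", s["naive_expiry"], ")")
```
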

Expiration seems to be a non-issue here. Removing the misleading "(Key expired)" from the subject.

@crrodriguez Please evaluate downsides of changing the key and move forward here.
I suggest the following procedure:

  • announce scheduled key change via central.owncloud.org (and mailing lists??)
  • wait a day or two
  • create: osc signkey --create isv:ownCloud
  • test: osc signkey isv:ownCloud | apt-key add -; apt-key list | grep -B1 isv:ownCloud
  • publish: osc signkey isv:ownCloud | gpg --import; gpg --keyserver keys.gnupg.net --send-key NEW_KEY_ID
  • notify users via central.owncloud.org about the new key.

@crrodriguez ping?

@jnweiger My take is.. we do not create new signing keys we just --extend them.. we need to do this only every few years or when something goes horribly wrong.
That said..I have no problem with your suggested course of action. however I think It might be better if we release a package equivalent to debian-archive-keyring.. (let's call it owncloud-archive-keyring) that includes all present or past public keys, we update it before publishing packages with new keys..then there will be no need of manual importing..

@jnweiger @crrodriguez

however I think It might be better if we release a package equivalent to debian-archive-keyring.. (let's call it owncloud-archive-keyring) that includes all present or past public keys, we update it before publishing packages with new keys..then there will be no need of manual importing.

That might help to avoid recurring bugreports like https://github.com/owncloud/client/issues/5156 where people missed that they need to renew keys manually.

@crrodriguez we have two issues mixed up here. One is expiry, the other is weakness.
Extending a key can fix expiry, but afaik it cannot make a weak key stronger. My knowledge about these keys is limited, thus I hesitate replacing the key in hope someone can point out how to make a key stronger, -- possibly via subkeys or similar magic.

What is the effort to create an owncloud-archive-keyring?

Hello all,
I am also seeing two issues in one here: one for the expired and one for the weak algorithm ... :( As I am getting the "weak algorithm" message for Debian Testing as well (and it does not matter, if I use the stable or testing repo for the desktop client), I would like to see this issue to be fixed in the near future to get rid of the message. The server issue with the weak algorithm was fixed months ago ... ;)
Sorry for the inconvenience
Thomas.

@thackert Expired keys can be easily solved if you re-import the already renewed keys from https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client

This is something you need to actively do until something like suggested here is provided: https://github.com/owncloud/client/issues/5055#issuecomment-245185205

@RealRancor It seems you either got me wrong or I have not expressed my concern clearly enough ... :( Either way: I have been seeing this "weak key" message on my system for a longer time, and I want to get it fixed, if possible asap ... ;) But in this bug report there are two different bugs: one for the expired key, one for the weak one (this was also mentioned by @jnweiger on July 13th and 8 days ago). And if you want to start nitpicking, it is also about Ubuntu (as mentioned in @tflidd's first report) and Linux Mint (reported by @psyray on July 14th) and Debian (reported by me). The question for me now is: is this bug about the expired key (where you can use tflidd's instruction from his comment on August 16th to get a new key. But this would not solve the problem with the weak key warning from apt-get ...) or about the weak key to sign the Debian (based) packages with a 1024 bit key instead of a 2048 one? What would be the correct way to handle this? Leave this bug open, but open one for the weak algorithm for all Debian based systems and make it dependent on this bug? Waiting until apt will no longer install any owncloud-client packages because of this weak key (though Julian K. wrote in his blog that this should not happen (see https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/) but what would happen if the Debian people change this in a couple of months / years)? Do you understand my concerns now?
Sorry for the inconvenience
Thomas.

@thackert Yes, the issue here is about "weak key/weak signature". Everything else like the expired key is unrelated to this issue and shouldn't be discussed in here.

If you want to express that you're affected by the "weak key/weak signature" issue you can just use the emoticon icon at the first post and use the thumbs up button. This avoids that the issue gets flooded with comments as the issue is known and just needs to be fixed by some one who knows to fix it. :-)

@crrodriguez
I like the idea of having an owncloud-archive-keyring -- please prepare one. ( I am unclear if this package is then master for the keys and the build service gets them from there somehow, or vice versa. You may know better)

But it does not solve the current issue. We have to upgrade the encryption of an existing key. Nobody came up with a clever idea, (like e.g. adding a subkey - which _should_ be possible, as it works so nicely for extending an expired key ... ). The solution seems to be: discard the existing key and create a fresh one with stronger encryption.

@crrodriguez let's schedule this for Sunday night (2016-09-25): Kill the key of isv:ownCloud:desktop and create a fresh one, if nobody objects until then.

Reproducer Dockerfile for opensuse.org

FROM ubuntu:16.04
RUN apt-get -q -y update
RUN apt-get -q -y install wget
RUN wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/Release.key -O - | apt-key add -
RUN echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop//Ubuntu_16.04/ /' > /etc/apt/sources.list.d/owncloud-client.list
RUN apt-get -q -y update

Reproducer Dockerfile for owncloud.org

FROM ubuntu:16.04
RUN apt-get -q -y update
RUN apt-get -q -y install wget
RUN wget -nv https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key -O - | apt-key add -
RUN echo 'deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /' > /etc/apt/sources.list.d/owncloud-client.list
RUN apt-get -q -y update

(A debian:latest container would not show the error....)

Key publishing

The packages tab at https://owncloud.org/install/#tab-packages links to the key via https:

wget https://owncloud.org/wp-content/themes/owncloudorgnew/assets/files/obs-release-signing.gpg

should have the same key. (or keys?)

Your key is in isv:ownCloud, not in isv:ownCloud:desktop. Please do not create another key in desktop, it will just add more confusion...

You're right. I meant isv:ownCloud, sorry for not double checking.

Who is in charge of this documentation?

It would be nice, to have a description of what (and how) to do from a user perspective, in both of the cases:

  • First install on an ubuntu 16.04 Desktop (normal case)
  • Fix the current problem (replace the key, remove the old key and install the new one or any other thing to do to leave it clean).

My remark is relevant only if a specific manipulation is required in the second case to leave everything shiny (ubuntu 16.04 installs are quite fresh, and users won't want to leave any useless keys on their system).

Moreover, thank you all for your job (we never say it enough)!

@rloutrel The texts at https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client are all autogenerated from build service templates e.g.
https://github.com/openSUSE/software-o-o/blob/master/app/views/download/package.erb
Please file a separate issue to improve these. Thanks!

isv:ownCloud now has a new key:

pub   2048R/557BEFF9 2016-09-25 [verfällt: 2018-12-04]
uid                  isv:ownCloud OBS Project <isv:[email protected]>

This key obsoletes '1024D/BA684223 2012-02-08' of the same uid.
That '2048R' prefix looks stronger. Let's hope that is what Ubuntu-16.04 wants.
Hmm, maybe we now need to rebuild everything, so that the new key is used?

https://software.opensuse.org/download.html?project=isv%3AownCloud%3Acommunity%3Anightly&package=owncloud-client shows the new key already.

Works wonderfully on Ubuntu 16.10. Finally!

@navjotjsingh Patience please...

maybe we also have a new key at our owncloud.org mirrors.. See also owncloud/client#5055 -- If these two keys can be made identical it would be great!

https://github.com/owncloud/owncloud.org/issues/272#issuecomment-249455705

Today it seems the „weak“ message is gone @16.04
→ Thanks a lot! :+1:

(BTW: I use the repo http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/ …)

Thanks!

I had to remove the old one (suggestion done to update the documentation)

Manipulation to remove the old one (for the repository ubuntu_16.04):
sudo apt-key del FC91AE7E

and add the new one (like already documented in the official documentation)

I have made an attempt to restore the signing key of our internal obs for the ce project tree.
Now we have

curl http://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key | gpg -
 pub  2048R/479BC94B 2013-08-26 ownCloud build service 

That 2048R looks good to me, but Debian still complains. :-(

Hi,

I am using:
http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/

Removed the old keys using _sudo apt-key del_ and got the new key using:

wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
apt-key add - < Release.key

My owncloud.list has:
deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /

When I try to get update. Still error:

Ign:6 http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04  InRelease
Hit:7 http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04  Release
Fetched 187 kB in 0s (441 kB/s)
Reading package lists... Done
W: http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.gpg: Signature by key DDA2C105C4B73A6649AD2BBD47AE7F72479BC94B uses weak digest algorithm (SHA1)

apt-key list:

pub   2048R/479BC94B 2013-08-26 [expires: 2018-08-25]
uid                  ownCloud build service <obsrun@localhost>
sub   2048R/8DE365D9 2013-08-26 [expires: 2018-08-25]
sub   2048D/86EB6027 2013-08-26 [expires: 2018-08-25]
sub   2048g/1722EF54 2013-08-26 [expires: 2018-08-25]

Does anyone have an idea how to fix this?

@joaonl
The key from your list does not seem to be the good one. Yours seems to be a locally generated (probably from a testing repository -the localhost seems strange to me-?)
Can you check if the new one is there:
apt-key list | grep -B 1 "isv:ownCloud OBS Project"

The one I have imported is so:

pub   2048R/557BEFF9 2016-09-25 [expire : 2018-12-04]
uid                  isv:ownCloud OBS Project <isv:[email protected]>
apt-key del 479BC94B
wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/Ubuntu_16.04/Release.key
sudo apt-key add - < Release.key
rm Release.key

Confirmed to be working/fixed here on two different desktop systems running Debian.

@joaonl
Indeed you are not using the good repository:

deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/ /

Repository found from the official repository documentation (https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client), linked from the official project (https://owncloud.org/install/#install-clients)

@rloutrel Thank you very much for the quick help. All is working again on 14 VPS
I still don't understand how the wrong repository was added to the list...

Thanks again!

@joaonl : I came lately to owncloud, so I do not know the history, but I guess they changed the repository (between 15.10 and 16.04). I assume that you have an old installation that you upgraded to ubuntu 16.04 (and not a fresh install).
So you still have the original repository and the keyfix seems to work only for the new repository (the opensuse solution).

Out of topic: I advise you to check your other /etc/apt/source.list and source.list.d/* files. Maybe some other repositories are not the fresh one anymore and you do not get the new versions...

Still receiving the same error as the OP in Issue 5067:
W: GPG-Fehler: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04 Release: Die folgenden Signaturen konnten nicht überprüft werden, weil ihr öffentlicher Schlüssel nicht verfügbar ist: NO_PUBKEY 4ABE1AC7557BEFF9
W: The repository 'http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04 Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.

What I did so far:

  1. removed any item related to ownCloud in /etc/apt/...
  2. removed the apt-key 4ABE1AC7557BEFF9
  3. go through this procedure: sudo sh -c "echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/ /' >> /etc/apt/sources.list.d/owncloud-client.list" sudo apt-get update sudo apt-get install owncloud-client

No luck so far. Any idea how to get this solved?

@treuss

Can you please show the output of: apt-key list?

Edit: Run below:

sudo wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key
rm Release.key

No luck so far. Any idea how to get this solved?

You're missing the step to import the key. Your sudo -sh line won't do that automatically for you.

That's interesting, @joaonl : There's no ownCloud key in the output of apt-key list.

@treuss

Please see the edited part on my previous comment ;-)

And also:

You're missing the step to import the key. Your sudo -sh line won't do that automatically for you.

If people are not following the steps explained at https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client they shouldn't wonder why they are getting such results. :-)

Thanks @joaonl!
I tried your suggestion several times, but it seems that the Release.key is not being accepted. Directly after adding it, I get a concise listing of the installed keys. There's nothing like isv:ownCloud or similar.

@treuss For setup help i suggest to jump over to https://central.owncloud.org/. It is not the goal to give setup specific support in an issue tracker.

If you know the missing key ID, you can also try to get it from a keyserver:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 4ABE1AC7557BEFF9

I think it's time to lock this issue to collaborators. It's just one huge mess (43+ comments) with tons of various issues mixed in one.

@RealRancor thanks for your help.

Bad reproducer Dockerfile:

FROM centos:centos7
RUN yum install -y wget
RUN rpm --import http://download.opensuse.org/repositories/isv:/ownCloud:/desktop//CentOS_7/repodata/repomd.xml.key
RUN wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7/isv:ownCloud:desktop.repo -O /etc/yum.repos.d/isv:ownCloud:desktop.repo
RUN yum clean all && yum install -y owncloud-client

still fails. Error messages are:
warning: /var/cache/yum/x86_64/7/isv_ownCloud_desktop/packages/opt-libqt5keychain1-0.7.0-9.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID ba684223: NOKEY
Retrieving key from http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7//repodata/repomd.xml.key

The GPG keys listed for the "The ownCloud Desktop Client (CentOS_7)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

I've triggered a rebuild of opt-libqt5keychain1-0.7.0-9.1 and now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm -- I assume rebuilding all is to be done.

now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm

sounds like a victory! 🎉

Confirmed! The above CentOS7 reproducer is now silent.
Thank you!

Hi, can't access owncloud/enterprise#1617 - Where is this fixed/what steps need to be taken?

@shpetros Just re-import the key as shown at the desktop client install page. If you need further help please see https://owncloud.org/support/ where to get such help.

Yiipiieaaayeah!!! :smiley:

Maybe this helps the guys who followed exactly the ownCloud installation steps from Open Suse, but who had, like myself, still the "packages cannot be authenticated" error. ;)

I'm no certificate specialist, but after having read through the whole thread and tried over and over again the specified installation procedure, I began to delete the "right" key from my apt-key list, but instead of re-importing the right one right away, I checked the list again... and what did I see? Another "old" key appeared in the listing which wasn't there before!

So, this was the method to solve my issue:

1° Uninstall owncloud-client completely: sudo apt-get remove owncloud-client
2° Browse Key list: apt-key list
3° Delete owncloud key: sudo apt-key del 557BEFF9
4° Goto 2° and repeat steps until no ownCloud key is left over
5° Import official Release.key following SUSE instructions:
$ wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/Ubuntu_16.04/Release.key (mind the Release.key output name here, because if you already have this file in your folder, it will generate a Release.key.2 and so on and so forth)
$ sudo apt-key add - < Release.key && sudo rm Release.key
6° Install ownCloud according SUSE instructions: sudo apt-get update && sudo apt-get install owncloud-client

Et voilà! :smiley:

@rloutrel: Thanks for pointing to the Key deletion!

Greetz

OS: Ubuntu 16.04 LTS 64 bits

I did all of the recommended fixes and I am still getting the error on Ubuntu 16.04! The key is there and valid, but the packages still cannot be authenticated.

Not to mention, that my keychain is still not detected, on a fresh install, which was the reason to migrate to the open suse repo in the first place. Classic owncloud!

@FlorianFranzen The keys are valid and known to work for a wide range of users. So either you're importing the wrong key, you're missing a step or something else is broken in your environment.

Please note that this is a bugtracker and no support channel. It's best to jump over to a forum dedicated to your distro where they might be able to help you sort this out.

@RealRancor: Challenge accepted. Let's turn this into a real bug report.

This is my apt key and source setup:

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   2048R/557BEFF9 2016-09-25 [expires: 2018-12-04]
uid                  isv:ownCloud OBS Project <isv:[email protected]>
$ cat /etc/apt/sources.list.d/owncloud-client.list
deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/ /

My apt cache is up to date:

$ sudo apt-get update
Ign:1 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease                                                                                
Hit:3 http://de.archive.ubuntu.com/ubuntu xenial InRelease                                                                                       
Hit:4 http://ppa.launchpad.net/seafile/seafile-client/ubuntu xenial InRelease                                                                                               
Hit:7 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release                                    
Get:8 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release.gpg [481 B]  
Hit:9 http://de.archive.ubuntu.com/ubuntu xenial-updates InRelease                                                                         
Hit:11 http://de.archive.ubuntu.com/ubuntu xenial-backports InRelease                                    
Fetched 481 B in 4s (115 B/s) 
Reading package lists... Done

And this is what happens when I try to install the owncloud-client:

sudo apt-get install owncloud-client
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.4.0-38 linux-headers-4.4.0-38-generic linux-image-4.4.0-38-generic linux-image-extra-4.4.0-38-generic linux-signed-image-4.4.0-38-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libowncloudsync0 libqt5keychain1 owncloud-client-l10n
The following NEW packages will be installed:
  libowncloudsync0 libqt5keychain1 owncloud-client owncloud-client-l10n
0 upgraded, 4 newly installed, 0 to remove and 6 not upgraded.
Need to get 325 kB/1.713 kB of archives.
After this operation, 6.627 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
  libqt5keychain1 libowncloudsync0 owncloud-client-l10n owncloud-client
Install these packages without verification? [y/N] 
E: Some packages could not be authenticated

So it seems like no matter if I follow the official instructions or any of the instructions here, I run into a problem.

Weirdly the Release file is signed properly if I check it by hand:

$ gpg2 --keyserver keyserver.ubuntu.com --recv-keys 4ABE1AC7557BEFF9
...
$ gpg2 --verify Release.gpg Release
gpg: Signature made Mi 12 Okt 2016 04:59:40 CEST using RSA key ID 557BEFF9
gpg: Good signature from "isv:ownCloud OBS Project <isv:[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1B07 204C D71B 690D 409F  57D2 4ABE 1AC7 557B EFF9

Also, I did a quick check of some of the checksums (Package, Package.gz and the deb itself) and they all check out.

I guess there is an important step missing to get apt back on track once you run into this problem.

@FlorianFranzen As explained this is a bugtracker, no support channel. The initial issue here is closed/solved as the new keys with a proper signature were deployed.

@RealRancor The issue described here is not fixed and can still linger if the incorrect Release file was downloaded before. I think this is highly relevant.

Back on topic: The problem is that the Release file does not look changed to apt and therefore is not updated locally. This is either a bug in apt or more likely a bug in the way openSUSE or one of their German mirrors set up their package server or HTML caching.

I was able to fix it by removing the package source, followed by running apt-get update. After adding the source again, everything installed fine. Weirdly just running apt-get clean instead, which I thought does the same, did not fix my issue.

The issue described here is not fixed

It really shouldn't be hard to understand that the issue originally reported here IS fixed. To sum up so that you can understand that:

  1. The bugreport originally reported here was about a weak signature used in the keys
  2. The keys were replaced by new keys which are now using a stronger signing algorithm
  3. The original issue is closed.

Everything else doesn't belong in here. @jnweiger @crrodriguez Please lock here to avoid that this issue gets longer and longer where the initial issue is already solved. People are mixing too many issues in here.

@RealRancor The title is "Weak digest & Invalid signatures". Enough said.

Yeah, and these are solved as already explained twice.

Weak digest: Key was updated with a new signature algorithm.
Invalid signature: Key was expired for the OP and was also updated (Which btw. even doesn't belong into this issue in the first place).

It might help to read (and understand) the actual report and not only the title.

If you think there are any additional issues which need to be fixed, create a new bugreport.

@FlorianFranzen @RealRancor I created #5287 to track the WARNING: The following packages cannot be authenticated! issue.
