Elasticsearch version: 2.3
OS version: Ubuntu 16.04
Description of the problem including expected versus actual behavior:
Warning from apt-get when installing ElasticSearch (and Logstash): W: http://packages.elastic.co/elasticsearch/2.x/debian/dists/stable/Release.gpg: Signature by key 46095ACC8548582C1A2699A9D27D666CD88E42B4 uses weak digest algorithm (SHA1
Notes:
Steps to reproduce:
apt-get update
apt-get install elasticsearch -y
@drewr presumably this applies to anything signed by our key. Any ideas here?
The release seems to be half-broken due to SHA1 removal by debian(apt) in newer OS versions. It has affected many repositories and they intend to shut off SHA1 completely on January 1, 2017.
The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.
SHA1 support is not yet dropped, they merely do not consider it trustworthy.
Please check here for more info : https://wiki.debian.org/Teams/Apt/Sha1Removal
thanks for this info @girirajsharma, very helpful!
so this is the Release.gpg file, which is created by the deb-s3 tool on deployment... deb-s3 supports an option to add arbitrary GPG parameters.
However I have no idea, if that would affect older distributions and if this is the only issue or just masking another one with the package itself.
@clintongormley @drewr @rjernst @spinscale any news on this
this was fixed with the current release process by adding the following param to the deb-s3 upload command:
--gpg-options="--digest-algo SHA512"
I'm not sure how @rjernst is planning on uploading deb packages though
This is already handled in unified release, by passing those gpg options when creating the deb signatures.
Thanks @rjernst - closing
How do I fix the current warning that appears when I apt-get update?
@ThomasdOtreppe @clintongormley @drewr @girirajsharma @jpountz @spinscale @rjernst @s1monw
I'm using Ubuntu 16.04
+1
I have the same problem, but with filebeat:
W: https://packages.elastic.co/beats/apt/dists/stable/Release.gpg: Signature by key 46095ACC8548582C1A2699A9D27D666CD88E42B4 uses weak digest algorithm (SHA1)
I just tested again right now (since there was a release recently) and the issue is still present.
In 16.04.1 same thing...
Please could you try this again - I've resigned the deb repository with SHA512
I am no longer getting this message on Ubuntu 16.04.1 for ElasticSearch.
Elasticsearch is fixed.
Logstash, Kibana and curator still have the issue (and I guess beats too but I haven't tested it). Should I open a bug in their respective repo?
please do
There's no need to file issues with the other projects, this is fixed in the unified release, which should be used for beta1.
@rjernst i was thinking about the existing repositories which are currently a problem with ubuntu 16
@clintongormley Just to let you know, I'm having this issue with repositories for older elasticsearch releases (specifically 1.7). Unfortunately I can't use a newer version at this time, so a fix for those repos would be very much appreciated.
It is still not fixed.
W: https://artifacts.elastic.co/packages/5.x-prerelease/apt/dists/stable/Release.gpg: Signature by key 46095ACC8548582C1A2699A9D27D666CD88E42B4 uses weak digest algorithm (SHA1)
It's fixed in our release process (for real now) and will be in the next release.
@rjernst I am getting the same error as @failedguidedog when attempting to install Elasticsearch 1.7 on Debian 9.
The following commands:
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb http://packages.elastic.co/elasticsearch/1.7/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-1.7.list
sudo apt-get update
Yield:
W: GPG error: http://packages.elastic.co/elasticsearch/1.7/debian stable Release: The following signatures were invalid: 46095ACC8548582C1A2699A9D27D666CD88E42B4
W: The repository 'http://packages.elastic.co/elasticsearch/1.7/debian stable Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
@jacksonrayhamilton This is a closed issue from over a year ago. Elasticsearch 1.7 was released ~2 years ago. Nothing has changed regarding the apt repository for it. I'm not sure what could be the matter, but nothing will be changed for an ancient release. You should upgrade to a recent release.
Also, please ask questions on our forum. We use github for feature requests and confirmed bug reports.
Sorry for reviving an old issue. Debian takes a while to do a major release, so these issues take a while to rear their head (it wasn't an issue in Debian 8 and Debian 9 was only released a few months ago).
Given that the setup guide is still publicly hosted at https://www.elastic.co/guide/en/elasticsearch/reference/1.7/setup-repositories.html and instructs this, I think this is still a current issue.
I understand if you disagree on the basis of not wanting to support old versions in any way at all. If that's the case, maybe those old docs should be removed or provide a disclaimer? Anyway, I'll proceed to explain how I think this could be fixed, in case you're amenable to my opinion.
I'm guessing this is related to the way that repository is signed. From this answer:
The cause of the problem is that . . . support for keys that state a preference for SHA-1 encryption has been turned off in APT as of Debian 9. . . .
So a repository publisher needs to do two things:
. . .
- Adjust the preferences _that are contained in the current repository signing key_ to eliminate SHA-1 from there too. For that one needs to:
- Run
gpg --edit-key "${key_fingerprint}" substituting the appropriate key fingerprint, then edit the key preferences with the pref and setpref commands, then save the key to the keyring.
- Export the public key of the updated key from the keyring to a file.
- Re-sign the repository with the modified signing key.
- Publish the updated signing key's public key file.
I added emphasis to "Re-sign the repository with the modified signing key." I tried the latest instructions:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt-get update
And the key looks the same, and I got no warnings. So I'm guessing the newer repositories were re-signed with the modified signing key, but the older ones weren't. Would you be willing to check if the old ones aren't, and re-sign them to see if that fixes the issue?
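The warning quoted at the top of the thread and the fix discussed earlier (signing with --digest-algo SHA512, or fixing the key's preferences and re-signing) both come down to one byte inside the OpenPGP signature packet: the hash-algorithm id. The following Python script is an added example, not code from Elastic or from the deb-s3 tool. It parses a Release.gpg file (binary or ASCII-armored) according to the RFC 4880 packet layout and reports, for every signature packet, which digest and which issuer key id were used, so an administrator can audit a repository's signature before apt complains, without gpg installed. The sample signatures it builds are constructed for the demo with a made-up issuer key id and a junk MPI; they are not real Elastic signatures and verify against nothing. With gpg available, gpg --list-packets Release.gpg shows the same fields.

```python
"""Audit the digest algorithm recorded in an apt repository's Release.gpg.

apt's "uses weak digest algorithm (SHA1)" warning refers to the hash
algorithm id stored in the OpenPGP signature packet (RFC 4880). This
parser reads that id directly. Sample inputs are constructed for the demo.
"""
import base64
import sys

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",   # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA", 19: "ECDSA"}  # RFC 4880 9.1
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}   # what current apt rejects or warns on


def dearmor(data: bytes) -> bytes:
    """Accept binary Release.gpg or ASCII-armored signature text."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    b64, state = [], 0           # 0 = before armor, 1 = armor headers, 2 = base64 body
    for line in data.decode("ascii").splitlines():
        if state == 0 and line.startswith("-----BEGIN PGP"):
            state = 1
        elif state == 1 and line.strip() == "":
            state = 2            # blank line separates armor headers from the body
        elif state == 2:
            if line.startswith("=") or line.startswith("-----END"):
                break            # "=XXXX" is the CRC24 line, not signature data
            b64.append(line.strip())
    return base64.b64decode("".join(b64))


def read_packet_header(buf: bytes, off: int):
    """Return (tag, header_len, body_len) for old- and new-format packet headers."""
    first = buf[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new-format header
        tag, second = first & 0x3F, buf[off + 1]
        if second < 192:
            return tag, 2, second
        if second < 224:
            return tag, 3, ((second - 192) << 8) + buf[off + 2] + 192
        if second == 255:
            return tag, 6, int.from_bytes(buf[off + 2:off + 6], "big")
        raise ValueError("partial body lengths are not used for signatures")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 3:
        raise ValueError("indeterminate packet length")
    n = (1, 2, 4)[ltype]
    return tag, 1 + n, int.from_bytes(buf[off + 1:off + 1 + n], "big")


def iter_subpackets(area: bytes):
    """Yield (type, data) for each signature subpacket; the length counts the type byte."""
    off = 0
    while off < len(area):
        first = area[off]
        if first < 192:
            length, off = first, off + 1
        elif first < 255:
            length, off = ((first - 192) << 8) + area[off + 1] + 192, off + 2
        else:
            length, off = int.from_bytes(area[off + 1:off + 5], "big"), off + 5
        yield area[off] & 0x7F, area[off + 1:off + length]   # bit 7 is the "critical" flag
        off += length


def parse_signatures(data: bytes) -> list:
    """Describe every signature packet in a Release.gpg (repos may sign with several keys)."""
    buf, off, results = dearmor(data), 0, []
    while off < len(buf):
        tag, hdr, length = read_packet_header(buf, off)
        body = buf[off + hdr:off + hdr + length]
        off += hdr + length
        if tag != 2:
            continue                                   # only signature packets matter here
        version, issuer = body[0], None
        if version == 4:                               # v4: ver, type, pk algo, hash algo, subpackets
            pk_algo, hash_algo = body[2], body[3]
            hlen = int.from_bytes(body[4:6], "big")
            ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
            areas = (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen])
            for area in areas:
                for sp_type, sp_data in iter_subpackets(area):
                    if sp_type == 16:                  # Issuer subpacket: 8-byte key id
                        issuer = sp_data.hex().upper()
        elif version == 3:                             # v3: key id at 7..15, algos at 15 and 16
            pk_algo, hash_algo, issuer = body[15], body[16], body[7:15].hex().upper()
        else:
            raise ValueError(f"unsupported signature version {version}")
        digest = HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})")
        results.append({"version": version, "digest": digest, "weak": digest in WEAK_DIGESTS,
                        "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, f"unknown({pk_algo})"),
                        "issuer_keyid": issuer})
    return results


def build_sample_sig(hash_algo: int, armored: bool = False) -> bytes:
    """Constructed v4 RSA signature packet for the demo (junk MPI, made-up key id)."""
    hashed = bytes([5, 2]) + (1_500_000_000).to_bytes(4, "big")      # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")     # issuer key id (constructed)
    body = (bytes([4, 0x00, 1, hash_algo]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x00\x00" + b"\x00\x10\xab\xcd")                      # hash prefix + 16-bit MPI
    packet = bytes([0x89]) + len(body).to_bytes(2, "big") + body      # old-format tag 2, 2-byte len
    if not armored:
        return packet
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed-sample\n\n"
            + base64.b64encode(packet).decode() + "\n=AAAA\n-----END PGP SIGNATURE-----\n").encode()


if __name__ == "__main__":
    # Usage: python3 check_release_gpg.py /var/lib/apt/lists/<repo>_Release.gpg
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or \
             [build_sample_sig(2), build_sample_sig(10, armored=True)]
    for data in inputs:
        for sig in parse_signatures(data):
            print(("WEAK  " if sig["weak"] else "ok    ") + str(sig))
```

Run it against the Release.gpg apt has already cached under /var/lib/apt/lists (or one fetched from the repository's dists/stable/ directory) and any entry marked WEAK is exactly what triggers the warning in this thread; after the repository is re-signed with SHA512 the digest field changes to SHA512 while the issuer key id stays the same, which matches the observation above that the key looks unchanged on the fixed repositories.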
The following workaround allows the install to pass:
echo "deb [trusted=yes] http://packages.elastic.co/elasticsearch/1.7/debian stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-1.7.list
sudo apt-get update
@sylvainbx unfortunately, that still doesn't suppress the warning:
W: GPG error: http://packages.elastic.co/elasticsearch/1.7/debian stable Release: The following signatures were invalid: 46095ACC8548582C1A2699A9D27D666CD88E42B4
Maintainers, I see that my last post has 5 people agreeing with it. Idealistic as absolutely dropping support for old software may be, it may also be pragmatic to consider that it takes a long time for some companies to upgrade.
@jacksonrayhamilton I am sorry, but we are not going to make any changes here. End of life is end of life; the last 1.7 release (1.7.6) was on November 22, 2016, and we announced at that time that it would be the last release in the 1.7 series with it going end-of-life on January 16, 2017. The Debian packages can be downloaded from our downloads page to workaround this issue, but doing maintenance on the repository to avoid this issue is not something that we are going to do since it is end of life. I am sure that this is disappointing and that it seems unnecessarily strict but we draw a hard line to focus our capacity on maintaining and advancing our active versions.