Sonarr: Debian/Ubuntu repository is insufficiently signed by key (weak digest)

Created on 24 Mar 2016  Â·  6Comments  Â·  Source: Sonarr/Sonarr

Hello,

As the title says... The following is on the upcoming Ubuntu 16.04 (Xenial):

root@tv:/# cat /etc/apt/sources.list.d/sonarr.list
deb https://apt.sonarr.tv/ master main

root@tv:/# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys FDA5DFFC
Executing: /tmp/tmp.MoGauaMeNU/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
FDA5DFFC
gpg: requesting key FDA5DFFC from hkp server keyserver.ubuntu.com
gpg: key D9B78493: "NzbDrone [email protected]" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

root@tv:/# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu xenial InRelease [116 kB]
Hit:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:4 https://apt.sonarr.tv master InRelease
Fetched 116 kB in 8s (14.3 kB/s)
Reading package lists... Done
W: gpgv:/var/lib/apt/lists/apt.sonarr.tv_dists_master_InRelease: The repository is insufficiently signed by key A236C58F409091A18ACA53CBEBFF6B99D9B78493 (weak digest)
root@tv:/#

linux high
Source
picture Eihrister

Most helpful comment

Unfortunately this is not something we can change without breaking the old package,
this is something we can change at the same time when we change the package name to sonarr.

picture kayone on 24 Mar 2016
👍2

All 6 comments

Unfortunately this is not something we can change without breaking the old package,
this is something we can change at the same time when we change the package name to sonarr.

kayone picture kayone on 24 Mar 2016
👍2

FYI I found this when researching fixing my repository. I was able to fix it only changing settings on the server: https://github.com/ros-infrastructure/buildfarm_deployment/issues/130 With no changes to the packages.

tfoote picture tfoote on 24 May 2016
👍1

That's a great find, I hope the Sonarr devs adopt it ASAP.

On 23 May 2016 at 23:23, Tully Foote [email protected] wrote:

FYI I found this when researching fixing my repository. I was able to fix
it only changing settings on the server:
ros-infrastructure/buildfarm_deployment#130
https://github.com/ros-infrastructure/buildfarm_deployment/issues/130
With no changes to the packages.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
https://github.com/Sonarr/Sonarr/issues/1202#issuecomment-221113935

frameset picture frameset on 24 May 2016
👍1

Thank you @kayone for making this a high priority. Adding my voice to express my interest in this being resolved as well.

Thanks for the great product!

  • [x] Subscribed to this!
kenetik picture kenetik on 2 Jun 2016

I wonder if there was any update for this, I still receive the warning on 16.04.

gurabli picture gurabli on 12 Jun 2016

Thanks everyone for the report, we now sign the repo with SHA256, please let us know if you still see the warning.

kayone picture kayone on 14 Jun 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mommalongnips picture mommalongnips  Â·  3Comments
markus101 picture markus101  Â·  3Comments
mabasic picture mabasic  Â·  3Comments
markus101 picture markus101  Â·  4Comments
leftl picture leftl  Â·  3Comments