[Aptitude-devel] Bug#877948: aptitude: false error: "The following signatures were invalid" (gpg con good)
abe at debian.org
Sun Oct 8 11:38:13 UTC 2017
David Kalnischkies schrieb am Sun, Oct 08, 2017 at 12:24:34PM +0200:
> On Sat, Oct 07, 2017 at 05:12:24PM +0200, Anonymous wrote:
> > There are two repositories which are blocked from "aptitude update" on
> > the basis of "invalid signature", when in fact gpg reports the
> > signatures are valid.
> The signature is valid for gpg as it has a different interpretation of what it
> considers valid (in the version you are using). The signatures are based on the
> SHA1 algorithm which is considered weak nowadays – that might still be good
> enough for a signature on an email (depending on your requirements), but the apt
> team decided that it isn't enough to ensure the security of your system.
Thanks for taking care of this bug report so quickly.
Either SHA1 or too short keys were my suspicion last night, too, but I
was too tired to properly check that suspicion before going to bed.
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
More information about the Aptitude-devel