apt update warning - Signature uses weak digest algorithm (SHA1)


  • apt update warning - Signature uses weak digest algorithm (SHA1)

    When I run "apt update" I currently get this warning with Ubuntu 16.04:

    W: http://www.scootersoftware.com/dists/bcompare4/Release.gpg: Signature by key C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE uses weak digest algorithm (SHA1)

    Can this be fixed?

  • #2
    Yes, this is something we'll need to implement, as the security standards are strengthened over the next year for various key signing of installers. It's on our to-do list to tackle this before the SHA1 standard expires.
    Aaron P Scooter Software


    • #3
      Is this really a security issue? I don't see how someone could exploit this.


      • #4
        Someone could theoretically create an alternate installer that looks like it is signed properly using SHA1. There's a security consensus to move to alternate signing methods, which we are implementing. The Windows installer already incorporates both signing methods (as older versions of Windows don't support newer methods), but we'll be shifting over entirely to a newer standard soon during a transition period, as well as update our Linux and OSX signing methods.
        Aaron P Scooter Software


        • #5
          Thanks, Aaron.
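
To see which digest a detached signature such as Release.gpg declares, the following added example (not part of the original thread and not Scooter Software's code) reads the hash algorithm ID from each OpenPGP signature packet. It does not verify the signature; the `WEAK` set is this example's own policy and the sample bytes are a constructed stub.

```python
import base64

# OpenPGP hash algorithm IDs from RFC 4880 section 9.4
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: this example's policy

def dearmor(data):
    """Return raw packet bytes, decoding ASCII armor when present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()][1:-1]
    body = lines[lines.index(b"") + 1:]          # skip armor headers
    return base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))

def packets(buf):
    """Yield (tag, body) for each packet; fixed-length headers only."""
    i = 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                            # new-format header
            tag, first = hdr & 0x3F, buf[i + 1]
            if first < 192:
                size, i = first, i + 2
            elif first < 224:
                size, i = ((first - 192) << 8) + buf[i + 2] + 192, i + 3
            elif first == 255:
                size, i = int.from_bytes(buf[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old-format header
            tag, n = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 3)
            if n is None:
                raise ValueError("indeterminate length not supported")
            size, i = int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, buf[i:i + size]
        i += size

def signature_digests(data):
    """Return [(hash_name, is_weak)] for every signature packet (tag 2)."""
    found = []
    for tag, body in packets(dearmor(data)):
        # Hash ID sits at byte 16 of a v3 signature body and byte 3 of a v4 body
        offset = {3: 16, 4: 3}.get(body[0]) if tag == 2 and body else None
        if offset is not None and len(body) > offset:
            name = HASHES.get(body[offset], "unknown(%d)" % body[offset])
            found.append((name, name in WEAK))
    return found

# Constructed stub: old-format header 0x88, v4 signature, RSA, hash ID 2, no MPIs
SAMPLE_SHA1 = bytes.fromhex("880a04000102000000000000")
```

Pass the bytes of a downloaded signature file to `signature_digests()`; a `True` in the second field marks a digest that this example's policy treats as weak.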
