  1. #1 (Join Date: Jun 2016, Posts: 1)

    apt update warning - Signature uses weak digest algorithm (SHA1)

    When I run "apt update" I currently get this warning with Ubuntu 16.04:

    W: http://www.scootersoftware.com/dists/bcompare4/Release.gpg: Signature by key C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE uses weak digest algorithm (SHA1)

    Can this be fixed?

  2. #2 (Join Date: Oct 2007, Location: Madison, WI, Posts: 11,947)

    Yes, this is something we'll need to implement, as the security standards are strengthened over the next year for various key signing of installers. It's on our to do list to tackle this before the SHA1 standard expires.
    Aaron P Scooter Software

  3. #3 (Join Date: Dec 2007, Location: U.S. East coast, Posts: 303)

    Is this really a security issue? I don't see how someone could exploit this.

  4. #4 (Join Date: Oct 2007, Location: Madison, WI, Posts: 11,947)

    Someone could theoretically create an alternate installer that looks like it is signed properly using SHA1. There's a security consensus to move to alternate signing methods, which we are implementing. The Windows installer already incorporates both signing methods (as older versions of Windows don't support newer methods), but we'll be shifting over entirely to a newer standard soon during a transition period, as well as update our Linux and OSX signing methods.
    Aaron P Scooter Software
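    Added example, not part of this thread and not Scooter Software's tooling: the thing apt is objecting to is a single byte inside Release.gpg, the hash-algorithm field of the OpenPGP signature packet (RFC 4880). The script below de-armors a detached signature, walks the packet header and the v3/v4 signature layout, and reports the digest algorithm, the issuer and whether apt would consider it weak. The two sample signatures are constructed inline for the example (only the header fields are meaningful; they are not valid signatures over anything), using the key fingerprint from the warning in post #1.

```python
"""Report the digest algorithm used by a detached OpenPGP signature (Release.gpg)."""
import base64
import struct

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}   # what apt 1.2+ warns about

# Fingerprint quoted in apt's warning in this thread.
KEY_FPR = bytes.fromhex("C9467A8216C570CDFBAC3AFD331D6DDE7F8840CE")


def dearmor(armored: str) -> bytes:
    """Return the binary packet data inside an ASCII-armored block."""
    data, in_body = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_body = True
        elif line.startswith("-----END"):
            break
        elif in_body and line and ": " not in line and not line.startswith("="):
            data.append(line)   # skips armor headers, the blank line and the =CRC24 line
    return base64.b64decode("".join(data))


def read_packet(buf: bytes, pos: int = 0):
    """Parse one packet header at pos; return (tag, body_start, body_end)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                         # new-format header (section 4.2.2)
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + buf[pos + 2] + 192, 3
        elif b1 == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not used for signatures")
    else:                                    # old-format header (section 4.2.1)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, hdr = buf[pos + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", buf[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
        else:
            length, hdr = len(buf) - pos - 1, 1   # indeterminate: runs to end of input
    start = pos + hdr
    return tag, start, start + length


def parse_subpackets(area: bytes) -> dict:
    """Return {subpacket_type: payload} for a v4 signature subpacket area."""
    out, pos = {}, 0
    while pos < len(area):
        b1 = area[pos]
        if b1 < 192:
            length, pos = b1, pos + 1
        elif b1 < 255:
            length, pos = ((b1 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        out[area[pos]] = area[pos + 1:pos + length]   # length covers type byte + payload
        pos += length
    return out


def inspect_signature(armored: str) -> dict:
    """Describe the first signature packet: version, digest, issuer, weak or not."""
    buf = dearmor(armored)
    tag, start, end = read_packet(buf)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body, issuer = buf[start:end], None
    version = body[0]
    if version == 4:     # ver, sig type, pk algo, hash algo, hashed subpkts, unhashed subpkts, ...
        hash_id = body[3]
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
        unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
        subs = {**parse_subpackets(unhashed), **parse_subpackets(hashed)}  # hashed wins
        if 33 in subs:       # issuer fingerprint subpacket: version byte + fingerprint
            issuer = subs[33][1:].hex().upper()
        elif 16 in subs:     # issuer key ID subpacket: 8 bytes
            issuer = subs[16].hex().upper()
    elif version == 3:   # ver, 5, sig type, time(4), key ID(8), pk algo, hash algo, ...
        hash_id = body[16]
        issuer = body[7:15].hex().upper()
    else:
        raise ValueError(f"unsupported signature version {version}")
    name = HASH_ALGOS.get(hash_id, f"unknown({hash_id})")
    return {"version": version, "hash": name, "issuer": issuer, "weak": name in WEAK_DIGESTS}


def build_sample(hash_id: int, fingerprint: bytes) -> str:
    """Constructed v4 RSA signature packet for this example: header fields only,
    the hash prefix and MPI are dummies, so it verifies nothing."""
    hashed = bytes([22, 33, 4]) + fingerprint      # subpacket 33 (issuer fingerprint), 22 bytes
    unhashed = bytes([9, 16]) + fingerprint[-8:]   # subpacket 16 (issuer key ID), 9 bytes
    body = (bytes([4, 0x00, 1, hash_id]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + struct.pack(">H", 16) + b"\xff\xff")  # hash prefix + dummy MPI
    packet = bytes([0x88, len(body)]) + body       # old-format header: tag 2, 1-byte length
    b64 = base64.b64encode(packet).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n=0000\n-----END PGP SIGNATURE-----\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # python3 sigdigest.py Release.gpg
        with open(sys.argv[1]) as f:
            print(inspect_signature(f.read()))
    else:
        for hash_id in (2, 8):       # SHA1 sample (what the warning is about) and SHA256
            print(inspect_signature(build_sample(hash_id, KEY_FPR)))
```

    Against a real repository, point it at the downloaded Release.gpg, or cross-check with `gpg --list-packets Release.gpg`, which prints `digest algo 2` for SHA1 and `digest algo 8` for SHA256. There is no legitimate client-side fix; the repository publisher re-signs the Release file with a SHA-2 digest, for example `gpg --digest-algo SHA256 -abs -o Release.gpg Release` (and the same for InRelease), which is what the reply above describes doing on the Scooter Software side. Later apt releases reject SHA1-signed repositories outright rather than warning.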

  5. #5 (Join Date: Dec 2007, Location: U.S. East coast, Posts: 303)

    Thanks, Aaron.
