Debian packages use weak digest algorithm

[jtojnar]

Trying to install Synapse on Yaketty Yak

apt-add-repository 'deb https://matrix.org/packages/debian/ yakkety main'
curl https://matrix.org/packages/debian/repo-key.asc | apt-key add -
apt-get update

produces the following warning:

W: https://matrix.org/packages/debian/dists/yakkety/InRelease: Signature by key C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61 uses weak digest algorithm (SHA1)

[ara4n]

Guest74897 just reported this too:

the packages hosted on your repo are signed with SHA1
Debian and Ubuntu enforce SHA256 or higher entries in the Release and/or Packages files since March
yeah - so basically users are unable to install or upgrade their matrix installations since march
here is the notice from the apt team: https://juliank.wordpress.com/2016/03/14/dropping-sha-1-support-in-apt/
the fix on your side is simple: you just need to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file

[Flightkick]

Any update on this? Packages still seem to be signed with SHA-1. Would love to give Synapse a try 😃

[richvdh]

I think we fixed this ages ago.