INFRA-717

Package Repository Signing Key Weak

      Description

      When doing an apt-get update or apt-get dist-upgrade on my Jenkins server, I get an error from APT saying "http://pkg.jenkins-ci.org/debian/binary/Release.gpg: Signature by key 150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6 uses weak digest algorithm (SHA1)". The signing key should be upgraded from SHA1 to SHA2 (or higher) to resolve this.
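The warning quoted in the description is driven by the hash-algorithm field carried inside the OpenPGP signature packet of `Release.gpg`. As an added example (not part of the original issue or of the Jenkins packaging code), the Python below reads that field from an armored detached signature and flags weak digests; it goes slightly beyond the reported case by handling both old and new packet header formats and v3 signatures. The function names, the `WEAK` policy set and the sample packet are assumptions constructed for this illustration.

```python
import base64

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}   # RFC 4880 section 9.4
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # this example's policy; the report concerns SHA1

def dearmor(text):
    """Decode an ASCII-armored block (e.g. Release.gpg) to raw packet bytes."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # skip armor headers and the END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # no CRC24

def signature_digests(data):
    """Return the digest name used by each signature packet (tag 2) in data."""
    found, i = [], 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                 # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)   # n = 1, 2 or 4 length octets
            if n == 8:
                raise ValueError("indeterminate lengths are not handled")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        body = data[i:i + length]; i += length
        if tag == 2:                          # hash ID: offset 3 in v4+, 16 in v3
            algo = body[3] if body[0] >= 4 else body[16]
            found.append(HASH_NAMES.get(algo, f"unknown({algo})"))
    return found

def weak_signatures(armored):
    """Digest names in an armored signature that the WEAK policy rejects."""
    return [d for d in signature_digests(dearmor(armored)) if d in WEAK]

def constructed_sig(hash_id):
    """Constructed sample: v4 signature header, zero-filled remainder (not a real signature)."""
    body = bytes([4, 0x00, 1, hash_id]) + bytes(12)
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()  # old format, tag 2
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"
```

Passing the text of a downloaded `Release.gpg` to `weak_signatures()` gives a non-empty list while the repository is still signed with a weak digest and an empty list once it has been re-signed with SHA-2.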

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: R. Tyler Croy
            Path:
            deb/publish/publish.sh
            http://jenkins-ci.org/commit/packaging/e50139c6804bbaf77942fc4db024c4e27509ac78
            Log:
            Merge pull request #80 from jenkinsci/INFRA-717

            INFRA-717 sign with SHA-2

            Compare: https://github.com/jenkinsci/packaging/compare/008343f65cd2...e50139c6804b

            kohsuke Kohsuke Kawaguchi added a comment -

            I sent an email to debian APT team for some clarification. Assuming that doesn't make me revisit my fix, this change will take effect starting the next weekly release.

            kohsuke Kohsuke Kawaguchi added a comment -

            link to the email thread

            kohsuke Kohsuke Kawaguchi added a comment -

            The change is deployed and the warning should have gone away.

            kohsuke Kohsuke Kawaguchi added a comment -

            I should qualify this. The change is deployed to the mainline releases.

            Signatures on LTS releases are updated when the next release happens, which is due in 2 weeks.


              People

              • Assignee:
                kohsuke Kohsuke Kawaguchi
              • Reporter:
                smccloud Shaun McCloud
              • Votes:
                18
              • Watchers:
                22
