I'm hosting some internal repositories using reprepro.
After the upgrade of the clients to Ubuntu 16.04, apt-get update gives a warning "InRelease: Signature by key ... uses weak digest algorithm (SHA1)".
InRelease file starts like that:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So, reprepro has signed the InRelease file with a SHA1. How can I change it to SHA256 or SHA512?
You can fix this by modifying the ~/.gnupg/gpg.conf file of the user account which will be running reprepro and adding this line to the file digest-algo sha256. All signatures made with GPG by this user will use the SHA256 digest algorithm by default, thus, signatures made by reprepro will be sha256, as well.
If you want to learn more about GPG, APT, and Debian packages, I wrote a comprehensive blog post about signing and verifying Debian packages and APT repositories that may be helpful.
gpg.confas described above, you may likely need to re-export existing repositories usingreprepro export $codenameto placate clients. – sxc731 Oct 05 '17 at 08:31gpgat least once so it creates the file. You'd have to do that anyway to create and export your key. – Alexis Wilke Sep 28 '19 at 22:15