10

I'm running Chrome 50.0.2661.102 (64-bit) on Ubuntu 16.04 x64 and today sudo apt-get update failed with the following message:

...
Err:28 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
  Hash Sum mismatch
...
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
E: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/main/binary-amd64/Packages.bz2  Hash Sum mismatch
E: Some index files failed to download. They have been ignored, or old ones used instead.

Here is my /etc/apt/sources.list.d/google-chrome.list

### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main

And lines 23-25 of /opt/google/chrome/cron/google-chrome

# sources.list setting for google-chrome updates.
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
REPOCONFIGREGEX="deb (\[arch=[^]]*\bamd64\b[^]]*\][[:space:]]*) https?://dl.google.com/linux/chrome/deb/ stable main"

As suggested by the answers to Trouble downloading packages list due to a "Hash sum mismatch" error, I tried

sudo apt-get clean
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update

but problem remains.

Is the issue related to Google servers or is it somehow a configuration problem on my side ?

Update 1: The problem seems to come from Google... Until they fix it, either /etc/apt/sources.list.d/google-chrome.list should be removed or the deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main line should be commented out...

Update 2: The "Hash Sum mismatch" error has been fixed (but the "weak digest algorithm" warning is still there. This isn't a deal breaker for me since now apt-get returns 0 and I can run sudo apt-get update && sudo apt-get -y upgrade without a problem)

maddouri
  • 201
  • I tried to remove the repos and reinstall, and now they give no install candidate. However, I did remove it, and downloaded the .deb directly from Google and that seems to work fine for now. My guess is there is a problem in the google repository. – Terrance May 12 '16 at 22:00
  • Would I loose all my config, data and plugins when I apt-get remove google-chrome-stable before installing it from the .deb again ? – maddouri May 12 '16 at 22:03
  • Mine seemed to stay OK. I think the config files are stored in your home directory and if you don't purge google-chrome-stable when you remove, it should be fine. – Terrance May 12 '16 at 22:05
  • Plus, when you install, if you sign in, it should prompt you to sync all back into it. – Terrance May 12 '16 at 22:08
  • I've just reinstalled it (using GDebi): same problem. – maddouri May 12 '16 at 22:14
  • You need to remove the repository as well from the system. Probably the /etc/apt/sources.list.d/google-chrome.list file needs to be deleted. – Terrance May 12 '16 at 22:15
  • Well, I've just did that too. Now chrome is installed, (btw, no data/config/package lost) apt-get update finishes successfully but /etc/apt/sources.list.d/google-chrome.list has not been created by the setup process... – maddouri May 12 '16 at 22:20
  • Yeah, it won't create it. This might need to have a bug filed with google to have it fixed, but for now this seems to work. – Terrance May 12 '16 at 22:21
  • 1
    Actually looks like they just fixed it. I did not get the error this time. =) – Terrance May 12 '16 at 22:35
  • Yes, thanks for notifying me. I have updated the post now. – maddouri May 12 '16 at 22:41
  • You're very welcome! =) – Terrance May 12 '16 at 22:41

2 Answers2

9

I'm getting this same exact error "hash sum mismatch" on both Ubuntu 14.04 as well as Ubuntu 16.04, and only 16.04 complains about the encryption algorithm.

The source of this problem seems to be twofold:

  1. apt deprecated sha1 recently, which explains the warnings we have been getting from the google repo since the latest LTS was released.
  2. Google was going to provide a fix for the "weak digest algorithm" warnings at some point: (https://bugs.chromium.org/p/chromium/issues/detail?id=596074)

The following is speculative, but seems to fit the symptoms we're seeing:

Google may have rolled out new hashes that no longer match the GPG pub key signatures that everyone is using, presumably these are no longer sha1sums. This might mean they've created hashes for new keys, but have yet to publish new GPG pubkey sigs to go with them for the repo, hence the hash mismatch.

If this turns out to be true, besides being incredibly annoying, there's not much we can do until Google gets their act together.

I suspect this is just a matter of time, and we should see a fix soon(ish),in the form of new GPG pubkey signatures we should be using. It should be easy to add the latest ones with:

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

Assuming of course that the link to the new keys doesn't change; I'm going to be keeping an eye out for changes there.

If you're frustrated with the messages, you can disable them by commenting out the sources in /etc/apt/sources.list.d/google-chrome.list.

software-properties-gtk will allow you to remove any of Google's existing signatures in the authentication tab, before adding the new ones.

And if you've deleted the repo files (like I did several times today) you can setup the repos properly by installing the .deb again, just make sure you set the repo_add_once variable to "true" in /etc/defaults/google-chrome. The file should look like this:

repo_add_once="true"
repo_reenable_on_distupgrade="true"

This of course is NOT a fix for anything at the moment, but will configure everything properly again. Also, last little caveat - the script that installs the repos usually has a copy of the GPG signature in it, so you might want to update the apt-key again before you do an apt-get update.

Here's hoping this problem goes away soon.

John P Santos
  • 91
  • UPDATE: The hash problem seems to have spontaneously gone away when I run apt-get update now. Looks like google reverted the hash sums to what it was. – John P Santos May 12 '16 at 23:39
  • Looks like the problem may have been in the hash sig for either google-chrome-beta or google-chrome-unstable, it appears both have had updates, and now no more error. Checked the hashes for the stable branch and they are identical. Not sure what the deal is. Weird. – John P Santos May 12 '16 at 23:56
0

I don't know if I had set this (I don't know why I would have set this) or if Google/Chrome had set this but /etc/apt/sources.list.d/google-chrome.list had the immutable flag set. When this is set it means a file cannot be changed or modified.

I don't know if this only affected me (in the event I set this myself for some reason) or if this is the root cause and was set by Google.

Run the command lsattr /etc/apt/sources.list.d/google-chrome.list. If the 5th character is an i instead of a - than it means the immutable flag is set.

Immutable flag set: ----i--------e-- /etc/apt/sources.list.d/google-chrome.list

Immutable flag not set: -------------e-- /etc/apt/sources.list.d/google-chrome.list

If the the immutable flag is set than you can fix this by running sudo chattr -i /etc/apt/sources.list.d/google-chrome.list && sudo apt-get update

Please let me know if this is set on your system in the comments. I can't imagine why I would have set it but if it is set on other peoples systems than I know this came from Google and not from me.

UPDATE: I compared /etc/apt/sources.list.d/google-chrome.list past and present since I use etckeeper and I do not see any changes to the file itself which makes me question the validity of the immutable bit however disabling the immutable bit does seem to have resolved the issue for me.

UPDATE: I manually re-enabled the immutable bit and then ran sudo apt-get update and it did not cause the problem to re-occur. I am wondering about the validity of my answer but I am looking forward to some feedback to determine if this did cause it. If it did than I am not sure why it did if the file wasn't changed.

jetole
  • 101
  • 1
  • I have manually removed then re-created the file when I reinstalled chrome. When I run lsattr, it seems that the immutable flag is not set. – maddouri May 12 '16 at 22:49
  • @865719 if you could do that, it wasn't immutable in the first place. – muru May 12 '16 at 22:52