| Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Michael D. (DE) | 24/04/16 08:42 | APT for Debian / Ubuntu is now displaying a warning if a PPA / Repository is still using the deprecated SHA-1. It seems that the google repository is still using SHA-1 #sudo apt-get update ... W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1) @Google-Security Team When you are treating SHA-1 certificates as unsecure in your browser, you may want to change your own SHA-1 signature key for your linux deb packets. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | JVApen | 24/04/16 10:00 | Hi Michael, The issue is already known and you can follow its progress by starring the related bug: crbug.com/596074 You are the first Ubuntu user who indicates this issue, so I guess 16.04 also contains the version with the warning. (Previously only Debian users) JVApen |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Jürgen Schnake | 27/04/16 03:51 | Just to not let Michael be the only one to report it: Yes, indeed Ubuntu 16.04 reports this regularly. Would be nice if you guys could fix it :-) Thanks in advance! |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Achim Behrens | 27/04/16 15:48 | I already filed a bug about that in March while testing 16.04. Google told me to change the keys with the next release of chrome for the chrome (and google music manager) repo. Which they didn't. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Ahmad Darwiche | 28/04/16 00:13 | Hi, I'd like to join Michael & Jurgen, I've the same warning too, I tried to remove Chrome & install it again, but same problem. Thanks |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Rakshith Ravi | 28/04/16 05:20 | I can confirm the warning in my 16.04 system too |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Nettlebay | 28/04/16 08:51 | Me too (Ubuntu Mate 16.04) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Willi Malandruccolo | 28/04/16 12:58 | Me too...
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1) I also had to modify the repository to prevent the i386 architecture as follows .. deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main #Google |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Abhinav Pratap Singh | 30/04/16 05:13 | Me too (Ubuntu 16.04) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Sudhanshu!! | 30/04/16 14:02 | Me too (Ubuntu Gnome 16.04) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Eric Valette | 02/05/16 05:22 | This is also the case when using debian unstable and probably testing. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | acutbal | 03/05/16 03:36 | Me too, Ubuntu 16.04 and Ubuntu Mate 16.04. Not only for Chrome, also for Google Music Manager. Would be nice if you could fix it in both repos. Thank you very much! |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | jazzmale | 03/05/16 04:57 | GoogleEarth stable W: http://dl.google.com/linux/earth/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1) E: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/dl.google.com_linux_earth_deb_dists_stable_Release which is considered strong enough for security purposes |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Manky Gitt | 03/05/16 18:39 | Me too: Ubuntu 16.04LTS x64. Note, I encountered
the same error for other apps (Oracle Virtual Box for example), and the
solution for those was to download and import the updated public key: wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add - I had the weak key warning from APT for Google Chrome / Google Music Manager, and reimported the public key from the google repository, but it has not been updated (yet). I have tried re-adding the key from google, just in case there was a problem at my end, but to no avail. I guess we just wait for the new key to be issued, and either live with the warning (it doesn't break anything), or stop using the repo and instead download and install the .deb packages manually. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Manky Gitt | 03/05/16 19:08 | Sorry - I should be more specific: |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Krasimir Nikolow | 06/05/16 08:06 | Me too (Ubuntu 16.04) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Алексей Варфоломеев | 06/05/16 12:22 | Confirm this on Ubuntu 16.04:
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Stefan Novak | 06/05/16 23:59 | I solved this issue after 16.04 upgrade by reinstalling google-chrome-stable package. I removed package, removed repository, then installed new from google site. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Manky Gitt | 07/05/16 00:39 | By solving this, do you mean that not only uninstalling the package, you also purged your repository sources list of the offending Google Repository and resorted to the manual installation workaround whereby you will not get automatic updates via standard software update management in Ubuntu? I see this as a workaround to the actual problem which is that Google's repository signature is using a deprecated algorithm offering lower security than is now acceptable. This does solve the problem of apt-get update no longer complaining about a weak key. It doesn't solve the problem where many people want installation via repository (including automated update management). sudo apt-get update Let everyone know the result of this. Also please if possible share the step-by-step that includes cleaning up your repository sources. There are several methods for managing this. It is always wonderful when a step-by-step is shared. For my part, I do not remove the offending entry from the repository completely. I simply comment it out. In the GUI "Software & updates" you can simply "uncheck" the entry http://dl.google.com/linux/chrome/deb/ stable main You do not have to uninstall the Google Chrome application. It will continue to function just fine. It will no longer be updated when APT performs a check of updated software available across the repositories. This is the same effect as manually installing the .deb file downloaded from Google directly. However, when the new Key is issued, and you import it, you should be able to simply re-enable the repository source to again enjoy automated updating of your Chrome package. When a new key is available, you will need to download it and import it to your trusted key store. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Alexey Pivovarsky | 09/05/16 13:49 | Me too (Ubuntu 16.04) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Alan Fry | 11/05/16 08:46 | Me too. Ubuntu Mate 16.10 |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Ahmed Raof | 11/05/16 08:52 | Yes, indeed |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Dmitry Vandenvin | 11/05/16 22:57 | I just removed Chrome and no pain any more. There are a lot of browsers. Firefox works perfect BTW |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | samson mwangi | 12/05/16 15:09 | Chromium and Mozilla may also be an alternative |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Adrián Ocampo Villegas | 13/05/16 06:42 | Is there any solution to this problem? |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Ivan Todorovic | 16/05/16 08:17 | +1, will solution be available soon? |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | JVApen | 16/05/16 13:55 | Hi all, please see my first answer. I keep nagging to get some information however, the only thing I know is: They are working on it. I wish that I had better news :( JVApen |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Raouf Selwaness | 18/05/16 18:06 | I have the same error too, would like to resolve it ASAP |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Jabed Bangali | 19/05/16 00:57 | I also fetch this issue. :( |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Mic Gio | 20/05/16 06:06 | Still not solved :o |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Cristian Alejandro Rojas | 21/05/16 16:56 | Still showing warnings. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Iron Enthusiast | 22/05/16 09:23 | Of course, but I don't know of any other browsers with a Netflix plugin however. Chrome streams Netflix perfectly. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Harridu | 23/05/16 00:06 | metoo (Debian Testing) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Ralph Shoemaker | 23/05/16 14:27 | W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1) W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1) Fix this |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Kirk Sale | 24/05/16 07:06 | Me too (Ubuntu 16.04) |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Kast Labs | 25/05/16 13:24 | me too Kali GNU/Linux Rolling \n \l Fuck chrome! |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Jürgen Schnake | 11/06/16 01:32 | After waiting for Google to fix this for several weeks, today I uninstalled Chrome. Went back to Opera which turned out to have become a fantastic Chromium-based Browser in the meantime. And there's more: Because I feel the need to synchronise systems, I also turned to Opera mini on mobile. Which is surprisingly better handling scrolling and tabs than Chrome did. All in all it seems I have to thank Google for doing obviously nothing on this matter... |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | luis mokos | 11/06/16 15:55 | guys I see the same warning too on my ubuntu 16.04 system! this is just a warning! from what I assume, I believe that the sha1 hashing is low security, at least no one is hashing with sha1 in php and html anymore. google on the other hand is using sha1 hashing for the ppa keys and this is just a reminder from ubuntu that they should upgrade the security of their keys... I don't know how to disable it though!! your system is fine!!! and I repeat!!!! IT'S NOT AN ERROR IN YOUR MACHINE!!!! |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | Alan Fry | 13/06/16 04:28 | Luis, you are missing the point. We all know that this is just a warning thrown up by apt and that it is not a fault. It is merely showing that the SHA1 hashes used by Google are insecure. What it does show is that ... 1 Google repos are potentially insecure. 2 This has been public knowledge for about 3 months. 3 Google, as an entity, has little interest in correcting this although it clearly knows that this insecure state is fact. https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html 4 Google is one of the richest companies on the planet so this just cannot be a resource/cost issue. Each and every time that a Linux system refreshes the repo list, where Google repos are used, this warning is displayed. Google need to fix it by using SHA256 hashes. |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | JVApen | 13/06/16 17:54 | Hi Alan and others, I guess everyone sees the irony in this bug, though please register yourself on that bug by starring it (left top corner after login) From what I can read in that bug, the most important work is done to upgrade the keys and there is some hidden bug which most likely represents the internal spread of this key. Right now mmoss is looking at this, so I hope this gets fixed in the next few days. JVApen |
| Re: Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1 | JVApen | 16/06/16 18:45 | Hi all, it looks like crbug.com/596074 is fixed and the encryption has been upgraded. However some local caching is giving new warnings: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/main/binary-amd64/Packages Hash Sum mismatch These can be fixed by running the following commands (you can replace aptitude by apt-get if you like) on Debian, Ubuntu and derivatives. I don't have instructions for RedHat-based distros.
(Tnx to PeterJB for sharing) JVApen |