Apt-get (or dpkg) warns of weaks digest algorithm use by signature

[ThomasdOtreppe]

Elasticsearch version: 2.3

OS version: Ubuntu 16.04

Description of the problem including expected versus actual behavior:
Warning from apt-get when installing ElasticSearch (and Logstash): W: http://packages.elastic.co/elasticsearch/2.x/debian/dists/stable/Release.gpg: Signature by key 46095ACC8548582C1A2699A9D27D666CD88E42B4 uses weak digest algorithm (SHA1

Notes:

• It installs just fine, it just warns.
• The same applies to Logstash.

Steps to reproduce:

1. Add elastic GPG key as explained in the documentation
2. Add elasticsearch repository to sources list and update: apt-get update
3. Run apt-get install elasticsearch -y

[clintongormley]

@drewr presumably this applies to anything signed by our key. Any ideas here?

[girirajsharma]

The release seems to be half-broken due to SHA1 removal by debian(apt) in newer OS versions. It has affected many repositories and they intend to shut off SHA1 completely on January 1, 2017.

The repository owner needs to pass --digest-algo SHA512 or --digest-algo SHA256 (or another SHA2 algorithm) to gpg when signing the file. Repositories with DSA keys need to be migrated to RSA first.
SHA1 support is not yet dropped, they merely do not consider it trustworthy.

Please check here for more info : https://wiki.debian.org/Teams/Apt/Sha1Removal

[clintongormley]

thanks for this info @girirajsharma, very helpful!

[spinscale]

so this is the Release.gpg file, which is created by the deb-s3 tool on deployment... deb-s3 supports an option to add arbitrary GPG parameters.

However I have no idea, if that would affect older distributions and if this is the only issue or just masking another one with the package itself.

[s1monw]

@clintongormley @drewr @rjernst @spinscale any news on this