Ticket #473 (new defect)

Opened 3 years ago

Last modified 21 months ago

Signature by key ... uses weak digest algorithm

Running Ubuntu 16.04 it's no longer possible to use APT with your repository. Could you please generate a longer one :)

W: http://download.telldus.com/debian/dists/stable/Release.gpg: Signature by key 70C410C9D73D53E838B31C585A949181E501EA76 uses weak digest algorithm (SHA1)
$ lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial
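
The warning above refers to the digest algorithm recorded inside the OpenPGP signature packet of `Release.gpg`. As an added example (not part of the ticket and not Telldus code), this Python parser reads that field from an armored or binary detached signature; the `WEAK` policy set and the constructed `SAMPLE_SHA1` packet are assumptions made for illustration.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumed policy for this example
# Constructed sample: header-only v4 RSA signature packet declaring SHA1.
SAMPLE_SHA1 = bytes.fromhex("880d0400010200000000abcd000101")

def dearmor(data):
    """Return binary OpenPGP data; strips armor headers and the '=' CRC line."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()][1:-1]
    if b"" in lines:  # armor headers end at the first blank line
        lines = lines[lines.index(b"") + 1:]
    return base64.b64decode(b"".join(l for l in lines if not l.startswith(b"=")))

def signature_digests(data):
    """Return the digest name declared by each signature packet (tag 2)."""
    data, pos, found = dearmor(data), 0, []
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header: low two bits select the length field size
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:
                raise ValueError("indeterminate length not supported")
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body, pos = data[pos:pos + length], pos + length
        if tag == 2:  # v2/v3 keep the hash ID at octet 16, v4 at octet 3
            algo = body[16] if body[0] in (2, 3) else body[3]
            found.append(HASH_NAMES.get(algo, "unknown(%d)" % algo))
    return found

def weak_digests(data):
    """Digests in the signature file that the assumed policy rejects."""
    return [name for name in signature_digests(data) if name in WEAK]
```

The parser only reports the digest each signature declares; it does not verify the signature. To check a downloaded file, pass its bytes in, for example `weak_digests(open("Release.gpg", "rb").read())`.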

Change History

comment:1 Changed 21 months ago by linus wallgren <linus.wallgren+telldus@…>

This issue (which also affects Debian) has resulted in me not being able to use my Telldus device. Please prioritize it higher!

comment:2 Changed 21 months ago by daz jobb <stefan.persson@…>

We are currently in the process of moving the Debian repository. Temporarily it can be found, with a new digest algorithm, at https://s3.eu-central-1.amazonaws.com/download.telldus.com instead of download.telldus.com. The key is of course the same.

There is also a beta version of telldus-core if using "stretch main" instead of "stable main" with updated dependencies for Debian 9 and newer Ubuntu versions (telldus-core_2.1.3-beta1-1_amd64.deb).

comment:3 Changed 21 months ago by linus wallgren <linus.wallgren+telldus@…>

Worked wonders using that URL (well, I used it over http), thank you very much!

If your intention is to let users use the Debian repository over https (which is good, but not necessary as the content is signed), you need to remember to let users know to install apt-transport-https, as that is not installed by default, at least on Debian.

I have currently got around the issues with dependencies by simply installing older versions of libconfuse0 and libconfuse-common, which worked, but if/when I get some time I will try out the beta version.

comment:4 Changed 21 months ago by jonas marklén <txc@…>

Why even have a Trac when you don't use it?

