typingArtist Posted July 12, 2016

I think that the Armbian repository needs some fixes.

1. apt-cache policy shows the following:

500 http://apt.armbian.com xenial/main armhf Packages
release o=. xenial,a=xenial,n=xenial,l=. xenial,c=main,b=armhf
origin apt.armbian.com

I think that o=. xenial is not intended. I’d expect o=Armbian or the like. The same applies to l=. xenial. The following is the output for a standard Ubuntu repo:

100 http://ports.ubuntu.com xenial-backports/universe armhf Packages
release v=16.04,o=Ubuntu,a=xenial-backports,n=xenial,l=Ubuntu,c=universe,b=armhf
origin ports.ubuntu.com

2. apt-get update shows weak SHA1

An apt-get update shows the following message:

W: http://apt.armbian.com/dists/xenial/InRelease: Signature by key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 uses weak digest algorithm (SHA1)

Ubuntu is signing InRelease with SHA512 … perhaps Armbian could catch up here as well?

Thanks for consideration,
– typingArtist
Igor Posted July 12, 2016

1. I never looked into this. We use the aptly tools for repository creation; this is the procedure. I guess we need to look into the aptly manual to configure this ...

2. On the to-do list for some time. We are trying to catch up.

Thanks!
typingArtist Posted July 12, 2016 (Author)

Hi Igor, thanks for looking into this.

1. Seems to be fixable by specifying -origin=Armbian -label=Armbian when calling aptly publish repo. Also, the description field – currently “Generated by aptly” – would be cool to reflect some info about Armbian instead; however, a necessary patch to aptly is still sitting and waiting.

2. I’m not a GPG expert, but it seems the following two lines have to be added/updated in the relevant gpg.conf file:

personal-digest-preferences SHA512
cert-digest-algo SHA512

Perhaps just one of these lines is enough.

Cheers,
– typingArtist
zador.blood.stained Posted July 12, 2016

> 2. I’m not a GPG expert, but it seems the following two lines have to be added/updated in the relevant gpg.conf file:
>
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
>
> Perhaps just one of these lines is enough.

Generating a new GPG key is the easy part; pushing it to existing installations before using this key for repository signing will be the hard part, and users who skip the intermediate upgrade will see apt-get warnings about an untrusted GPG key.
typingArtist Posted July 13, 2016 (Author)

> 2. I’m not a GPG expert, but it seems the following two lines have to be added/updated in the relevant gpg.conf file:
>
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
>
> Perhaps just one of these lines is enough.

Just tried a gpg --clearsign locally, so I can confirm that just the first of the two lines is required to get SHA512 signatures for --sign and --clearsign.

> Generating a new GPG key is the easy part; pushing it to existing installations before using this key for repository signing will be the hard part, and users who skip the intermediate upgrade will see apt-get warnings about an untrusted GPG key.

I think that no new GPG key is required this time. Using a specific algorithm for signing a message/file is completely independent from the key, so we can stick with the current key and just instruct gpg to use the right hashing.
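As an added example (not code from the thread or from Armbian/aptly), here is a small offline check for the two findings of the opening post: it parses the "release" line that apt-cache policy prints and flags aptly's placeholder origin/label (which makes a pin such as "Pin: release o=Armbian" impossible), and it reads the Hash: armor header of a clearsigned InRelease file to spot SHA1 before apt has to warn about it. The sample lines and InRelease fragments are constructed from the values quoted in the thread; this looks at the armor header only and does not verify the signature, so apt's own warning remains the authoritative check.

```python
import re

# Constructed from the apt-cache policy output quoted in the first post.
ARMBIAN_RELEASE = "o=. xenial,a=xenial,n=xenial,l=. xenial,c=main,b=armhf"
UBUNTU_RELEASE = "v=16.04,o=Ubuntu,a=xenial-backports,n=xenial,l=Ubuntu,c=universe,b=armhf"

# Constructed heads of clearsigned InRelease files; only the armor header matters here.
WEAK_INRELEASE = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nOrigin: Armbian\nSuite: xenial\n"
OK_INRELEASE = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\nOrigin: Armbian\nSuite: xenial\n"

# Digests apt (1.2 onward) rejects or warns about for repository signatures.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def parse_release_line(line):
    """Split apt-cache policy's 'release' field into a dict of its one-letter keys."""
    fields = {}
    for item in line.split(","):
        key, _, value = item.partition("=")
        fields[key.strip()] = value
    return fields


def release_findings(line):
    """List origin/label problems a 'Pin: release o=...' or 'l=...' would run into."""
    fields = parse_release_line(line)
    findings = []
    for key, name in (("o", "origin"), ("l", "label")):
        value = fields.get(key, "")
        # aptly publishes ". <distribution>" unless -origin/-label are given.
        if not value or value.startswith("."):
            findings.append(f"{name} not set ({key}={value!r})")
    return findings


def inrelease_digests(text):
    """Digest names from the clearsign 'Hash:' header; RFC 4880 says MD5 if it is absent."""
    match = re.search(r"^Hash: *([A-Za-z0-9, ]+)$", text, re.MULTILINE)
    if not match:
        return ["MD5"]
    return [name.strip().upper() for name in match.group(1).split(",")]


def inrelease_findings(text):
    """Report any weak digest the InRelease file announces in its armor header."""
    return [f"weak digest {d}" for d in inrelease_digests(text) if d in WEAK_DIGESTS]


if __name__ == "__main__":
    for name, line in (("Armbian", ARMBIAN_RELEASE), ("Ubuntu", UBUNTU_RELEASE)):
        print(name, release_findings(line) or "ok")
    for name, text in (("weak", WEAK_INRELEASE), ("ok", OK_INRELEASE)):
        print(name, inrelease_findings(text) or "ok")
```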
Igor Posted July 13, 2016

I added those two parameters to GPG and will pay attention on the next build. Thanks.

BTW: I noticed that armbian-firmware_5.14_all.deb is nowhere to be found in the repo. Our bug or aptly bug?
zador.blood.stained Posted July 13, 2016

> BTW: I noticed that armbian-firmware_5.14_all.deb is nowhere to be found in the repo. Our bug or aptly bug?

Probably an aptly bug (or "feature") due to the "all" architecture of this package.
typingArtist Posted August 19, 2016 (Author)

Just noticed that the most recent repository update fixed both issues.

Well done, Igor!