I think that the Armbian repository needs some fixes.

1. apt-cache policy shows the following:

 500 http://apt.armbian.com xenial/main armhf Packages
     release o=. xenial,a=xenial,n=xenial,l=. xenial,c=main,b=armhf
     origin apt.armbian.com

I think that o=. xenial is not intended. I’d expect o=Armbian or the like. The same applies to l=. xenial.

The following is the output for a standard Ubuntu repo:

 100 http://ports.ubuntu.com xenial-backports/universe armhf Packages
     release v=16.04,o=Ubuntu,a=xenial-backports,n=xenial,l=Ubuntu,c=universe,b=armhf
     origin ports.ubuntu.com

2. apt-get update shows weak SHA1

An apt-get update shows the following message:

W: http://apt.armbian.com/dists/xenial/InRelease: Signature by key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 uses weak digest algorithm (SHA1)

Ubuntu is signing InRelease with SHA512 … perhaps Armbian could catch up here as well?

Thanks for consideration,

– typingArtist

Hi Igor,

thanks for looking into this.

1. Seems to be fixable by specifying -origin=Armbian -label=Armbian when calling aptly publish repo. Also, the description field – currently “Generated by aptly” – would be cool to reflect some info about Armbian instead, however, a necessary patch to aptly is still sitting and waiting.

2. I’m not a GPG expert, but it seems the following two lines have to be added/updated in the relevant gpg.conf file:

personal-digest-preferences SHA512
cert-digest-algo SHA512

Perhaps just one of these lines is enough.

Cheers,

– typingArtist


2. I’m not a GPG expert, but it seems the following two lines have to be added/updated in the relevant gpg.conf file:

personal-digest-preferences SHA512
cert-digest-algo SHA512

Perhaps just one of these lines is enough.

Generating a new GPG key is the easy part; pushing it to existing installations before using this key for repository signing will be the hard part, and users who skip the intermediate upgrade will see apt-get warnings about an untrusted GPG key.


2. I’m not a GPG expert, but it seems the following two lines have to be added/updated in the relevant gpg.conf file:

personal-digest-preferences SHA512
cert-digest-algo SHA512

Perhaps just one of these lines is enough.

Just tried a gpg --clearsign locally, so I can confirm that just the first of the two lines is required to get SHA512 signatures for --sign and --clearsign.

Generating a new GPG key is the easy part; pushing it to existing installations before using this key for repository signing will be the hard part, and users who skip the intermediate upgrade will see apt-get warnings about an untrusted GPG key.

I think that no new GPG key is required this time. Using a specific algorithm for signing a message/file is completely independent from the key, so we can stick with the current key and just instruct gpg to use the right hashing.
