Ubuntu 18.04 Server
Using the virtualmin-universal repository results in:
# apt-get update
Ign:16 http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release.gpg
Reading package lists... Done
W: GPG error: http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release: The following signatures were invalid: 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9
E: The repository 'http://software.virtualmin.com/gpl/ubuntu virtualmin-universal Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
This is due to the signing key still using SHA1 despite many years of warnings to upgrade the signing algorithm and promises in forum posts by staff to upgrade since at least 2016.
A response of “downgrade your local apt security” is not an acceptable answer (Acquire::AllowDowngradeToInsecureRepositories=true).
There is no reason the Release file cannot be signed by both weak and strong keys and both signatures put in the Release.gpg files.
/etc/apt/trusted.gpg.d/virtualmin.gpg
-------------------------------------
pub dsa1024 2005-07-11 [SC]
31D2 B188 72EA F68E FB81 F81D E8DD 3FA0 A0BD BCF9
uid [ unknown] Virtualmin, Inc. <security@virtualmin.com>
sub elg2048 2005-07-11 [E]
pub rsa4096 2017-05-01 [SC] [expires: 2024-04-29]
E36F 0664 7D8E BD2B E364 2BCE D9F9 0107 60D6 2A6B
uid [ unknown] Virtualmin, Inc. (Package signing key for Virtualmin 6) <security@virtualmin.com>
sub rsa4096 2017-05-01 [E] [expires: 2024-04-29]
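
An added example, not part of the original post: a short Python check that ties the fingerprint in the apt warning to the key listing above and reports why that key is a problem. The warning line and listing are copied from the post; the size thresholds in `MIN_BITS` and the audit date are assumptions chosen for illustration, not apt's own rules.

```python
import re
from datetime import date

# Both inputs are copied from the post above.
APT_WARNING = ("W: GPG error: http://software.virtualmin.com/gpl/ubuntu virtualmin-universal "
               "Release: The following signatures were invalid: "
               "31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9")
KEY_LISTING = """\
pub dsa1024 2005-07-11 [SC]
31D2 B188 72EA F68E FB81 F81D E8DD 3FA0 A0BD BCF9
uid [ unknown] Virtualmin, Inc. <security@virtualmin.com>
sub elg2048 2005-07-11 [E]
pub rsa4096 2017-05-01 [SC] [expires: 2024-04-29]
E36F 0664 7D8E BD2B E364 2BCE D9F9 0107 60D6 2A6B
uid [ unknown] Virtualmin, Inc. (Package signing key for Virtualmin 6) <security@virtualmin.com>
sub rsa4096 2017-05-01 [E] [expires: 2024-04-29]
"""

# Assumed audit policy (not apt's own rule set): minimum key size per algorithm.
MIN_BITS = {"rsa": 2048, "dsa": 2048}

PUB_RE = re.compile(r"^pub\s+([a-z]+)(\d+)\s+\d{4}-\d{2}-\d{2}\s+\[([A-Z]+)\]"
                    r"(?:\s+\[expires:\s*(\d{4}-\d{2}-\d{2})\])?")
FPR_RE = re.compile(r"^\s*((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")

def audit_keys(listing, today):
    """Map fingerprint -> findings for every primary (pub) key in the listing."""
    result, pending = {}, None
    for line in listing.splitlines():
        pub, fpr = PUB_RE.match(line), FPR_RE.match(line)
        if pub:
            algo, bits, usage, expires = pub.groups()
            pending = []
            if int(bits) < MIN_BITS.get(algo, 0):  # unknown algorithms are not judged
                pending.append(f"weak key {algo}{bits}")
            if expires and date.fromisoformat(expires) < today:
                pending.append(f"expired {expires}")
            if "S" not in usage:
                pending.append("not a signing key")
        elif fpr and pending is not None:
            # The fingerprint line follows its pub line; store it without spaces.
            result["".join(fpr.group(1).split())] = pending
            pending = None
    return result

def explain_rejection(apt_line, listing, today):
    """Look up each fingerprint apt reported as invalid in the audited keyring."""
    audited = audit_keys(listing, today)
    return {f: audited.get(f, ["key not in keyring"])
            for f in re.findall(r"\b[0-9A-F]{40}\b", apt_line)}

if __name__ == "__main__":
    # date(2019, 1, 1) is a constructed audit date.
    for fpr, why in explain_rejection(APT_WARNING, KEY_LISTING, date(2019, 1, 1)).items():
        print(fpr, "->", ", ".join(why) or "no findings")
```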