Virtualmin PPA uses weak digest algorithm (SHA1)

apt update gives:

W: http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-universal/Release.gpg: Signature by key 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9 uses weak digest algorithm (SHA1)

2 threads from 4 years ago already pointed this out:

already reported this.

Now, Ubuntu aptitude and apt update issue warnings about those weak certificates. And apticron sends me a mail per server every day about this.

Any chance of moving that pending item a bit up in the pile? (Could not reply to the old auto-closed topics, so creating a new one.)


Hi,

Thanks for the heads up.

@Joe Is there an easy way to fix that?

You’re using old repos. I can’t change the signing key on the old repos. It’d be a breaking change for all old installs.

The /vm/6 repos (which have been around for several years) use a newer algorithm.

Thank you Joe!
That was the solution! (Suggestion: it would be nice if the old repo could have a deprecation message with instructions to upgrade to the new one.)

For other readers, here is what I did to upgrade the Virtualmin GPL installs to the new repo:

curl -L https://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin-6 | apt-key add -
vi /etc/apt/sources.list

and replace:

deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-xenial main
deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-universal main

with:

deb http://software.virtualmin.com/vm/6/gpl/apt virtualmin-xenial main
deb http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal main
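
To confirm which digest algorithm a repository's `Release.gpg` signature uses (the property apt's warning at the top of this thread is about), the detached signature can be parsed directly. This is an added example, not part of the original thread or Virtualmin's code; `dearmor`, `signature_digests` and `constructed_sig` are hypothetical helpers, and the sample signature is a constructed, truncated packet rather than a real `Release.gpg`.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Decode one ASCII-armored block into raw packets (CRC line skipped)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]  # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def signature_digests(data):
    """Return the digest name used by each signature packet (tag 2)."""
    found, i = [], 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:  # new-format header
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:  # old-format header: low two bits select 1, 2 or 4 length octets
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        body, i = data[i:i + length], i + length
        if tag == 2:
            # v3 signatures carry the hash ID at offset 16, v4 at offset 3
            algo = body[16] if body[0] == 3 else body[3]
            found.append(HASH_ALGOS.get(algo, f"unknown({algo})"))
    return found

def constructed_sig(hash_id):
    # Constructed sample: truncated v4 signature packet, armored; no real key.
    b64 = base64.b64encode(bytes([0x88, 10, 4, 0, 1, hash_id] + [0] * 6)).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    print([signature_digests(dearmor(constructed_sig(h))) for h in (2, 8)])
```

Against a real repository, pass the contents of the downloaded `Release.gpg` to `dearmor`; `gpg --list-packets Release.gpg` reports the same value as `digest algo`.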
