weak digest algorithm (SHA1)


I am slowly getting to grips with virtualmin on ubuntu 16 - i am getting the following error on updates, seems like something on the repo side needs to be updated.

All packages are up to date.
W: http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-xenial/Release.gpg: Signature by key 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9 uses weak digest algorithm (SHA1)
W: http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-universal/Release.gpg: Signature by key 31D2B18872EAF68EFB81F81DE8DD3FA0A0BDBCF9 uses weak digest algorithm (SHA1)

“apt-key list”


pub 1024D/11F63C51 2002-02-28
uid Jamie Cameron jcameron@webmin.com
sub 1024g/1B24BE83 2002-02-28

pub 1024D/A0BDBCF9 2005-07-11
uid Virtualmin, Inc. security@virtualmin.com
sub 2048g/CB9262B0 2005-07-11

i found a couple of references, seems there is nothing i can do but try and ignore the depreciated key at the moment.



I have just upgraded to Xenial from Trusty on Ubuntu, and I’m having the same problem. Does VM not have an SHA256 signature?

Same issue here. Virtualmin needs to update their default cert-digest-algo to be SHA256. By default gnupg defaults to using SHA1. These values go on the repository server in the gpg.conf which that Virtualmin is using.

The short hand is to append:
cert-digest-algo SHA256
digest-algo SHA256

To their gpg.conf file.

Note to other users experiencing this issue. There is nothing you can do to correct this on your end. These changes need to be made by Virtualmin.

Yes, that’s my understanding too. Can’t understand why the good folks at Virtualmin can’t sort this annoyance out! Not like them…

Yes it is a minor annoyance, I would like to see them fix it.