APT weak digest warning under wheezy

Newer apt versions warn if the repository release files are signed using "weak" digest algorithms like SHA1:

W: http://mini-buildd-uff.ta.ta:8066/repositories/test/dists/sid-test-unstable/InRelease: Signature by key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF uses weak digest algorithm (SHA1)

This should usually not occur, as mini-buildd is ignorant of the digest used: it delegates "anything repository" down to reprepro, which uses gpgme, which in turn seems to just use gnupg's default digest. And gnupg should know best what a reasonably secure value is, at least for stable+security.

However, if you so happen to still run mini-buildd under oldstable / wheezy at this point, gnupg by default uses SHA1, and that's no longer sufficient:

  1. Update to jessie.
  2. Manually change gnupg default values.
  3. Use a newer version of gnupg.

I would of course recommend (1.) if feasible, and would not really consider (3.) (wheezy still has security support).

For anyone stuck with wheezy:

Manually change gnupg default values

In ~mini-buildd/.gnupg/gpg.conf (on your mini-buildd repository host), add:

personal-digest-preferences SHA512 SHA384 SHA256 SHA224

While that is all there is to do, reprepro will only update the indices when there are actual package changes. So, to bulk-fix everything at once, do something like this:

root? su - mini-buildd
mini-buildd? cd repositories/test/
mini-buildd? reprepro export

for all your repositories.
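To apply the gpg.conf change and the bulk re-export to every repository in one go, and then confirm which digest the re-signed InRelease files actually carry, here is an added helper script (not mini-buildd's or reprepro's own code). It assumes each repository lives in its own directory under ~mini-buildd/repositories with a reprepro conf/ subdirectory, that gpg is on the path, and it maps the "digest algo" ids printed by gpg --list-packets using the RFC 4880 hash algorithm numbers.

```shell
#!/bin/sh
# Hypothetical helper (not part of mini-buildd): make gnupg on wheezy sign with
# a SHA-2 digest, re-export every reprepro repository, and verify the result.
set -eu

# Idempotently add the preference line to the gpg.conf given as $1.
ensure_digest_prefs() {
    conf="$1"
    line='personal-digest-preferences SHA512 SHA384 SHA256 SHA224'
    touch "$conf"
    grep -qx "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Map an OpenPGP hash algorithm id (RFC 4880, section 9.4) to its name.
digest_name() {
    case "$1" in
        1) echo MD5 ;;    2) echo SHA1 ;;   8) echo SHA256 ;;
        9) echo SHA384 ;; 10) echo SHA512 ;; 11) echo SHA224 ;;
        *) echo "unknown($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin, print the digest name of every
# signature packet on one line, and return 1 if any of them is MD5 or SHA1.
weak_digests_in_packets() {
    status=0
    names=''
    for id in $(sed -n 's/.*digest algo \([0-9]*\).*/\1/p'); do
        name=$(digest_name "$id")
        names="$names $name"
        case "$name" in MD5|SHA1) status=1 ;; esac
    done
    echo "${names# }"
    return $status
}

# Re-export every repository under $1 (default: ~/repositories, i.e. the
# mini-buildd user's repositories) so reprepro re-signs the indices, then
# report the digest used by each InRelease signature.
reexport_all() {
    base="${1:-$HOME/repositories}"
    for repo in "$base"/*/; do
        [ -d "$repo/conf" ] || continue          # only reprepro repositories
        (cd "$repo" && reprepro export)
        for rel in "$repo"dists/*/InRelease; do
            [ -f "$rel" ] || continue
            printf '%s: ' "$rel"
            gpg --list-packets "$rel" 2>/dev/null | weak_digests_in_packets \
                || echo "  -> still signed with a weak digest"
        done
    done
}
```

Run it as the mini-buildd user after the gpg.conf change: `ensure_digest_prefs ~/.gnupg/gpg.conf && reexport_all`.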

Add a note to self to remove this again when you upgrade your system, so that the default values are used again...