The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)
Reported by thiagocm...@gmail.com, Mar 18 2016

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1. Install Google Chrome on Xenial via Debian/Ubuntu package;
2. run "sudo apt update";
3. See the error:
W: gpgv:/var/lib/apt/lists/partial/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

What is the expected behavior?
Be able to upgrade Chrome via "apt update ; apt full-upgrade"

What went wrong?
Google key is obsolete!

Did this work before? N/A
Chrome version: 49.0.2623.87-1 Channel: stable
OS Version: Ubuntu Xenial
Flash Version:
Mar 21 2016
You will not be able to reproduce this with Ubuntu 14.04, since this check for weak signatures (DSA) is a new feature of apt-1.2.7, present in Debian Unstable or Ubuntu Xenial. See also https://tracker.debian.org/news/755358
Mar 24 2016
It seems that the problem will be fixed by the repository owner. For more information: https://wiki.debian.org/Teams/Apt/Sha1Removal
Mar 29 2016
This problem has to be fixed by Google/Chromium Team as it's their repository. It's getting annoying, so please fix. Thank you.
Mar 30 2016
Apr 14 2016
Apr 14 2016
Hey, while you're at it. Could you maybe make Google's Debian repositories more compliant with the standard repository layout? Trying to mirror Google's repositories with the usual tools is always complicated and it already starts with the fact that it's not possible to list the repositories in a regular browser which would allow to inspect them. They also lack separate repositories for Debian stable, testing and unstable. We're mirroring Google's repositories locally because Google Chrome is deployed onto over 200 Debian machines here and having them update through Google's regular repositories would slow the regular dist-upgrades a lot. Opera does a nice job with their repository [1] and it's rather easy to mirror it locally. Would be great if Google could improve their repositories in that regard. As for this particular bug: I would suggest raising the priority - if possible - since in some cases this issue prevents Google Chrome from being updated. Cheers, Adrian

[1] http://deb.opera.com/manual.html
Apr 14 2016
The original issue was fixed a while ago (by adding sha256 hashes to the repository metadata). Updating the keys used for signing is being handled internally, since they are Google-wide keys and are not controlled by the Chromium team. I believe new keys should roll out in a few days. As for #7, the repository layout is standard, and standard tools have no problems with it. Whether or not the server (which we also don't control) provides directory listings is a completely different issue, and shouldn't affect the ability to mirror the repos, which I know many people are doing successfully.
Apr 15 2016
Apr 24 2016
Dear all maintainers, could you please update the right key in order to get the latest google-chrome-stable package in Ubuntu 16.04? Many thanks, best regards
Apr 25 2016
please update for ubuntu 16.04 ;)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key xxxxxx uses weak digest algorithm (SHA1)
Apr 25 2016
Reported by thiagocm...@gmail.com, Mar 18, 2016. Today is April 25.
"dear all manteiners, could you please update the right key in order to get the latest google-chrome-stable package in ubuntu 16.04"....
please update for ubuntu 16.04 ;)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key xxxxxx uses weak digest algorithm (SHA1)
I can't do this, way beyond me, but can someone explain why this seems so hard to accomplish.
Apr 26 2016
Me too:
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
Apr 26 2016
Same here for a while:
`W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)`
Apr 26 2016
Same here on Ubuntu 16.04 and Google Chrome Stable:
$ cat /etc/apt/sources.list.d/google.list
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
$ sudo apt update
...
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
Apr 26 2016
Could someone at Chromium lock comments? @all: it's just a warning!
Apr 26 2016
> Could someone at Chromium lock comments?
If you are not the maintainer, unsubscribe. If you are, you can silence the comments by fixing the problem.
> @all: it's just a warning!
It's a security warning. Some people take security seriously.
Apr 26 2016
> It's a security warning. Some people take security seriously.
It's a change in behavior of APT, APT used to do just fine, and all people on older versions of Ubuntu still validate the SHA1 happily and silently, and all those users aren't aware of the "issue" and/or don't care. TL;DR: it works the same as before / with older APT versions, so it's not less secure, it just warns. So, yes, it needs to be fixed, but it's not more urgent now than it was one month ago.
wrt unsubscribing: I starred the issue because I want to signify I'm concerned about it and want it to be fixed; but comments that say nothing but "me too" are just noise; and AFAICT you can't disable notifications for a single issue (unless you "unstar" it). All we want is have news from Chromium's side; I don't think there's anymore to add from anyone else, so they should just lock comments.
Apr 26 2016
> It's a change in behavior of APT, APT used to do just fine, and all people
> on older versions of Ubuntu still validate the SHA1 happily and silently,
> and all those users aren't aware of the "issue" and/or don't care. TL;DR:
> it works the same as before / with older APT versions, so it's not less
> secure, it just warns. So, yes, it needs to be fixed, but it's not more
> urgent now than it was one month ago.
The important point is that package repos are insecure (according to Google themselves[1]). SHA1 deprecation was announced in 2011, so there was plenty of time to update. The difference is that people are now starting to notice the problem. If the warning appeared earlier, the problem would have likely been fixed earlier as well.

[1] https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
Apr 28 2016
Hi maintainers, I see it is already signed by a new key which is 4096 bits. And there is a sha256 checksum inside the Release file. However the hash for the Release file itself is still using SHA1. So the warning still exists.
Apr 28 2016
felansu@felansu-ware:~$ sudo apt-get update
Hit:1 http://br.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://br.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://br.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign:4 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:5 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable Release
Hit:7 http://archive.canonical.com xenial InRelease
Hit:9 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
Hit:10 http://repository.spotify.com stable InRelease
Hit:11 http://ppa.launchpad.net/webupd8team/java/ubuntu xenial InRelease
Hit:12 https://packagecloud.io/slacktechnologies/slack/debian jessie InRelease
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: There is no public key available for the following key IDs: 1397BC53640DB551
W: https://packagecloud.io/slacktechnologies/slack/debian/dists/jessie/InRelease: Signature by key F86AA916A2195E121AEDB11437BBEE3F7AD95B3F uses weak digest algorithm (SHA1)
Apr 28 2016
$ gpg --recv-keys 1397BC53640DB551
$ gpg --export 1397BC53640DB551 | sudo apt-key add -
But that doesn't really solve the issue:
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
Apr 28 2016
We're aware the changes are not complete yet, which is why the bug hasn't been closed yet.
Apr 30 2016
Two different workarounds have been posted here: https://www.reddit.com/r/linux4noobs/comments/4grdo7/an_error_occurred_w_there_is_no_public_key/:
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
Or:
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1397BC53640DB551
Apr 30 2016
It doesn't work, at least for my 64bit Xenial installation.
Apr 30 2016
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
N: Los datos de un repositorio como este no se pueden autenticar y por tanto su uso es potencialmente peligroso.
N: Vea la página de manual apt-secure(8) para los detalles sobre la creación de repositorios y la configuración de usuarios.
W: http://dl.google.com/linux/mod-pagespeed/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/talkplugin/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/webdesigner/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/earth/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/musicmanager/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
E: Fallo al obtener http://dl.google.com/linux/talkplugin/deb/dists/stable/Release No existe una entrada «Hash» en el archivo «Release» /var/lib/apt/lists/partial/dl.google.com_linux_talkplugin_deb_dists_stable_Release, lo cual se considera suficientemente robusto para propósitos de seguridad
E: Fallo al obtener http://dl.google.com/linux/webdesigner/deb/dists/stable/Release No existe una entrada «Hash» en el archivo «Release» /var/lib/apt/lists/partial/dl.google.com_linux_webdesigner_deb_dists_stable_Release, lo cual se considera suficientemente robusto para propósitos de seguridad
E: Fallo al obtener http://dl.google.com/linux/earth/deb/dists/stable/Release No existe una entrada «Hash» en el archivo «Release» /var/lib/apt/lists/partial/dl.google.com_linux_earth_deb_dists_stable_Release, lo cual se considera suficientemente robusto para propósitos de seguridad
E: Fallo al obtener http://dl.google.com/linux/musicmanager/deb/dists/stable/Release No existe una entrada «Hash» en el archivo «Release» /var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release, lo cual se considera suficientemente robusto para propósitos de seguridad
E: No se han podido descargar algunos archivos de índice, se han omitido, o se han utilizado unos antiguos en su lugar.
Solve it please, it's very annoying
May 1 2016
Beside Debian and Ubuntu, this issue is now also popping up on OpenSuse. (See https://productforums.google.com/forum/#!topic/chrome/p0cmATifsFk and https://forums.opensuse.org/showthread.php/517447-Problems-with-Getting-Google-Chrome-to-update)
May 2 2016
Using 64 bit Ubuntu Gnome edition for the desktop
brian$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
brian$ sudo apt-get update
[sudo] password for paul:
Hit:1 http .....
...
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: There is no public key available for the following key IDs: 1397BC53640DB551
May 3 2016
Me too, Ubuntu 16.04 and Ubuntu Mate 16.04. Not only for Chrome, also for Google Music Manager. Would be nice if you could fix it in both repos. Thank you very much!
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/musicmanager/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
E: Fallo al obtener http://dl.google.com/linux/musicmanager/deb/dists/stable/Release No existe una entrada «Hash» en el archivo «Release» /var/lib/apt/lists/partial/dl.google.com_linux_musicmanager_deb_dists_stable_Release, lo cual se considera suficientemente robusto para propósitos de seguridad
E: No se han podido descargar algunos archivos de índice, se han omitido, o se han utilizado unos antiguos en su lugar.
May 7 2016
I have the same issue, it's really annoying:
$ sudo apt-get update
Hit:1 http://gb.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://gb.archive.ubuntu.com/ubuntu xenial-updates InRelease
Ign:4 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:5 http://gb.archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:6 http://dl.google.com/linux/chrome/deb stable Release
Hit:7 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:8 http://repository.spotify.com testing InRelease
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
May 7 2016
It's not a real issue (yet). It's a warning, so everything is working.
May 10 2016
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: There is no public key available for the following key IDs: 1397BC53640DB551
May 10 2016
@24: Please do not work around missing public key warnings. That severely weakens your security. (also @32:) That APT shows "There is no public key available for the following key IDs:" will be fixed in the next APT release (1.2.12), and should just be ignored.
May 15 2016
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/talkplugin/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
E: Failed to fetch http://dl.google.com/linux/talkplugin/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_talkplugin_deb_dists_stable_Release which is considered strong enough for security purposes
E: Some index files failed to download. They have been ignored, or old ones used instead.
May 16 2016
Yes, please fix! "Annoying it is yes. Fix you must! Hmmmm!" -- Yoda
May 17 2016
@33 I just did apt upgrade on debian testing which installed apt 1.2.12. Still another apt update shows that this is not fixed.
May 25 2016
@mmoss / @thestig - what's left on this? it looks like bug 603808 is closed, so at least some keys rolled out. Is there another set also needed?
May 25 2016
[Debian/Ubuntu APT perspective] It looks like the key is migrated (4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 is shipped in the -stable deb and installed by the cron script). What's still missing for APT to shut up is fixing whatever generates the repository: While that signs with both keys now, the RSA signature still uses SHA1. That's basically nothing more than passing an option to GPG (e.g., --digest-algo SHA256). Once that's fixed, APT should produce no warnings anymore. The old key can then be dropped later on from the package, but with the server changes, at least the warning will be gone.
May 31 2016
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
Jun 6 2016
I hope that the Google Talk plugin repository is considered as part of this issue as well (http://dl.google.com/linux/talkplugin/deb/)
Jun 7 2016
+1 for google talk plugin. If not, can we get an assist on where to go to follow that issue?
Jun 9 2016
Sorry for the delay. I'll try to get this wrapped up shortly, and will push updated repository signatures for other products as well (e.g. remote-desktop, talkplugin, etc.).
Jun 9 2016
Sounds awesome! :-D
Jun 11 2016
Will the Google Earth repo be fixed as well?
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 3B068FB4789ABE4AEFA3BB491397BC53640DB551 uses weak digest algorithm (SHA1)
W: http://dl.google.com/linux/earth/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
E: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/Release No Hash entry in Release file /var/lib/apt/lists/partial/dl.google.com_linux_earth_deb_dists_stable_Release which is considered strong enough for security purposes
Jun 15 2016
Everything except Earth should now be fixed. Earth is being handled separately, and will hopefully be refreshed soon.
Jun 16 2016
It's fixed for me, finally!! Thank you very much!! :D
Jun 16 2016
Now, I see the following "Hash Sum mismatch":
The following packages will be upgraded:
  google-talkplugin
1 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
Need to get 7 800 kB of archives.
After this operation, 12,3 kB disk space will be freed.
Get:1 http://dl.google.com/linux/talkplugin/deb stable/main amd64 google-talkplugin amd64 5.41.3.0-1 [7 800 kB]
Err:1 http://dl.google.com/linux/talkplugin/deb stable/main amd64 google-talkplugin amd64 5.41.3.0-1
  Hash Sum mismatch
Fetched 7 800 kB in 3s (2 114 kB/s)
E: Failed to fetch http://dl.google.com/linux/talkplugin/deb/pool/main/g/google-talkplugin/google-talkplugin_5.41.3.0-1_amd64.deb  Hash Sum mismatch
Jun 16 2016
Me too:
Hash Sum mismatch
Hashes of expected file:
 - SHA1:0bbc3d6997ba22ce712d93e5bc336c894b54fc81
 - MD5Sum:03ea81590baa680d286d28533c4d40e1
Hashes of received file:
 - SHA512:8802c1726c9b362db5302a8b2243c8d84c2b35b9ab55adacc08ed05a5fb98d2778c2ff516a5df13bcaa499ab9d902481957b119624467be69a2833e0b76ba218
 - SHA256:af7e23d2b6215afc547f96615b99f04e0561557cc58c0c9302364b5a3840d97d
 - SHA1:0bbc3d6997ba22ce712d93e5bc336c894b54fc81
 - MD5Sum:03ea81590baa680d286d28533c4d40e1
 - Checksum-FileSize:7800474
Last modification reported: Wed, 15 Jun 2016 20:30:45 GMT
Fetched 79.5 MB in 23s (3,355 kB/s)
E: Failed to fetch http://dl.google.com/linux/talkplugin/deb/pool/main/g/google-talkplugin/google-talkplugin_5.41.3.0-1_amd64.deb  Hash Sum mismatch
Hashes of expected file:
 - SHA1:0bbc3d6997ba22ce712d93e5bc336c894b54fc81
 - MD5Sum:03ea81590baa680d286d28533c4d40e1
Hashes of received file:
 - SHA512:8802c1726c9b362db5302a8b2243c8d84c2b35b9ab55adacc08ed05a5fb98d2778c2ff516a5df13bcaa499ab9d902481957b119624467be69a2833e0b76ba218
 - SHA256:af7e23d2b6215afc547f96615b99f04e0561557cc58c0c9302364b5a3840d97d
 - SHA1:0bbc3d6997ba22ce712d93e5bc336c894b54fc81
 - MD5Sum:03ea81590baa680d286d28533c4d40e1
 - Checksum-FileSize:7800474
Last modification reported: Wed, 15 Jun 2016 20:30:45 GMT
Jun 16 2016
As you can see from the output in #49 the Packages file is missing a SHA256 or SHA512 field itself as well. I'm surprised anyone is still installing talkplugin these days, though.
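An added example (my own code, not from the thread or from Google's repository tooling) that applies the strong-hash rule apt 1.2+ enforces to the checksum sections of a Release file: it parses a constructed Release, refuses an index for which only MD5Sum/SHA1 entries exist (the "No Hash entry in Release file ... considered strong enough for security purposes" failure quoted earlier in the thread), and verifies the index once SHA256 entries are present. The index path, index contents and resulting hash values are all constructed.

```python
"""Apply apt's 'strong hash' rule to the checksum sections of a Release file."""
import hashlib

# Digest names exactly as they head the checksum sections of a Release file.
# apt >= 1.2 treats only SHA256/SHA512 as strong enough; MD5Sum and SHA1 are
# still verified when present but no longer suffice on their own.
STRONG = ("SHA512", "SHA256")
WEAK = ("SHA1", "MD5Sum")
ALGO = {"SHA512": "sha512", "SHA256": "sha256", "SHA1": "sha1", "MD5Sum": "md5"}


def parse_release(text):
    """Return {digest_name: {path: (hexdigest, size)}} for a Release file."""
    sections, current = {}, None
    for line in text.splitlines():
        head = line.rstrip()
        if not line.startswith(" ") and head.endswith(":") and head[:-1] in ALGO:
            current = head[:-1]          # start of a checksum section
            sections[current] = {}
        elif line.startswith(" ") and current is not None:
            parts = line.split()         # "<hex> <size> <path>"
            if len(parts) == 3:
                sections[current][parts[2]] = (parts[0].lower(), int(parts[1]))
        else:
            current = None               # any other header ends the section
    return sections


def check_index(release, path, data):
    """Decide for one index the way apt does: 'no-strong-hash', 'mismatch' or 'ok'."""
    offered = [d for d in STRONG + WEAK if path in release.get(d, {})]
    if not any(d in STRONG for d in offered):
        # This is the "No Hash entry in Release file ... considered strong
        # enough for security purposes" failure seen in the thread.
        return "no-strong-hash"
    for digest in offered:               # every listed hash must match
        expected, size = release[digest][path]
        actual = hashlib.new(ALGO[digest], data).hexdigest()
        if len(data) != size or actual != expected:
            return "mismatch"
    return "ok"


# Constructed sample index content standing in for main/binary-amd64/Packages.
PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
PATH = "main/binary-amd64/Packages"


def release_text(digests):
    """Build a constructed Release file listing PACKAGES under the given digests."""
    lines = ["Suite: stable", "Architectures: amd64"]
    for d in digests:
        lines.append(f"{d}:")
        lines.append(f" {hashlib.new(ALGO[d], PACKAGES).hexdigest()} {len(PACKAGES)} {PATH}")
    return "\n".join(lines) + "\n"


WEAK_RELEASE = release_text(["MD5Sum", "SHA1"])            # what apt complained about
FIXED_RELEASE = release_text(["MD5Sum", "SHA1", "SHA256"])  # after SHA256 was added


def demo():
    fixed = parse_release(FIXED_RELEASE)
    return (check_index(parse_release(WEAK_RELEASE), PATH, PACKAGES),
            check_index(fixed, PATH, PACKAGES),
            check_index(fixed, PATH, PACKAGES + b"tampered"))


if __name__ == "__main__":
    print(demo())  # ('no-strong-hash', 'ok', 'mismatch')
```

The same rule applies to the per-package stanza in a Packages file: a .deb listed with only SHA1 and MD5Sum, as in the talkplugin output above, has no hash apt is willing to trust.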
Jun 17 2016
It is needed to use Hangouts on Firefox unfortunately.
Jun 17 2016
Can confirm on Ubuntu 16.04, the package itself is now broken, the reasons have been stated above.
Jun 17 2016
N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://dl.google.com/linux/chrome-remote-desktop/deb stable InRelease' doesn't support architecture 'i386'
No problems with keys here (except for talk-plugin) but chrome-remote-desktop has no version for 32bit anymore, so it should not look for a repo on a 64bit system.
Jun 21 2016
Repository checksum and signing issues should be fixed for all products now, though there may still be other issues (like Earth requiring lsb-core and ia32-libs, which is not available by default on xenial). Those other issues will have to be fixed by the respective products.
Jun 21 2016
Issue 607408 has been merged into this issue.
Jun 21 2016
mmoss: The issue with Earth is rather that the repo still ships 6.something whereas the current 7.something has proper 64-bit versions - It would be great if the Earth people would ship up-to-date repositories, instead of new .deb files that install repos that only contain old earth versions (can you forward this?).
Jun 21 2016
Yeah, they're aware the packages are quite out-of-date, and I think are already working on a new build, but no ETA yet. I'll pass it on.
Jul 24 2016
I am having problems that seem to be in line with this issue, but mine are on a new install of linuxmint mate 17.1-64bit. I don't know how to post here so hope this is ok.

Labels: Needs-Feedback