Hi,
For a while now, any time I’ve updated apt on the machines (Ubuntu 16.04) that I support (for the company I’m at) the warning
> W: (url removed so that discourse doesn’t block this post for having more than two urls in it): Signature by key E35979B896E997256457C632F57D4F59BD3DF454 uses weak digest algorithm (SHA1)
has been shown by apt. We have just started testing Ubuntu 18.04 and are finding that setting up the apt repo results in
> W: GPG error: https://download.sublimetext.com apt/stable/ Release: The following signatures were invalid: E35979B896E997256457C632F57D4F59BD3DF454E: The repository 'https://download.sublimetext.com apt/stab
From what I’ve researched on the matter, the 18.04 issue is that apt 1.4beta1+ (https://salsa.debian.org/apt-team/apt/commit/33d7a8d672c8c720947e81158de4a5a07be05b72) disabled SHA1 support further, resulting in the repo SHA1 key moving from just being warned about to defaulting to be an error. While we can set up apt.conf to have SHA1 re-enabled (against the strong recommendation not to of the apt authors), we’d rather not have to make changes like that in order to use the sublime text repo.
Given that the continued use of a SHA1 hash on the apt repo is going to cause user problems or at least warnings on an ongoing basis, can we please get the hash updated to a more modern one that is supported by current apt versions? I don’t know the exact software you are using for your apt repo, but if it’s anything like the apt-mirror setup my company uses internally, changing off SHA1 should mainly be a matter of changing the gpg preference options for the account to prefer stronger key types.
Thanks