That thing you saw when you upgraded apt and SHA1 hashes stopped working


When you upgrade to apt 1.4, you see a message about certain hashes being disabled now. Remember what it was? If not, here it is:

apt (1.4~beta1) unstable; urgency=medium

  Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
  algorithms has been disabled. Repositories using Release files
  signed in such a way will stop working. This change has been made
  due to security considerations, especially with regards to possible
  further breakthroughs in SHA1 breaking during the lifetime
  of this APT release series.

  It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
  behaviour by setting the options
    APT::Hashes::SHA1::Weak "yes";
    APT::Hashes::RIPE-MD/160::Weak "yes";
  Note that setting these options only affects the verification of the overall
  repository signature.

 -- Julian Andres Klode <>  Fri, 25 Nov 2016 13:19:32 +0100

That’s how you get your darn repos signed with SHA1 to work again. For future reference, this was in /usr/share/doc/apt/NEWS.Debian.gz. Now all I have to do is go back in time and publish this so that past me wouldn’t have spent all day trying to remember what that workaround was.
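Before flipping those options, it is worth knowing which repositories are actually affected. The following is an added example (not code from apt or from this post) that parses the output of `gpg --list-packets` run on a repository's InRelease or Release.gpg file and reports every signature whose digest is one apt 1.4 rejects; the packet dump embedded below, including the key ID and dates, is constructed for illustration.

```python
"""Flag repository signatures that apt 1.4 stops accepting (SHA1, RIPE-MD/160).

Usage: gpg --list-packets /var/lib/apt/lists/<repo>_InRelease | python3 weakrepo.py
"""
import re
import sys

# Hash algorithm ids as printed by gpg ("digest algo N"), per RFC 4880 section 9.4.
DIGEST_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                9: "SHA384", 10: "SHA512", 11: "SHA224"}
# The two algorithms the apt 1.4 NEWS entry says are disabled for Release signatures.
WEAK_DIGESTS = {"SHA1", "RIPEMD160"}

SIG_RE = re.compile(r":signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"digest algo (\d+)")

def weak_signatures(packets_output):
    """Return [(keyid, digest_name)] for each signature packet using a weak digest."""
    findings = []
    keyid = None
    for line in packets_output.splitlines():
        m = SIG_RE.search(line)
        if m:                      # start of a new signature packet
            keyid = m.group(2)
            continue
        m = DIGEST_RE.search(line)
        if m and keyid is not None:  # the digest line belonging to that packet
            name = DIGEST_ALGOS.get(int(m.group(1)), "unknown(%s)" % m.group(1))
            if name in WEAK_DIGESTS:
                findings.append((keyid, name))
            keyid = None

    return findings

# Constructed sample: a Release.gpg carrying two signatures from the same key,
# one made with SHA1 (digest algo 2) and one with SHA256 (digest algo 8).
SAMPLE_PACKETS = """\
# off=0 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 1122334455667788
    version 4, created 1479000000, md5len 0, sigclass 0x00
    digest algo 2, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2016-11-13)
    data: [2047 bits]
# off=290 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 1122334455667788
    version 4, created 1479000000, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 12 34
    data: [2047 bits]
"""

if __name__ == "__main__":
    for keyid, digest in weak_signatures(sys.stdin.read()):
        print("weak signature: key %s uses %s" % (keyid, digest))
```

A repository whose only signature shows up here will stop working after the upgrade; one that also carries a SHA256 signature from a trusted key should keep verifying without the Weak options.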
