I publish a Debian repository. It was signed with a 4096-bit GPG key, and has been merrily in use from Debian 7 and Debian 8 systems for some time. Recently, one of my users reported that Debian 9 was having problems with it. Specifically, apt-get update was yielding:

Reading package lists... Done
 W: GPG error: http://Debian-repository.JdeBP.info. stable InRelease: The following signatures were invalid: A71733F3CEBD655CB25A0DDCE1E3A497555CE68F
 W: The repository 'http://Debian-repository.JdeBP.info. stable InRelease' is not signed.

Note that unlike the people at "Repo APT secure - apt-get update GPG signature were invalid" and "Frustrated with aptly and GPG signing" I am not using aptly. So clearly I am not suffering from an aptly bug of any kind. (-:

So what is the problem?

The cause of the problem is that with no update to the Debian wiki or other similar doco, and pretty much only a couple of largely Ubuntu-related announcements on a non-Debian personal WWW site, support for keys that state a preference for SHA-1 encryption has been turned off in APT as of Debian 9. (Specifically, it was turned off in APT version 1.4~beta1, and Debian 9 has version 1.4.7.)

So a repository publisher needs to do two things:

• Adjust the personal-digest-preferences and personal-cipher-preferences in $HOME/.gnupg/gpg.conf to eliminate SHA-1 from one's GPG preferences. This prevents the problem coming back with new keys.


• Adjust the preferences that are contained in the current repository signing key to eliminate SHA-1 from there too. For that one needs to:
  
  
  • Run

    gpg --edit-key "$key_fingerprint"

    substituting the appropriate key fingerprint, then edit the key preferences with the pref and setpref commands, then save the key to the keyring.
  
  
  • Export the public key of the updated key from the keyring to a file.
  
  
  • Re-sign the repository with the modified signing key.
  
  
  • Publish the updated signing key's public key file.
  
  

Note that it is not necessary to generate a new signing key, and that the updated key with SHA-1 removed will continue to interoperate with the older Debian 8 APT.

Further reading

• Julian Andres Klode (2016-03-14). Dropping SHA-1 support in APT. juliank.wordpress.com.


• Julian Andres Klode (2016-03-15). Clarifications and updates on APT + SHA1. juliank.wordpress.com.

As JdeBP already pointed out, as of Debian 9 apt no longer supports SHA-1, meaning the InRelease file needs to be created with SHA-256 instead (the same goes for Release.pg).

What fixed it for me was specifying -digest-algo SHA256 as a parameter to gpg, so the complete sequence would be:

1. 
   

   Create the package:

   
   
   

   dpkg-deb --build $PACKAGE_NAME-1.0/
   sudo rm $SOME_TEMP_PATH/*
   mv $PACKAGE_NAME_name-1.0.deb $SOME_TEMP_PATH/
   dpkg-scanpackages $SOME_TEMP_PATH /dev/null | gzip -9c > $SOME_TEMP_PATH/Packages.gz
   sudo rm $PATH_TO_REPO_IN_WWW_SERVER/*
   sudo cp $SOME_TEMP_PATH/* $PATH_TO_REPO_IN_WWW_SERVER
   cd $PATH_TO_REPO_IN_WWW_SERVER
   

   
   


2. 
   

   Sign it:

   
   
   

   apt-ftparchive --md5 --sha256 release . > Release 
   gpg --digest-algo SHA256 --armor --output Release.gpg --detach-sign Release
   gpg --digest-algo SHA256 --clearsign --output InRelease Release
   

   
   

Signing could also be done from the temp folder and then copying to the web server folder the complete thing, or you might want to play around with paths, namely the "." used when calling apt-ftparchive, if you want to store your .debs in a separate tree.