Ubuntu – How to fix apt: Signature by key uses weak digest algorithm (SHA1)


I started setting up by adding repositories and then went to run a sudo apt-get update again before I started installing other software, and I get the Signature key lines and it stops. So it essentially won't let me update any packages now.

d@EliteBook:~/Downloads$ sudo apt-get update
Ign:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://dl.google.com/linux/chrome/deb stable Release                     
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease              
Get:5 http://ca.archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Hit:6 http://ca.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://ca.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 247 kB in 0s (256 kB/s)                   
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by 
key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)

I've never seen this before whenever I set up and start installing things in Ubuntu. Is there something else I can do?

Best Answer

  • The problem with the Google source is on Google's end, but apt-get is just reporting the issue as a warning. This issue does not stop you from upgrading packages.

    You are using apt-get and what you are seeing is the normal behavior after running update: it performs the update but does not provide additional information.

    You need to follow sudo apt-get update with sudo apt-get upgrade to see if any package upgrades are available.

    The newer sudo apt update (notice it's just apt) does provide feedback about the results.

    By using apt, you will either see a message that

    All packages are up to date

    or

    The following packages will be upgraded:

    Also see apt list --upgradeable.
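
As an added example (not part of the original question or answer), these shell functions triage an `apt-get update` transcript: they list each signing key flagged for a weak digest and check whether any `E:` error line is present, which is the difference between the warning shown above and a failed update. The function names are this example's own, and the pattern matches only the warning wording seen in the transcript above.

```shell
#!/bin/sh
# Added example: triage an `apt-get update` transcript read from stdin.
# Function names are this example's own; they are not apt commands.

# Rejoin terminal-wrapped lines so each apt message is one record.
apt_records() {
    awk '
        function emit() { sub(/[ \t]+$/, "", rec); if (rec != "") print rec }
        /^[ \t]*$/ { next }
        /^(W|E|N): / || /^(Hit|Get|Ign|Err):[0-9]+ / || /^(Fetched|Reading) / {
            emit(); rec = $0; next
        }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "", rec); rec = rec " " $0 }
        END { emit() }
    '
}

# Print "FINGERPRINT DIGEST URL" for every weak-digest warning.
weak_digest_keys() {
    apt_records | sed -n -E \
        's/^W: ([^ ]+): Signature by key ([0-9A-F]{40}) uses weak digest algorithm \(([^)]+)\)$/\2 \3 \1/p'
}

# Succeed (exit 0) when the transcript has no "E:" record: warnings only.
update_succeeded() {
    ! apt_records | grep -q '^E: '
}

# Sample input: lines taken from the transcript in the question above,
# including the warning as it was wrapped by the terminal.
sample_transcript() {
    cat <<'EOF'
Hit:4 http://security.ubuntu.com/ubuntu xenial-security InRelease
Get:5 http://ca.archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Reading package lists... Done
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by
key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)
EOF
}

# Live use: sudo apt-get update 2>&1 | weak_digest_keys
sample_transcript | weak_digest_keys
if sample_transcript | update_succeeded; then
    echo "no E: lines: the warning did not stop the update"
fi
```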