{"id":46181,"date":"2024-04-15T07:04:00","date_gmt":"2024-04-15T07:04:00","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=46181"},"modified":"2025-04-16T01:37:31","modified_gmt":"2025-04-16T01:37:31","slug":"workaround-apt-warning-signature-key-uses-weak-algorithm","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2024\/04\/workaround-apt-warning-signature-key-uses-weak-algorithm\/","title":{"rendered":"[Workaround] Apt Warning: Signature Key Uses Weak Algorithm"},"content":{"rendered":"<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-37909\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo-250x250.webp\" alt=\"\" width=\"250\" height=\"250\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo-250x250.webp 250w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo-300x300.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo-600x600.webp 600w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo-768x768.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/03\/terminal-logo.webp 1200w\" sizes=\"auto, (max-width: 250px) 100vw, 250px\" \/><\/a><\/p>\n<p><b>Got weak signature key warning in apt command output? 
Here&#8217;s why, and how to get rid of it in Ubuntu 24.04.<\/b><\/p>\n<p>After adding PPAs or third-party repositories in Ubuntu 24.04, you may see a warning like the following in apt command output (usually from <code>apt update<\/code>):<\/p>\n<blockquote><p><em>W: https:\/\/ppa.launchpadcontent.net\/mozillateam\/ppa\/ubuntu\/dists\/noble\/InRelease: Signature by key 0AB215679C571D1C8325275B9BDB3D89CE49EC21 uses weak algorithm (rsa1024)<\/em><\/p><\/blockquote>\n<p>The warning can also appear in Debian and Debian-based systems with apt package manager 2.7.13 or higher.<\/p>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weak-key-warning.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-46182\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weak-key-warning-700x415.webp\" alt=\"\" width=\"610\" height=\"362\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weak-key-warning-700x415.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weak-key-warning-300x178.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weak-key-warning-768x455.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weak-key-warning.webp 822w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>Due to a crypto policy update, apt now (since v2.7.13, see the <a href=\"https:\/\/salsa.debian.org\/apt-team\/apt\/-\/commit\/50e3fee26ae843a812b1c9ec8531946931773fd3\" target=\"_blank\" rel=\"noopener\">commit<\/a>) requires repositories to be signed using one of the following public key algorithms:<\/p>\n<ul>\n<li><b>RSA with at least 2048-bit keys<\/b><\/li>\n<li><b>Ed25519<\/b><\/li>\n<li><b>Ed448<\/b><\/li>\n<\/ul>\n<p>The 1024-bit RSA keys that Launchpad PPAs use at the time of writing, as well as DSA keys (no longer possible to use) and ECC keys (NIST 
P-{256,384,521}, Brainpool P-{256,384,512}, secp256k1) are widely considered UNSAFE.<\/p>\n<p>Ubuntu 24.04 includes apt 2.7.14 with the policy update (see the <a href=\"https:\/\/discourse.ubuntu.com\/t\/new-requirements-for-apt-repository-signing-in-24-04\/42854\" target=\"_blank\" rel=\"noopener\">discourse page<\/a>). The UNSAFE keys still work for now, but you&#8217;ll see the warning mentioned above.<\/p>\n<p><b>For Ubuntu PPAs (hosted on launchpad.net), no action is needed!<\/b> The Ubuntu team will upgrade the keys to 4096-bit RSA.<\/p>\n<blockquote><p><i>PPAs are currently in the process of being upgraded to a 4096-bit RSA key and we expect that upgrade to be complete by release time. No action is needed (or possible) from PPA owners.<\/i><\/p>\n<p>If you are currently using 24.04 before it is released, you will need to refresh the PPA signing keys when the warning becomes an error. We plan to provide easy functionality in add-apt-repository to do so, such that you do not need to remove and re-add the PPAs.<\/p><\/blockquote>\n<h3>How to Override the Policy Change<\/h3>\n<p>If you can&#8217;t wait for maintainers to upgrade their keys, or you simply trust the current keys, you can add a rule to get rid of the warning.<\/p>\n<p><b>1.<\/b> First, press <code>Ctrl+Alt+T<\/code> to open a terminal window. When it opens, run this command to create a config file for apt:<\/p>\n<pre>sudo nano \/etc\/apt\/apt.conf.d\/99weakkey-warning<\/pre>\n<p>Here I use the <code>nano<\/code> command-line text editor, which works in most desktops. You can replace it with <code>gnome-text-editor<\/code> for 24.04 with the default GNOME, or with another editor depending on your desktop environment. 
You may also change the file name <code>99weakkey-warning<\/code> to whatever you want.<\/p>\n<p><b>2.<\/b> When the file opens, add the line below and <u>change (or add to) the value according to your needs<\/u>:<\/p>\n<pre>APT::Key::Assert-Pubkey-Algo \"&gt;=rsa1024,ed25519,ed448\";<\/pre>\n<p>The default key algorithms are <code>&gt;=rsa2048,ed25519,ed448<\/code>. In my case (see the screenshot above), the key in the warning uses <code>rsa1024<\/code>, so I replaced the value <code>&gt;=rsa2048<\/code> with <code>&gt;=rsa1024<\/code>.<\/p>\n<p>For example, if you want to allow <code>secp256k1<\/code> (run <code>sudo apt update<\/code> to see the key algorithm named in the warning), then replace that line with:<\/p>\n<pre>APT::Key::Assert-Pubkey-Algo \"&gt;=rsa2048,ed25519,ed448,secp256k1\";<\/pre>\n<p>Or leave the value empty, so that every key algorithm trusted by GnuPG is allowed:<\/p>\n<pre>APT::Key::Assert-Pubkey-Algo \"\";<\/pre>\n<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weakkey.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-48684\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weakkey-700x528.webp\" alt=\"\" width=\"610\" height=\"460\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weakkey-700x528.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weakkey-300x226.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/apt-weakkey.webp 706w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p>After editing, press Ctrl+S to save the file and Ctrl+X to exit. 
Then run <code>sudo apt update<\/code> to verify the change.<\/p>\n<h3>How to Restore<\/h3>\n<p>To restore the default policy, simply delete the config file that you created by running this command in a terminal (Ctrl+Alt+T):<\/p>\n<pre>sudo rm \/etc\/apt\/apt.conf.d\/99weakkey-warning<\/pre>\n<p>Finally, run <code>sudo apt update<\/code> to refresh the system package cache.<\/p>","protected":false},"excerpt":{"rendered":"<p>Got weak signature key warning in apt command output? Here&#8217;s why, and how to get rid of it in Ubuntu 24.04. After adding PPAs or third-party source repositories in Ubuntu 24.04, you may get following similar warning in apt command (usually apt update) output: W: https:\/\/ppa.launchpadcontent.net\/mozillateam\/ppa\/ubuntu\/dists\/noble\/InRelease: Signature by key 0AB215679C571D1C8325275B9BDB3D89CE49EC21 uses weak algorithm (rsa1024) The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":37909,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[2022],"class_list":["post-46181","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-apt"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/46181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/comments?post=46181"}],"version-history":[{"count":0,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/46181\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/
wp-json\/wp\/v2\/media\/37909"}],"wp:attachment":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media?parent=46181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/categories?post=46181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/tags?post=46181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}