SHA-1 deprecation deadline is set for January 1, 2017

Nov 24, 2016 04:57 GMT

Today, November 24, 2016, Debian developer and Ubuntu member Julian Andres Klode announced that he plans on turning off SHA1 support for APT repositories starting January 1, 2017.

As you may know, the long-awaited deprecation of the SHA-1 (Secure Hash Algorithm 1) hash function, which is used to verify digital content, CRLs (certificate revocation lists), and digital certificates, is set for the first day of January 2017 worldwide, which might affect your Internet browser.

But SHA-1 is also used in the signatures of APT (Advanced Package Tool) repositories for Debian-based operating systems, including the popular Ubuntu and Linux Mint, and it looks like these SHA-1-signed repos will be automatically rejected by APT in Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 16.10 (Yakkety Yak).

"We already turned this off for fields inside the (meta) index files, this step now involves rejecting SHA1-based GPG signatures as well," explains Julian Andres Klode in the mailing list announcement. "Now, we need to do this a bit earlier in our development releases."
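Repository operators can check which digest their signatures use by reading the hash algorithm ID from the OpenPGP signature packet in `Release.gpg` or `InRelease`. The sketch below is an added example, not code from APT or from the announcement; the function names are illustrative and the sample signatures are constructed with dummy signature data.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}

def dearmor(text):
    """Decode the first ASCII-armored PGP SIGNATURE block found in text."""
    lines = [l.strip() for l in text.splitlines()]
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                 lines.index("-----END PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]            # skip armor headers
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def signature_hashes(data):
    """Return the digest algorithm name of every signature packet (tag 2)."""
    found, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                          # new-format packet header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not expected here")
        else:                                   # old-format packet header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body, i = data[i:i + length], i + length
        if tag == 2:  # v3 keeps the hash ID at offset 16, v4 and later at 3
            algo = body[16] if body[0] == 3 else body[3]
            found.append(HASHES.get(algo, f"unknown({algo})"))
    return found

def sample_armor(hash_id):
    """Constructed sample: a v4 signature packet with dummy signature data."""
    body = bytes([4, 0x00, 1, hash_id]) + bytes(4) + b"\xab\xcd" + b"\x00\x08\xff"
    packet = bytes([0x88, len(body)]) + body    # old format, tag 2, 1-byte length
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for algo in (2, 8):                         # SHA1, then SHA256
        print(signature_hashes(dearmor(sample_armor(algo))))
```

Passing the contents of a real `Release.gpg` or `InRelease` file to `dearmor` gives the same report; any `SHA1` entry marks a signature of the kind the announcement says APT will reject.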

APT 1.4 Beta 1 to land for Ubuntu 17.04 (Zesty Zapus) in the coming days

Before any of that gets started, though, there's a lot of work to be done, and the Ubuntu developers will start by landing the first Beta development release of the upcoming APT 1.4 milestone in the Ubuntu 17.04 (Zesty Zapus) repositories, rejecting SHA-1-signed repos by default or at least implementing some sort of a warning.

Once that works as expected in Ubuntu 17.04 unstable, the same thing will be implemented for APT 1.2 and APT 1.3 in Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 16.10 (Yakkety Yak), respectively. Work on this will start in the next few days, but there's a chance that the Ubuntu 16.04 LTS implementation will be slightly delayed. The same thing is expected to happen in Debian as well.