Debian Package Management Cheat Sheet

  • List version of an installed package: dpkg -s docker-ce | grep Version
  • Show all available versions of a package: apt-cache madison <package>

Packages being held back because of phasing

Run the following command replacing the package in question

apt-get --with-new-pkgs upgrade <package-name>

The following packages have been kept back

Try the following, in order. Each is less risky than the next. Stop as soon as you have fixed the problem.

Solution 1

apt-get --with-new-pkgs upgrade <list of packages kept back>

Solution 2

apt-get install <list of packages kept back>

Failed to fetch . . . Hash Sum mismatch

If you see an error similar to the following

Reading package lists... Done
E: Failed to fetch https://packages.cloud.google.com/apt/dists/cloud-sdk/main/binary-all/Packages  Hash Sum mismatch
   Hashes of expected file:
    - Filesize:1677314 [weak]
    - SHA256:09c3377dd2740e63c831dea4a86ccb1253ab6a41ec71eaa1cd4c7e52ee8c9255
    - MD5Sum:16ab83da58155f40c9a5a18a2a8c6587 [weak]
   Hashes of received file:
    - SHA256:ee6eabdfda398ab36e6fa8cd777d5d02b45dbac892dacdf6f1be1ca5ad0cbb65
    - MD5Sum:6dd0c5ac95bc55b7864e66986b71b8fa [weak]
    - Filesize:1677314 [weak]
   Last modification reported: Fri, 04 Apr 2025 01:54:07 +0000
   Release file created at: Tue, 01 Apr 2025 12:57:58 +0000
E: Failed to fetch https://packages.cloud.google.com/apt/dists/cloud-sdk/main/binary-amd64/Packages
E: Some index files failed to download. They have been ignored, or old ones used instead.

Try removing all of the apt list data

rm -rf /var/lib/apt/lists/* && apt-get update

[SOLVED] debsig-verify for Failed verification error, “signatures using the SHA1 algorithm are rejected” and “Can’t check signature: Invalid digest algorithm”

If you are using debsig-verify for the verification of a downloaded .deb file and are unable to verify it, run it with the -d option to get more information. If you see the following two lines

gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm

It is likely that the PGP signature used to sign the package uses the SHA1 algorithm which has been deprecated in most of the recent Linux distros. If you can generate another PGP key with a different algorithm. If you are a consumer of this deb package and cannot get the maintainer to update their public key you can add a gpg configuration that will enable gpg to use the PGP signature

echo "allow-weak-digest-algos" >> /etc/gnupg/gpg.conf

And then retry with debsig-verify.