If you are using debsig-verify to verify a downloaded .deb file and the verification fails, run it with the -d option to get more information. If you see the following two lines:
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm
It is likely that the PGP signature used to sign the package was made with the SHA1 digest algorithm, which has been deprecated (and is now rejected by gpg) in most recent Linux distros. If you can, generate another PGP key that uses a different algorithm. If you are a consumer of this deb package and cannot get the maintainer to update their public key, you can add a gpg configuration option that lets gpg accept the PGP signature:
echo "allow-weak-digest-algos" >> /etc/gnupg/gpg.conf
And then retry with debsig-verify. Note that allow-weak-digest-algos in /etc/gnupg/gpg.conf applies to every gpg signature check on the system, not only to debsig-verify, so remove the line again once the package is verified or has been re-signed with a stronger digest.
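Before loosening gpg's digest policy system-wide, it is worth confirming that the package's signature really is SHA1-based. The following script is an added example, not part of the original post or of debsig-verify: it reads the `_gpgorigin` member that debsigs stores in the .deb (which is an ar archive) and reports the digest algorithm named in the OpenPGP signature packet (v3 and v4 signatures only); it assumes the origin-role member name `_gpgorigin`, and `make_signed_deb` builds a constructed sample archive so it can be tried offline.

```python
# OpenPGP hash-algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def ar_members(data):
    """Yield (name, payload) for each member of an ar(1) archive; a .deb is one."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                 # fixed 60-byte member header
        name = hdr[:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58])
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)            # payloads are padded to an even offset
def packet_body(pkt):
    """Return (tag, body) of the first OpenPGP packet (RFC 4880, section 4.2)."""
    ctb = pkt[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                               # new-format header
        tag, first = ctb & 0x3F, pkt[1]
        if first < 192:
            return tag, pkt[2:2 + first]
        if first < 224:
            return tag, pkt[3:3 + ((first - 192) << 8) + pkt[2] + 192]
        raise ValueError("five-octet and partial body lengths not supported")
    ltype = ctb & 0x03                           # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                               # 1, 2 or 4 length octets
    return (ctb >> 2) & 0x0F, pkt[1 + n:1 + n + int.from_bytes(pkt[1:1 + n], "big")]
def signature_hash_algo(sig):
    """Name the digest of a v3 or v4 signature packet (RFC 4880, section 5.2)."""
    tag, body = packet_body(sig)
    if tag != 2:
        raise ValueError("expected a signature packet, got tag %d" % tag)
    algo = body[3] if body[0] == 4 else body[16] if body[0] == 3 else None
    return HASH_ALGOS.get(algo, "unknown(%r)" % algo)
def deb_signature_digest(deb):
    """Digest used by the debsigs origin signature (_gpgorigin member) of a .deb, or None."""
    for name, payload in ar_members(deb):
        if name == "_gpgorigin":
            return signature_hash_algo(payload)
    return None
def make_signed_deb(sig_body):
    # Constructed test input: an ar archive whose only member is _gpgorigin (old-format CTB 0x88)
    pkt = bytes([0x88, len(sig_body)]) + sig_body
    hdr = b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (b"_gpgorigin", b"0", b"0", b"0", b"100644", b"%d" % len(pkt))
    return b"!<arch>\n" + hdr + pkt + (b"\n" if len(pkt) % 2 else b"")
```

On a real package, call `deb_signature_digest(open("package.deb", "rb").read())`; a result of "SHA1" matches the gpg messages above, while "SHA256" or stronger points to a different cause of the failure.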