Comment 8 for bug 1553121

Lars Kollstedt (lk-x) wrote :

Hi all,

first, thanks to ~juliank; this led me to a workaround for this in my case.

In our case netboot install failed with a "no suitable kernel found with your apt settings" (message text written down from memory), when our internal software repository was included to bootstrap our deployment environment.

Switching from the ncurses installer to a shell showed that /target/etc/apt/sources.list contains only an invalid placeholder for the main repository when this error occurs. From my memory this was xenial.invalid, but it might also have been debootstrap.invalid.

Replacing the signing key with one using SHA-2-256 solved this; then I stumbled into Bug #1512347, which was already mentioned above.
That IMHO means Bug #1553121 is definitely a SHA-1 issue, because at first I missed the lines
| personal-digest-preferences SHA256
| cert-digest-algo SHA256
| default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
in ~/.gnupg/gpg.conf (on a machine with Ubuntu 12.04 LTS (precise)) and created a key signed with SHA-1 again (as visible with pgpdump).
With this mistake the error still occurs. ;-)

As far as I know ~anders-kaseorg should be right in Bug #1556666. The keys are statically imported into the trusted keychain. The SHA-1 signature isn't used for any verification in any apt mechanism I know. For this reason the warning in the output of apt-get update should be more than enough.

IMHO this should at least be caught with a proper error message.

I haven't found the lines causing this yet. The gpgv calls in the debootstrap Package file functions should work, at least from the output on a fully installed xenial system. I haven't found another place doing similar stuff.

The SHA1 warnings/errors also affect the repositories on http://downloads.linux.hp.com, but they don't officially support Ubuntu 16.4 LTS (xenial) yet.

Kind regards
    Lars
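
Added example, not part of the comment above and not code from apt or debootstrap: a minimal Python reader for a binary OpenPGP key export that lists the digest algorithm of every signature packet, the detail the comment reads off pgpdump, so a repository signing key can be checked for SHA-1 self-signatures before it is deployed. The function names are this example's own and the sample bytes are constructed.

```python
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 section 9.4 IDs
WEAK = {"MD5", "SHA1", "RIPEMD160"}
SIG_OFFSETS = {4: (1, 3), 3: (2, 16), 2: (2, 16)}  # version -> (type, hash) offsets

def packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                   # old-format header
            tag, ltype = (hdr & 0x3C) >> 2, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def signature_digests(data):
    """Return [(signature_type, hash_name)] for every signature packet (tag 2)."""
    out = []
    for body in (b for t, b in packets(data) if t == 2):
        if body[0] not in SIG_OFFSETS:
            raise ValueError("unsupported signature version %d" % body[0])
        t_off, h_off = SIG_OFFSETS[body[0]]
        out.append((body[t_off], HASH_NAMES.get(body[h_off], "unknown")))
    return out

def weak_signatures(data):  # signatures made with MD5, SHA-1 or RIPEMD-160
    return [s for s in signature_digests(data) if s[1] in WEAK]

# Constructed sample: key, user ID, one SHA-1 and one SHA-256 certification (dummy bodies).
pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body
SAMPLE = (pkt(6, bytes(6)) + pkt(13, b"Repo <repo@example.invalid>")
          + pkt(2, bytes([4, 0x13, 1, 2, 0, 0])) + pkt(2, bytes([4, 0x13, 1, 8, 0, 0])))
```

To check a real key, pass the bytes written by `gpg --export KEYID` (binary output, without `--armor`) to `weak_signatures`.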