Original Poster
Michael D. (DE)

Ubuntu 16.04-APT displays warning because Google Repository is still using SHA-1

APT for Debian / Ubuntu is now displaying a warning if a PPA / Repository is still using the deprecated SHA-1. It seems that the the google repository is still using SHA-1

#sudo apt-get update
W: http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg: Signature by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 uses weak digest algorithm (SHA1)

@Google-Security Team
When you are treating SHA-1 certificates as unsecure in your browser, you may want to change your own SHA-1 signature key for your linux deb packets.
Community content may not be verified or up-to-date. Learn more.
Recommended Answer
Was this answer helpful?
How can we improve it?
All Replies (40)
Hi Michael,

The issue is already known and can you can follow its progress by starring the related bug:  crbug.com/596074
You are the first Ubuntu user which indicates this issue, so I guess 16.04 also contains the version with the warning. (Previously only Debian users)

Jürgen Schnake
Jürgen Schnake
Just to not let Michael be the only one to report it: Yes, indeed Ubuntu 16.04 reports this regularly. Would be nice if you guys could fix it :-) Thanks in advance!
Achim Behrens
Achim Behrens
i already filed a bug about that in march while testing 16.04. Google told me to change the keys with the next release of chrome for the chrome (and google music manager) repo. which they didnt. 

Ahmad Darwiche
Ahmad Darwiche

I'd like to join Michael & Jurgen, I've the same warning too, I tried to remove Chrome & install it again, but same problem.

Rakshith Ravi
Rakshith Ravi
I can confirm the warning in my 16.04 system too
Hi all,

it looks like crbug.com/596074 is fixed and the encryption has been upgraded.

However some local caching is giving new warnings: Failed to fetch http://dl.google.com/linux/earth/deb/dists/stable/main/binary-amd64/Packages  Hash Sum mismatch

These can be fixed by running following commands (you can replace aptitude by apt-get if you like) on Debian, Ubuntu and derivatives. I don't have instructions for RedHat-based distros.
  • sudo rm -rf /var/lib/apt/lists/*
  • sudo aptitude clean
  • sudo aptitude update
  • sudo aptitude upgrade
(Tnx to PeterJB for sharing)

This question is locked and replying has been disabled. Still have questions? Ask the Help Community.


Some community members might have badges that indicate their identity or level of participation in a community.

Expert - Google Employee — Googler guides and community managers
Expert - Community Specialist — Google partners who share their expertise
Expert - Gold — Trusted members who are knowledgeable and active contributors
Expert - Platinum — Seasoned members who contribute beyond providing help through mentoring, creating content, and more
Expert - Alumni — Past members who are no longer active, but were previously recognized for their helpfulness
Expert - Silver — New members who are developing their product knowledge
Community content may not be verified or up-to-date. Learn more.


Member levels indicate a user's level of participation in a forum. The greater the participation, the higher the level. Everyone starts at level 1 and can rise to level 10. These activities can increase your level in a forum:

  • Post an answer.
  • Having your answer selected as the best answer.
  • Having your post rated as helpful.
  • Vote up a post.
  • Correctly mark a topic or post as abuse.

Having a post marked and removed as abuse will slow a user's advance in levels.

View profile in forum?

To view this member's profile, you need to leave the current Help page.

Report abuse in forum?

This comment originated in the Google Product Forum. To report abuse, you need to leave the current Help page.

Reply in forum?

This comment originated in the Google Product Forum. To reply, you need to leave the current Help page.