Since version 1.4 of apt (currently in sid), SHA1 hashes in Debian repos are unsupported:
```
apt (1.4~beta1) unstable; urgency=medium

  Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
  algorithms has been disabled. Repositories using Release files
  signed in such a way will stop working. This change has been made
  due to security considerations, especially with regards to possible
  further breakthroughs in SHA1 breaking during the lifetime
  of this APT release series.

  It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
  behaviour by setting the options

    APT::Hashes::SHA1::Weak "yes";
    APT::Hashes::RIPE-MD/160::Weak "yes";

  Note that setting these options only affects the verification of the overall
  repository signature.

 -- Julian Andres Klode
```
and updating from the linuxcnc Debian repo led to the following error:
```
$ apt update
[...]
Err:14 http://linuxcnc.org jessie Release.gpg
  The following signatures were invalid: EEDD0D29F81DCAA0D258661F3CB9FD148F374FEF
[...]
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://linuxcnc.org jessie Release: The following signatures were invalid: EEDD0D29F81DCAA0D258661F3CB9FD148F374FEF
W: Failed to fetch http://linuxcnc.org/dists/jessie/Release.gpg  The following signatures were invalid: EEDD0D29F81DCAA0D258661F3CB9FD148F374FEF
W: Some index files failed to download. They have been ignored, or old ones used instead.
```
The Release.gpg file should be signed using some stronger hash than SHA1.
I think (but I’m not entirely sure) that this should help: https://debian-administration.org/users/dkg/weblog/48 e.g. setting the default digest of your repo key to something else.
#1 – SebKuzminsky on 2017-03-12
I’ve regenerated the Release signatures using SHA-256, for the deb archives at http://www.linuxcnc.org and at buildbot.linuxcnc.org.
@reox, thanks for notifying us about this problem.
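To check which digest a repository's Release.gpg was signed with (the problem in the report) and to regenerate it with SHA-256 (the fix described in the reply), here is an added example; it is not code from this thread or from the linuxcnc project. It parses `gpg --list-packets` output, and the sample packets and key id are constructed; `resign_release` assumes the archive signing key is in the local keyring.

```shell
#!/bin/sh
# Added example, not code from the thread or the linuxcnc project. Lists the
# digest algorithm of every signature packet in a detached Release.gpg, as
# printed by `gpg --list-packets`, and flags the ones apt >= 1.4 rejects
# (SHA1, RIPE-MD/160; MD5 is flagged as well). Usage on a real file:
#   gpg --list-packets Release.gpg | check_sig_packets

# Read --list-packets text on stdin; print "<keyid> <digest> <weak|ok>" for
# each signature packet; return 1 if any signature uses a weak digest.
# Digest ids are the RFC 4880 values (1=MD5, 2=SHA1, 3=RIPEMD160, 8=SHA256, ...).
check_sig_packets() {
  awk '
    BEGIN { n[1] = "MD5"; n[2] = "SHA1"; n[3] = "RIPEMD160"; n[8] = "SHA256"
            n[9] = "SHA384"; n[10] = "SHA512"; n[11] = "SHA224" }
    /^:signature packet:/ {
      keyid = "?"
      if (match($0, /keyid [0-9A-Fa-f]+/)) keyid = substr($0, RSTART + 6, RLENGTH - 6)
    }
    /digest algo [0-9]+/ {
      match($0, /digest algo [0-9]+/)
      algo = substr($0, RSTART + 12, RLENGTH - 12) + 0
      name = (algo in n) ? n[algo] : "ALGO" algo
      state = (algo <= 3) ? "weak" : "ok"
      print keyid, name, state
      if (state == "weak") bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Regenerate Release.gpg with SHA-256, as the reply reports doing (assumes the
# archive signing key is in the local keyring; not executed by this example).
resign_release() {  # usage: resign_release Release <key id>
  gpg --batch --yes --digest-algo SHA256 --local-user "$2" \
      --armor --detach-sign --output "$1.gpg" "$1"
}

# Constructed sample packets (fake key id), shaped like gpg's output.
SAMPLE_WEAK=':signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1489276800, md5len 0, sigclass 0x00
    digest algo 2, begin of digest 5a 1c'
SAMPLE_OK=':signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1489276800, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 7e 42'
```

An InRelease file is a clearsigned copy of Release and needs the same `--digest-algo SHA256` with `--clearsign` instead of `--detach-sign`.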