I ran into a small problem trying to create a custom Gerrit docker image.
Gerrit offers a wonderful deb repository of their releases and even an official docker image. The official docker image is based on Ubuntu 16.04, which is perfectly fine (it is an LTS release), but for reasons irrelevant to this blog post, I wanted to create a custom image based on Ubuntu 18.04. I ran into the following problem during the apt-get update step, after adding the relevant key and repository:
W: GPG error: http://deb.gerritforge.com gerrit Release: The following signatures were invalid: F0E24DA66FFAA737081E5A7E1FFFAA5E1871F775
E: The repository 'mirror://mirrorlist.gerritforge.com/deb gerrit Release' is not signed.
The command '/bin/sh -c apt-get update' returned a non-zero code: 100
The root cause is that Gerrit signs its repository's Release file with a SHA1 digest, which apt declares untrustworthy in Ubuntu 18.04 (in Ubuntu 16.04 it was only declared weak, so apt still accepted it with a warning).
If you want to re-enable SHA1 (which is a move that potentially weakens your security!), you can add the following line to your Dockerfile before the apt-get update step. It re-classifies SHA1 from untrusted to weak, so apt accepts the signature again instead of refusing the repository.
# Single quotes keep the inner double quotes intact, so the file contains: APT::Hashes::SHA1::Weak "yes";
RUN echo 'APT::Hashes::SHA1::Weak "yes";' > /etc/apt/apt.conf.d/23allowsha1
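Before loosening apt's hash policy it is worth confirming which digest a repository's signature actually uses. The POSIX sh helper below is an added example, not code from the original post or from Gerrit; it parses the output of `gpg --list-packets` for a Release.gpg or InRelease file and names the digest of each signature packet (algorithm numbers per RFC 4880). The packet listings embedded here are constructed samples with a made-up key id, so the block runs offline.

```shell
#!/bin/sh
# Map an OpenPGP hash algorithm id (RFC 4880, section 9.4) to its name.
digest_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin; print one digest name per signature packet.
# Only the "digest algo N," field is used; the "algo 1" on the packet header line is the
# public-key algorithm (RSA) and is deliberately ignored.
sig_digests() {
    while IFS= read -r line; do
        case "$line" in
            *"digest algo "*)
                rest=${line#*digest algo }
                digest_name "${rest%%,*}"
                ;;
        esac
    done
}

# Exit 0 if any signature uses a digest that apt on Ubuntu 18.04 refuses (MD5 or SHA1).
has_weak_digest() {
    sig_digests | grep -q -E '^(MD5|SHA1)$'
}

# Constructed sample listings (key id and timestamps are made up, not the real Gerrit key).
SAMPLE_SHA1='# off=0 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 0123456789ABCDEF
        version 4, created 1513000000, md5len 0, sigclass 0x00
        digest algo 2, begin of digest 3a 9f'
SAMPLE_SHA256='# off=0 ctb=89 tag=2 hlen=3 plen=287
:signature packet: algo 1, keyid 0123456789ABCDEF
        version 4, created 1513000000, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 7c 01'

# Real-world use: curl -s https://example.invalid/dists/gerrit/Release.gpg | gpg --list-packets | sig_digests
printf '%s\n' "$SAMPLE_SHA1" | sig_digests    # prints SHA1
```

If the output is SHA1 you have confirmed the cause described above; if a repository already signs with SHA256 or stronger, the apt.conf override is not needed and should not be added.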