Building a Gerrit Docker image based on Ubuntu 18.04

I ran into a small problem trying to create a custom Gerrit docker image.

Gerrit offers a wonderful deb repository of their releases and even an official Docker image. The official Docker image is based on Ubuntu 16.04, which is perfectly fine (it’s an LTS release), but for reasons irrelevant to this blog post, I wanted to create a custom image based on Ubuntu 18.04. I ran into the following problem during the apt-get update step after adding the relevant key and repository:

W: GPG error: gerrit Release: The following signatures were invalid: F0E24DA66FFAA737081E5A7E1FFFAA5E1871F775
E: The repository 'mirror:// gerrit Release' is not signed.
The command '/bin/sh -c apt-get update' returned a non-zero code: 100

The root cause is that Gerrit signs its repository using the SHA1 digest, which was declared untrustworthy in Ubuntu 18.04 (it was declared weak in Ubuntu 16.04).

If you want to re-enable SHA1 (which is a move that potentially weakens your security!), you can add the following line to your Dockerfile. It re-classifies SHA1 from untrusted to weak.

RUN echo 'APT::Hashes::SHA1::Weak "yes";' > /etc/apt/apt.conf.d/23allowsha1
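
To confirm that SHA1 really is the digest behind the error before relaxing apt's policy, and to notice later when the override can be dropped, you can read the digest algorithm out of the repository's signature. This is an added example, not code from the original post or from Gerrit: it parses `gpg --list-packets` output, and the sample packets, the zeroed key ID and the `Release.gpg` file name are constructed assumptions.

```shell
#!/bin/sh
# Report which digest algorithm each OpenPGP signature packet uses.
# Input: `gpg --list-packets` output on stdin, for example
#   gpg --list-packets Release.gpg | sig_digests
# (Release.gpg is an assumed name for the repository's detached signature.)

# Print one digest name per signature packet (IDs from RFC 4880, section 9.4).
sig_digests() {
    awk '
        /^:signature packet:/ { in_sig = 1; next }
        /^:/                  { in_sig = 0 }      # any other packet type
        in_sig && /digest algo [0-9]+/ {
            id = $0
            sub(/.*digest algo /, "", id)
            sub(/[^0-9].*/, "", id)
            id += 0
            name = "unknown(" id ")"
            if (id == 1)  name = "MD5"
            if (id == 2)  name = "SHA1"
            if (id == 3)  name = "RIPEMD160"
            if (id == 8)  name = "SHA256"
            if (id == 9)  name = "SHA384"
            if (id == 10) name = "SHA512"
            if (id == 11) name = "SHA224"
            print name
        }
    '
}

# Exit status 0 if at least one signature on stdin was made with SHA1.
uses_sha1() {
    sig_digests | grep -qx 'SHA1'
}

# Constructed sample of list-packets output; $1 is the digest algorithm ID.
sample_packets() {
    printf ':signature packet: algo 1, keyid 0000000000000000\n'
    printf '\tversion 4, created 1514764800, md5len 0, sigclass 0x00\n'
    printf '\tdigest algo %s, begin of digest 12 34\n' "$1"
    printf '\tdata: [2047 bits]\n'
}

# Demonstration on the constructed sample: prints "SHA1".
sample_packets 2 | sig_digests
```

Once the repository's signature reports SHA256 or stronger, the `23allowsha1` override is no longer needed and can be removed from the image.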
