Google Chrome Repository Insecurity

Google wants you to install a weak cryptographic key (a DSA key with only 1024 bits) as a Debian package manager APT key, and its repository is downloaded over plain http, so the software download is not protected by https (TLS).
Summary
As of 14 March 2021:
- Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
- The repository is downloaded over plain http, without the encryption and authentication that https (TLS) provides.
Source
Signing Key
As of 14 March 2021, Google wants you to run the following command (archived):
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
This uses the wget command-line downloader to download an APT signing key and then Debian's apt-key utility to install the signing key into the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1], but that doesn't have a security impact here.
1) Download https://dl.google.com/linux/linux_signing_key.pub
2) View OpenPGP key information.
gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub
3) The output shows:
pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid   Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]
gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid   Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
The first key shows dsa1024, which means a DSA key with only 1024 bits.
In January 2011 the National Institute of Standards and Technology (NIST) stated, quote:
Disallowed after 2013
Google seems to agree with this assessment, since their signing key file linux_signing_key.pub already contains a newer rsa4096 key (RSA with 4096 bits). There is, however, no need whatsoever to still include the weak dsa1024 key in the signing key file linux_signing_key.pub.
Repository
1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb (archived google-chrome-stable_current_amd64.deb)
2) Extract or open the google-chrome-stable_current_amd64.deb compressed archive file with ark.
ark google-chrome-stable_current_amd64.deb
3) Extract or open control.tar.gz, a file inside the google-chrome-stable_current_amd64.deb compressed archive file.
4) Open the file postinst (the Debian package maintenance script of the google-chrome-stable_current_amd64.deb Debian package).
5) Line 137 is:
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
6) Conclusion: the repository is configured to use plain http instead of https (TLS).
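Both manual checks on this page (key strength in the Signing Key section, transport in the Repository section) can be scripted. The following is an added example, not code from the original page or from Google. It assumes gpg's `--with-colons` record layout (field 3 = key length, field 4 = algorithm ID, field 5 = key ID), a 2048-bit minimum chosen for this example, and constructed sample input.

```shell
#!/bin/sh
# Added example: audit APT trust material for the two weaknesses described on this page.
# MIN_BITS is this example's own threshold (an assumption), not a value from the page.
MIN_BITS=2048

# weak_keys: reads `gpg --with-colons` records on stdin and prints every
# primary key or subkey whose RSA (1), Elgamal (16) or DSA (17) size is
# below MIN_BITS, as "<algo><bits>/<keyid>".
weak_keys() {
    awk -F: -v min="$MIN_BITS" '
        BEGIN { name[1] = "rsa"; name[16] = "elg"; name[17] = "dsa" }
        ($1 == "pub" || $1 == "sub") && ($4 in name) && ($3 + 0 < min) {
            print name[$4] $3 "/" $5
        }'
}

# insecure_sources: reads one-line-style APT source entries on stdin and
# prints the URI of every deb/deb-src entry fetched over plain http.
insecure_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {                # skip the option block, e.g. [arch=amd64]
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($i ~ /^http:\/\//) print $i
        }'
}

# Constructed sample: colon records reduced to type, size, algorithm and
# key ID, matching the gpg listing shown on this page.
SAMPLE_KEYS='pub:-:1024:17:A040830F7FAC5991:
sub:-:2048:16:4F30B6B4C07CB649:
pub:-:4096:1:7721F63BD38B4796:
sub:-:4096:1:78BD65473CB3BD13:'

# Constructed sample: the REPOCONFIG entry from postinst, a commented-out
# entry and a hypothetical https entry.
SAMPLE_SOURCES='deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
# deb http://commented.example/ stable main
deb https://deb.example.org/debian stable main'

printf '%s\n' "$SAMPLE_KEYS" | weak_keys
printf '%s\n' "$SAMPLE_SOURCES" | insecure_sources
```

On a real system, feed `weak_keys` the output of `gpg --with-colons --import-options show-only --import linux_signing_key.pub`, and feed `insecure_sources` the contents of the files under /etc/apt/sources.list.d/.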
Other sources showing using http instead of https:
Bug Reports
- Security: Chrome Linux (Debian) Package Repository using unauthenticated HTTP instead of authenticated HTTPS (TLS)
- Security: Debian Package Repository using unauthenticated HTTP instead of authenticated HTTPS
Related
- Chrome
- Chromium
- Dev/Chromium
- Dev/Default Browser
- Chromium Browser for Kicksecure Discussions (not Whonix)
Footnotes
[1] Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/: "apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring."

