Signature by key B60A3EC9BC013B9C23790EC8B31B29E5548C16BF uses weak algorithm (dsa1024)

[tbjornli]

I'm sorry for filing this as an issue on the newrelic-php-agent repository, but I could not not find a way to report it via the New Relic website.

The New Relic GPG key is using a weak algorithm and Debian based systems like Ubuntu 24.04 are now displaying a warning when using apt.

W: http://apt.newrelic.com/debian/dists/newrelic/Release.gpg: Signature by key 60A3EC9BC013B9C23790EC8B31B29E5548C16BF uses weak algorithm (dsa1024)

I looked around and I was unable to find another, stronger, gpg key.

My hopes are that someone from the New Relic team sees this and can forward the information to the proper department or someone with access to the support system can file a ticket.

[workato-integration]

https://new-relic.atlassian.net/browse/NR-325850

[davidsayre]

I'm unable to install the newrelic agnet becuase of the weak key. please advise

[wiebeytec]

We're also getting daily e-mail about this because apt throws the warning.

Additionally, it seems the New Relic installer uses the old way of installing GPG keys: by loading them into the global keystore, instead of using signed-by in the apt source. This is less secure, is deprecated, and also logs warnings.