FS#50482 - [lsof] pkgbuild, add the fingerprint

Attached to Project: Arch Linux
Opened by . (flysprayer) - Monday, 22 August 2016, 14:15 GMT
Last edited by Anatol Pomozov (anatolik) - Tuesday, 30 August 2016, 00:06 GMT
Task Type Feature Request
Category Security
Status Closed
Assigned To Anatol Pomozov (anatolik)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No
This task depends upon

Closed by  Anatol Pomozov (anatolik)
Tuesday, 30 August 2016, 00:06 GMT
Reason for closing:  Upstream
Additional comments about closing:  Upstream should start using a modern encryption algorithm.
Comment by Doug Newgard (Scimmia) - Monday, 22 August 2016, 23:19 GMT Comment by . (flysprayer) - Monday, 29 August 2016, 21:07 GMT
https://www.gnupg.org/faq/whats-new-in-2.1.html#nopgp2

"Removal of PGP-2 support

Some algorithms and parts of the protocols as used by the 20 years old PGP-2 software are meanwhile considered unsafe. In particular the baked in use of the MD5 hash algorithm limits the security of PGP-2 keys to non-acceptable rate. Technically those PGP-2 keys are called version 3 keys (v3) and are easily identified by a shorter fingerprint which is commonly presented as 16 separate double hex digits.

With GnuPG 2.1 all support for those keys has gone. If they are in an existing keyring they will eventually be removed. If GnuPG encounters such a key on import it will not be imported due to the not anymore implemented v3 key format. Removing the v3 key support also reduces complexity of the code and is thus better than to keep on handling them with a specific error message.

There is one use case where PGP-2 keys may still be required: For existing encrypted data. We suggest to keep a version of GnuPG 1.4 around which still has support for these keys (it might be required to use the --allow-weak-digest-algos option). A better solution is to re-encrypt the data using a modern key."

the package maintainer must use the latest GnuPG classic release to verify it and then use sha512sums to future-proof it.
Comment by Doug Newgard (Scimmia) - Monday, 29 August 2016, 23:27 GMT
Sounds like a "Won't Implement" to me.

Loading...