Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#68392 - [archlinux-keyring] 3 of the 5 master keys rely on SHA1
Attached to Project:
Arch Linux
Opened by ilf (ilf) - Friday, 23 October 2020, 13:06 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 02 June 2021, 19:04 GMT
Details
SHA-1 is a Shambles: https://sha-mbles.github.io/
3 of the 5 master keys rely on SHA1: https://gitlab.com/sequoia-pgp/sequoia/-/issues/595#note_434331334
And those keys do not have any actual security issues as noted in your link...
See these discussions for more details and background:
https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
https://mailarchive.ietf.org/arch/msg/openpgp/Rp-inhYKT8A9H5E34iLTrc9I0gc/
I guess we can do a better job of handing out better defaults for packager GnuPG keys.
This has to be done by the individual owners of the private keys in question, so it's probably up to them to choose the right path.
Will this issue naturally resolve itself if the master keys get an updated self-sig using some future version of gnupg?
gpg --expert --cert-digest-algo SHA256 --sign-key $YourKeyId
https://mailarchive.ietf.org/arch/msg/openpgp/-SZkhrDYieWaz32aIW9ElAEDjM8/
https://gitlab.com/sequoia-pgp/keyring-linter
https://crates.io/crates/sequoia-keyring-linter
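The report above is about the hash used in the master keys' own self-signatures, and the suggested fix is to re-issue those signatures with `--cert-digest-algo SHA256`. Before and after doing that, a keyring maintainer wants a quick way to see which self-signatures still carry a SHA1 (or MD5) digest. The following is an added example, not code from this report, from archlinux-keyring or from the sequoia keyring-linter linked above: it parses the text that `gpg --list-packets` prints for a keyring and flags self-signatures (user-ID certifications and subkey bindings made by the primary key itself) whose digest algorithm is MD5 or SHA1. Third-party certifications are reported separately because only the key owner can replace a self-signature. The packet dump embedded in the script is constructed for the example, with made-up key IDs; the only assumption about real input is the line layout of `gpg --list-packets` (`:signature packet: ... keyid X`, then a `sigclass 0x..` line, then a `digest algo N` line).

```python
"""Flag self-signatures with weak digests in `gpg --list-packets` output."""
import re
from dataclasses import dataclass

# Hash algorithm IDs from RFC 4880 section 9.4.
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
                8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {1, 2}  # MD5 and SHA1


@dataclass
class Signature:
    primary: str      # key ID of the certificate the signature belongs to
    signer: str       # key ID named in the signature packet header
    sigclass: int     # 0x13 = positive UID cert, 0x18 = subkey binding, ...
    digest_algo: int  # RFC 4880 hash algorithm ID

    @property
    def is_self_sig(self):
        return self.signer == self.primary

    @property
    def weak(self):
        return self.digest_algo in WEAK_DIGESTS


def parse_list_packets(text):
    """Collect every signature packet from `gpg --list-packets` text.

    The owning certificate is the 'keyid:' line of the most recent
    ':public key packet:'; subkey packets carry their own keyid line,
    which must not overwrite the primary."""
    sigs, primary, in_primary, sig = [], None, False, None
    for line in text.splitlines():
        if line.startswith(":public key packet:"):
            in_primary, sig = True, None
        elif line.startswith((":public sub key packet:", ":user ID packet:")):
            in_primary, sig = False, None
        elif line.startswith(":signature packet:"):
            in_primary = False
            sig = {"signer": re.search(r"keyid ([0-9A-Fa-f]+)", line).group(1)}
        elif in_primary and line.strip().startswith("keyid:"):
            primary = line.split(":", 1)[1].strip()
        elif sig is not None:
            m = re.search(r"sigclass 0x([0-9A-Fa-f]+)", line)
            if m:
                sig["sigclass"] = int(m.group(1), 16)
            m = re.search(r"digest algo (\d+)", line)
            if m and "sigclass" in sig:
                sigs.append(Signature(primary, sig["signer"],
                                      sig["sigclass"], int(m.group(1))))
                sig = None  # one digest line closes the packet
    return sigs


def find_weak_self_sigs(text):
    """Self-signatures the key owner would need to re-issue with SHA-256."""
    return [s for s in parse_list_packets(text) if s.is_self_sig and s.weak]


def report(text):
    """Human-readable lines, one per weak self-signature."""
    return [f"{s.primary}: self-sig class 0x{s.sigclass:02X} uses "
            f"{DIGEST_NAMES.get(s.digest_algo, s.digest_algo)}"
            for s in find_weak_self_sigs(text)]


# Constructed packet dump: key ...01 has SHA1 self-sigs (UID cert and
# subkey binding) plus a SHA1 certification from a third party ...AA;
# key ...03 has a SHA256 self-sig. None of these are real keys.
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 1300000000, expires 0
\tpkey[0]: [4096 bits]
\tkeyid: 0000000000000001
:user ID packet: "Constructed Key One <one@example.invalid>"
:signature packet: algo 1, keyid 0000000000000001
\tversion 4, created 1300000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest aa bb
\thashed subpkt 2 len 4 (sig created 2011-03-13)
:signature packet: algo 1, keyid 00000000000000AA
\tversion 4, created 1300000100, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest cc dd
:public sub key packet:
\tversion 4, algo 1, created 1300000000, expires 0
\tkeyid: 0000000000000002
:signature packet: algo 1, keyid 0000000000000001
\tversion 4, created 1300000000, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest ee ff
:public key packet:
\tversion 4, algo 1, created 1600000000, expires 0
\tkeyid: 0000000000000003
:user ID packet: "Constructed Key Two <two@example.invalid>"
:signature packet: algo 1, keyid 0000000000000003
\tversion 4, created 1600000000, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 11 22
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against a real keyring with `gpg --list-packets archlinux.gpg | python3 this_script.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; on the constructed input it lists the two SHA1 self-signatures of key `0000000000000001` and stays silent about the third-party SHA1 certification and about key `0000000000000003`.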