Package: lintian
Version: 2.104.0
Control: clone -1 -2
Control: reassign -2 devscripts
Control: retitle -2 [uscan] deprecate upstream signatures made using weak hashes like MD5, SHA1, or RIPEMD160
Some upstream packages are signed with OpenPGP using old, deprecated digest algorithms. See for example xml2rfc having a recent signature made with SHA-1:

  https://mailarchive.ietf.org/arch/msg/xml2rfc-dev/G89V9M7_qSGxDVBb0QpSIqzznVc/

If lintian is scanning a package that includes a cryptographic signature from upstream, it should warn (or produce an error) if that signature uses a weak cryptographic digest algorithm. In particular, MD5, SHA1, and RIPEMD160 should all be considered weak.

Likewise, uscan should provide at least a warning (perhaps an error) if it fetches an OpenPGP signature that appears to be made using a weak digest.

For both of these cases (uscan and lintian), I say "warn" by default instead of "error" because of course a package with a weak signature shouldn't be treated worse than a package with *no* signature.

Some OpenPGP implementations (like "sqop verify" or "sq verify", both from sequoia) already deprecate recently-made SHA1 signatures.

If you're using gpgv to verify signatures, you can use the --weak-digest argument, like so:

  $ gpgv --weak-digest RIPEMD160 --weak-digest SHA1 --keyring debian/upstream/signing-key.pgp ../xml2rfc_3.5.0.orig.tar.gz.asc ../xml2rfc_3.5.0.orig.tar.gz
  gpgv: Signature made Wed 18 Nov 2020 05:20:56 AM EST
  gpgv:                using RSA key 4E9B574B8FBB171A
  gpgv: Note: signatures using the SHA1 algorithm are rejected
  gpgv: Can't check signature: Invalid digest algorithm 2
  $

(MD5 is already marked as a "weak digest" by default, so no need to include it specifically)

Thanks for considering this!

   --dkg
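Added example, not part of dkg's report or of lintian/uscan: the "Invalid digest algorithm 2" in the gpgv output above is the OpenPGP hash algorithm ID for SHA1 (RFC 4880 section 9.4). A checker that only wants to warn about the digest, without verifying the signature, can read that one byte straight out of the signature packet. The script below dearmors a .asc file, parses the packet header (old and new format, no partial body lengths) and the v3/v4+ signature layout, and classifies the digest as weak or ok. The sample signature it builds is constructed, with dummy signature material; only the header fields are meaningful, and the names make_sample and check_signature are this example's own.

```python
"""Flag OpenPGP signatures made with a weak digest (MD5, SHA1, RIPEMD160)
by reading the hash algorithm ID from the signature packet, RFC 4880 style.
Assumed helper names (make_sample, check_signature) are this example's own."""
import base64
import struct

# Hash algorithm IDs from RFC 4880 section 9.4 (SHA3 IDs added by RFC 9580).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224", 12: "SHA3-256", 14: "SHA3-512"}
# Same set the gpgv invocation in the report rejects via --weak-digest.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def dearmor(text):
    """Return the binary packet data inside an ASCII-armored signature block."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("not an armored OpenPGP signature")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            if line.strip() == "":
                in_body = True  # blank line separates armor headers from data
            continue
        if line.startswith("="):
            continue  # CRC24 line; not needed to read the packet header
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet_header(data):
    """Parse one packet header; return (tag, body_offset, body_length)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:  # new format (RFC 4880 section 4.2.2)
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old format (section 4.2.1)
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length not supported")


def signature_digest(data):
    """Return the hash algorithm ID used by the first signature packet (tag 2)."""
    tag, off, length = read_packet_header(data)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = data[off:off + length]
    version = body[0]
    if version == 3:
        # v3: version, hashed-len(5), sig type, time(4), key id(8), pk algo, hash algo
        return body[16]
    if version >= 4:
        # v4/v5/v6: version, sig type, public-key algorithm, hash algorithm
        return body[3]
    raise ValueError("unsupported signature version %d" % version)


def check_signature(armored):
    """Classify an armored signature as ('weak' | 'ok', digest name)."""
    algo_id = signature_digest(dearmor(armored))
    name = HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id)
    return ("weak" if name in WEAK_DIGESTS else "ok"), name


def make_sample(hash_algo):
    """Constructed sample: a syntactically valid v4 signature packet with dummy
    signature material (no real key signed it); only the header bytes matter."""
    body = (bytes([4, 0x00, 1, hash_algo])  # version 4, type 0x00, RSA, digest
            + b"\x00\x00" + b"\x00\x00"      # empty hashed / unhashed subpackets
            + b"\xab\xcd"                    # left 16 bits of the hash (dummy)
            + b"\x00\x08\xff")               # one 8-bit MPI (dummy)
    packet = bytes([0xC2, len(body)]) + body  # new-format header, tag 2
    b64 = base64.b64encode(packet).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n" % b64


if __name__ == "__main__":
    for algo in (1, 2, 3, 8, 10):
        print(algo, check_signature(make_sample(algo)))
```

To run it against a real upstream signature, replace make_sample(...) with the contents of the .asc file; the digest check is independent of the key and says nothing about whether the signature verifies, which is why it belongs next to, not instead of, the gpgv or sequoia verification step.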