On Sun, 2023-01-15 at 11:45:20 +0100, Ansgar wrote:
> Package: dpkg
> Version: 1.21.13
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> dpkg 1.21.13 introduced passing "--openpgp" to GnuPG by default […]. This
> causes GnuPG to use insecure cryptographic algorithms like the SHA-1
> digest algorithm by default.
>
> I do not think that cryptographic defaults from over 15 years ago are
> a good default choice today; rather they are a security issue (just
> like, for example, reverting to using SSL3 instead of TLS1.3).

Downgrading secure defaults was certainly not the intention…

At the time I checked the gnupg code, and (AFAIR) tested whether the
option was producing secure signatures, and even brought this up on the
#sequoia IRC channel. At the same time I also created a patch to restore
secure digest defaults:

  https://git.hadrons.org/git/debian/dpkg/dpkg.git/commit/?h=next/gnupg-secure-algos

but I cannot recall whether my testing was botched somewhere and deemed
the change unnecessary, or I lost track of that commit while preparing
those changes/release.

(Should probably also report to gnupg that it does then not seem to
respect the key preferences.)

In any case, I've reworked that a bit and will include it for 1.21.19.

Guillem
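As an added example, not code from the bug report or from dpkg: a small Python parser that walks an OpenPGP packet stream and reports the digest algorithm of each signature packet, which is the direct check for the SHA-1 fallback discussed in the thread. The sample packets are constructed and truncated (no real MPI data); on a real signature the same field is shown by `gpg --list-packets` as `digest algo 2` for SHA-1.

```python
# Added example (not from the bug report or dpkg): walk an OpenPGP packet
# stream and report the digest algorithm of each signature packet, so a
# signature made under "--openpgp" can be checked for SHA-1 fallback.
# Layout per RFC 4880; the sample packets are constructed and truncated.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

def parse_packet_header(data: bytes, off: int):
    """Return (tag, body_offset, body_length) for the packet at `off`."""
    first = data[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag, l1 = first & 0x3F, data[off + 1]
        if l1 < 192:
            return tag, off + 2, l1
        if l1 < 224:
            return tag, off + 3, ((l1 - 192) << 8) + data[off + 2] + 192
        if l1 == 255:
            return tag, off + 6, int.from_bytes(data[off + 2:off + 6], "big")
        raise ValueError("partial body lengths are not supported here")
    # old-format header: length type in the low two bits (RFC 4880 4.2.1)
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length is not supported here")
    n = 1 << ltype
    return tag, off + 1 + n, int.from_bytes(data[off + 1:off + 1 + n], "big")

def signature_digests(blob: bytes) -> list:
    """Digest algorithm names of every signature packet (tag 2) in `blob`."""
    found, off = [], 0
    while off < len(blob):
        tag, body, length = parse_packet_header(blob, off)
        if tag == 2:
            version = blob[body]
            # v4+: version, sig type, pubkey algo, hash algo
            # v3:  version, 0x05, sig type, time(4), key id(8), pubkey algo, hash algo
            hash_id = blob[body + 3] if version >= 4 else blob[body + 16]
            found.append(HASH_ALGOS.get(hash_id, f"unknown({hash_id})"))
        off = body + length
    return found

def uses_weak_digest(blob: bytes) -> bool:
    return any(name in WEAK_DIGESTS for name in signature_digests(blob))

# Constructed v4 signature packets (new-format header, tag 2, 10-byte body):
# version 4, sig type 0x00, RSA (1), hash algo byte, then placeholder bytes.
SHA1_SIG = bytes([0xC2, 10, 4, 0x00, 1, 2, 0, 0, 0, 0, 0xAB, 0xCD])
SHA256_SIG = bytes([0xC2, 10, 4, 0x00, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD])
```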