[I don't have enough time at present to fully drive this from a
keyring-maint PoV, but without any hats on I thought I'd add a couple of
extra bits of information.]
On Fri, Mar 21, 2025 at 01:11:20AM +0100, Guillem Jover wrote:
> On Thu, 2025-03-20 at 22:00:04 +0100, Christoph Biedl wrote:
> > Being one of those on the list, I'm even more confused than I'd be about
> > this anyway.
>
> Ok, let me try to clarify, then!
>
> > So those people you listed:
> >
> > * Did they do something wrong (although certainly with best intentions)?
>
> I don't think so, or at least if they did something explicitly,
> probably not wrong at the time they did it.
No fault on the part of the user. Previous versions of GnuPG had
defaults whereby even if you generated a large RSA key, rather than a
1024 bit DSA key, it would use SHA-1 for UID + subkey binding
signatures. It took some explicit manual configuration before a key was
ever created to avoid this.
> > * Is this a problem if apparently everything went fine in the many past
> >   years?
>
> I think there's widespread agreement that using SHA-1 in a security
> context is not wise at this point in time. The problem is that when
> using GnuPG this is sometimes invisible unless asked for explicitly.
My understanding is that there aren't any known attacks against SHA-1
self-sigs in OpenPGP at present. Given the issues with SHA-1, migration
away from it makes sense, but it's Sequoia making a decision to treat
SHA-1 self-sigs as no longer valid, combined with dpkg's switch to
Sequoia, that's driving the issue here.

I note that the Sequoia lint checks are not available in bookworm; you
need to use the version in trixie/sid.
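An added check, not from this mail or from dpkg/Sequoia: a POSIX shell function that reads `gpg --list-packets` output and reports the SHA-1 (digest algo 2) self-signatures, i.e. UID certifications and subkey bindings issued by the primary key, which are the ones Sequoia now treats as invalid. The embedded packet listing is a constructed sample, not a real key.

```shell
#!/bin/sh
# Report OpenPGP self-signatures hashed with SHA-1 in "gpg --list-packets"
# output read on stdin.  Self-sigs are the UID certifications (sigclass
# 0x10-0x13) and subkey binding sigs (0x18) issued by the primary key itself;
# "digest algo 2" is SHA-1 in OpenPGP.  Certifications by other keys are
# skipped: their hash was the certifier's choice, not the key owner's.
# Real use:  gpg --export KEYID | gpg --list-packets | sha1_selfsigs
sha1_selfsigs() {
    awk '
        /^:public key packet:/     { want_primary = 1 }
        /^:public sub key packet:/ { want_primary = 0 }
        want_primary && /^[ \t]*keyid:/ { primary = $2; want_primary = 0 }
        /^:user ID packet:/ { uid = substr($0, index($0, "\"")) }
        /^:signature packet:/ { issuer = $NF }
        /sigclass 0x/ { sigclass = $NF }
        /digest algo / {
            split($0, f, "digest algo "); split(f[2], g, ",")
            if (g[1] != "2" || issuer != primary) next
            if (sigclass ~ /^0x1[0-3]$/) { print "SHA-1 self-sig on " uid; found++ }
            else if (sigclass == "0x18") { print "SHA-1 subkey binding sig"; found++ }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed --list-packets output (not a real key): a SHA-1 UID self-sig,
# a SHA-1 certification by a third party, and a SHA-1 subkey binding sig.
SAMPLE=':public key packet:
    version 4, algo 1, created 1700000000, expires 0
    keyid: 0123456789ABCDEF
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
:signature packet: algo 1, keyid 1111222233334444
    version 4, created 1700000500, md5len 0, sigclass 0x10
    digest algo 2, begin of digest 55 66
:public sub key packet:
    version 4, algo 1, created 1700000000, expires 0
    keyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000100, md5len 0, sigclass 0x18
    digest algo 2, begin of digest 12 34'

printf '%s\n' "$SAMPLE" | sha1_selfsigs || echo "key needs re-signing with SHA-2 (exit $?)"
```

The function exits 1 when any SHA-1 self-sig is found, so it can gate a keyring import script; the third-party 0x10 certification in the sample is correctly ignored.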
> I'm happy to try to address anything that seems unclear, or get
> someone else who might be able to answer! And as Holger suggested
> elsewhere, we can probably also create a FAQ on the wiki with some of
> this to point to people.
Thanks for doing this, Guillem.
J.
--
] https://www.earth.li/~noodles/ [] "f u cn rd ths, u cn gt a gd jb n [
] PGP/GPG Key @ the.earth.li [] cmptr prgrmmng." -- Simon Cozens, [
] via keyserver, web or email. [] ox.os.linux [
] RSA: 4096/0x94FA372B2DA8B985 [] [