* Release signing key still uses SHA1
From: Marek Marczykowski-Górecki @ 2024-03-12 2:41 UTC
To: xen-devel
Hi,

The key used to sign release tarballs and git tags still uses SHA1 for
its self-signature. Is an updated key somewhere already?

SHA1 is starting to be rejected by some tools already, for example
sequoia-sq:

    $ sq inspect xen.pub
    xen.pub: OpenPGP Certificate.
    Fingerprint: 23E3222C145F4475FA8060A783FE14C957E82BD9
    Invalid: No binding signature at time 2024-03-12T02:37:29Z
    Public-key algo: RSA
    Public-key size: 2048 bits
    Creation time: 2010-04-06 13:55:33 UTC
    UserID: Xen.org Xen tree code signing (signatures on the xen hypervisor and tools) <pgp@xen.org>
    Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
    because: SHA1 is not considered secure
    Certifications: 7, use --certifications to list

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
* Release signing key still uses SHA1
From: Marek Marczykowski-Górecki @ 2024-03-12 4:13 UTC
To: grub-devel
Hi,

The key used to sign release tarballs and git tags still uses SHA1 for
its self-signature. Is an updated key somewhere already?

SHA1 is starting to be rejected by some tools already, for example
sequoia-sq:

    $ sq inspect grub-dkiper.pub
    grub-dkiper.pub: OpenPGP Certificate.
    Fingerprint: BE5C23209ACDDACEB20DB0A28C8189F1988C2166
    Public-key algo: RSA
    Public-key size: 4096 bits
    Creation time: 2017-02-05 03:43:32 UTC
    Expiration time: 2028-02-14 00:05:49 UTC (creation time + 11years 8days 2h 22m 17s)
    Key flags: certification, signing
    Subkey: 1BE37633B1B7EA3E057CC384955D1898DC24BB87
    Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
    because: SHA1 is not considered secure
    Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
    Public-key algo: RSA
    Public-key size: 4096 bits
    Creation time: 2017-02-05 03:43:32 UTC
    UserID: Daniel Kiper <daniel.kiper@oracle.com>
    UserID: Daniel Kiper <dkiper@net-space.pl>
    Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
    because: SHA1 is not considered secure
    Certifications: 95, use --certifications to list

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
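
Added example, not part of the thread or of either project's code: a minimal Python audit that walks the OpenPGP packets of a de-armored certificate and lists the v4 signatures made with MD5, SHA1 or RIPEMD160, the condition sq reports above for the PositiveCertification and SubkeyBinding signatures. It does not verify signatures or tell self-signatures from third-party certifications, and a component may also carry a newer signature with a stronger hash; the sample bytes are constructed, not a real key.

```python
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}
SIG_TYPES = {0x13: "PositiveCertification", 0x18: "SubkeyBinding"}

def iter_packets(data):
    """Yield (tag, body) for each packet in binary (de-armored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:                     # one-octet length
                length, i = first, i + 2
            elif first < 224:                   # two-octet length
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:                  # five-octet length
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def weak_signatures(data):
    """Return (component, signature type, hash) for each v4 signature with a weak hash."""
    component, found = "?", []
    for tag, body in iter_packets(data):
        if tag in (6, 14):                      # public key / public subkey
            component = "primary key" if tag == 6 else "subkey"
        elif tag == 13:                         # User ID
            component = "UserID " + body.decode("utf-8", "replace")
        elif tag == 2 and len(body) >= 4 and body[0] == 4:
            name = HASHES.get(body[3], f"hash#{body[3]}")  # body: version, type, pk algo, hash
            if name in WEAK:
                found.append((component, SIG_TYPES.get(body[1], hex(body[1])), name))
    return found

# Constructed sample: key, User ID "Test", SHA1 certification, subkey, SHA256 binding.
SAMPLE = bytes.fromhex("c6020400 cd0454657374 c20404130102 ce020400 c20404180108")
print(weak_signatures(SAMPLE))
```

To run it on a real certificate, pass the binary (not ASCII-armored) key bytes to `weak_signatures`.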
* Re: Release signing key still uses SHA1
From: Daniel Kiper @ 2024-04-25 21:27 UTC
To: Marek Marczykowski-Górecki; +Cc: grub-devel
Hey,

On Tue, Mar 12, 2024 at 05:13:24AM +0100, Marek Marczykowski-Górecki wrote:
> Hi,
>
> The key used to sign release tarballs and git tags still uses SHA1 for
> its self-signature. Is an updated key somewhere already?

I have just updated it. You can find it at
https://keys.openpgp.org/vks/v1/by-fingerprint/BE5C23209ACDDACEB20DB0A28C8189F1988C2166

Please drop me a line whether it works or not...

Daniel
* Re: Release signing key still uses SHA1
From: Marek Marczykowski-Górecki @ 2024-04-25 22:13 UTC
To: Daniel Kiper; +Cc: grub-devel
On Thu, Apr 25, 2024 at 11:27:53PM +0200, Daniel Kiper wrote:
> Hey,
>
> On Tue, Mar 12, 2024 at 05:13:24AM +0100, Marek Marczykowski-Górecki wrote:
> > Hi,
> >
> > The key used to sign release tarballs and git tags still uses SHA1 for
> > its self-signature. Is an updated key somewhere already?
>
> I have just updated it. You can find it at
> https://keys.openpgp.org/vks/v1/by-fingerprint/BE5C23209ACDDACEB20DB0A28C8189F1988C2166
>
> Please drop me a line whether it works or not...

Thanks, looks good now :)

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
* Re: Release signing key still uses SHA1
From: Daniel Kiper @ 2024-05-08 16:44 UTC
To: Marek Marczykowski-Górecki; +Cc: grub-devel
On Fri, Apr 26, 2024 at 12:13:21AM +0200, Marek Marczykowski-Górecki wrote:
> On Thu, Apr 25, 2024 at 11:27:53PM +0200, Daniel Kiper wrote:
> > Hey,
> >
> > On Tue, Mar 12, 2024 at 05:13:24AM +0100, Marek Marczykowski-Górecki wrote:
> > > Hi,
> > >
> > > The key used to sign release tarballs and git tags still uses SHA1 for
> > > its self-signature. Is an updated key somewhere already?
> >
> > I have just updated it. You can find it at
> > https://keys.openpgp.org/vks/v1/by-fingerprint/BE5C23209ACDDACEB20DB0A28C8189F1988C2166
> >
> > Please drop me a line whether it works or not...
>
> Thanks, looks good now :)

Great! Thanks!

Daniel