Date: Tue, 12 Mar 2024 05:13:24 +0100
From: Marek Marczykowski-Górecki
To: grub-devel@gnu.org
Subject: Release signing key still uses SHA1

Hi,

The key used to sign release tarballs and git tags still uses SHA1 for
its self-signature. Is there an updated key somewhere already? SHA1 is
starting to be rejected by some tools already, for example sequoia-sq:

    $ sq inspect grub-dkiper.pub
    grub-dkiper.pub: OpenPGP Certificate.

        Fingerprint: BE5C23209ACDDACEB20DB0A28C8189F1988C2166
    Public-key algo: RSA
    Public-key size: 4096 bits
      Creation time: 2017-02-05 03:43:32 UTC
    Expiration time: 2028-02-14 00:05:49 UTC (creation time + 11years 8days 2h 22m 17s)
          Key flags: certification, signing

             Subkey: 1BE37633B1B7EA3E057CC384955D1898DC24BB87
                     Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
                     because: SHA1 is not considered secure
                     Invalid: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
    Public-key algo: RSA
    Public-key size: 4096 bits
      Creation time: 2017-02-05 03:43:32 UTC

             UserID: Daniel Kiper
             UserID: Daniel Kiper
                     Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
                     because: SHA1 is not considered secure
     Certifications: 95, use --certifications to list

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
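
Added example, not part of the original message and not GRUB or Sequoia code: the hash algorithm that sq objects to above is a one-octet field in each signature packet, so a certificate can be audited by walking its packets. The names `packets`, `audit`, `WEAK` and `SAMPLE` are this example's own, and the sample bytes are constructed, not taken from the GRUB key.

```python
# Added example: hash algorithm of each v4 signature packet (RFC 4880 layout).
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "GenericCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: this example's own policy

def packets(data):
    """Yield (tag, body) for every packet, old or new header format."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80 or i + 1 >= len(data):
            raise ValueError(f"bad packet header at offset {i}")
        if hdr & 0x40:                      # new format: tag in low 6 bits
            tag, first, i = hdr & 0x3F, data[i + 1], i + 2
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                               # old format: tag in bits 5..2
            tag, ltype, i = (hdr >> 2) & 0x0F, hdr & 0x03, i + 1
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """Return (signature type, hash name, is_weak) per v4 signature packet."""
    out = []
    for tag, body in packets(data):
        # v4 body starts: version, signature type, public-key algo, hash algo
        if tag == 2 and len(body) >= 4 and body[0] == 4:
            name = HASHES.get(body[3], f"hash#{body[3]}")
            out.append((SIG_TYPES.get(body[1], hex(body[1])), name, name in WEAK))
    return out

# Constructed sample (not the GRUB key), bodies cut down to the fields read:
# key, user ID, SHA1 certification, subkey, SHA256 subkey binding.
SAMPLE = (b"\x98\x06\x04\x00\x00\x00\x00\x01" + b"\xcd\x0cExample User"
          + b"\x88\x0a\x04\x13\x01\x02" + bytes(6)
          + b"\xb8\x06\x04\x00\x00\x00\x00\x01"
          + b"\xc2\x0a\x04\x18\x01\x08" + bytes(6))
```

Feed `audit` a binary export (for example the output of `gpg --dearmor`). It lists every signature packet, so third-party certifications appear alongside self-signatures, and it does not check which signature is the most recent one.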