From: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>
To: Dan Williams <djbw@kernel.org>
Cc: keys@linux.kernel.org
Subject: Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
Date: Fri, 10 Apr 2026 23:25:42 +0200
Message-ID: <adllv4VjgacytU8S@monoceros>
In-Reply-To: <69d96225e9f67_6c31a10035@djbw-dev.notmuch>

On Fri, Apr 10, 2026 at 01:48:37PM -0700, Dan Williams wrote:
> Uwe Kleine-König wrote:
> > Hallo Dan,
> > 
> > On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> > > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > > 
> > > mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> > > waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> > > 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> > > ...
> > > -----END PGP PUBLIC KEY BLOCK-----
> > 
> > The two UIDs that are already tracked in the pgpkeys repo are only
> > protected by SHA1, and also the key binding is affected. GnuPG has no
> > issues with that, but other tools (e.g. Sequoia) take this more seriously.
> > (See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
> > https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
> > for how to fix that.)
> > 
> > While you can address this yourself, your key has several signatures
> > protected by SHA1, which is somewhat the same issue, but you'd need the
> > cooperation of the guys who signed your key before, to fix that. The
> > easiest way to do that is to ask them to re-sign your certificate.
> > In return you can offer to re-sign their certs as there are several
> > SHA1-protected signatures by you on other keys. See
> > https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
> > for the "todo list".
> > 
> > Don't hesitate to ask if questions arise.
> 
> Certainly the sq instructions look more approachable than doing this
> with gpg.

Indeed. It seems some people however don't seem to trust sq in the same
way as gpg and prefer not to let it touch their private key material.
¯\_(ツ)_/¯

> Given my old intel.com address is now disabled I assume I
> should just delete that uid and then only need to fixup the gmail one?

Not delete, but revoke. Otherwise yes.

> For using an offline backup gpg directory to redo the signatures looks
> like I can ask sq to use a different PGP_CERT_D directory. If you have a
> ready example for that case that would save some fumbling time.

Not sure I got your question. My guess is that you have your private
master key not in your ~/.gnupg but in a different directory, probably
on a different medium. I *think* you need to set --key-store and not
PGP_CERT_D (which is used to store the public bits of
keys/certificates). An additional complication is that sq uses a
different format to store the private key material than gpg and I seem
to recall that there is some complication when setting GNUPG_HOME for
sq. (Something about sq not being able to contact gpg-agent then.)

I think your best bet is to either stick to GnuPG, or export your
secret key and import it natively using sq.

So the TLDR is: Sorry, I don't have a recipe for that.

Best regards
Uwe
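
The thread separates SHA1 self-signatures (UIDs, subkey binding), which the key owner can refresh, from SHA1 certifications by other people, which need the original signers. The following is an added example, not part of the original thread, that sorts signatures into those two groups from text in the layout of `gpg --list-packets`; the function name, the sample UID, the timestamps and the two third-party key IDs are constructed for illustration.

```python
import re

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880, section 9.4)
KINDS = {0x10: "certification", 0x11: "certification", 0x12: "certification",
         0x13: "certification", 0x18: "subkey binding"}

# Constructed sample in the layout of `gpg --list-packets`; the UID, the
# timestamps and the two third-party key IDs are made up for illustration.
SAMPLE = """\
:public key packet:
\tkeyid: 1ED2916A667D8802
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 1ED2916A667D8802
\tversion 4, created 1300000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 5a 3c
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1310000000, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest 91 0e
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1700000000, md5len 0, sigclass 0x10
\tdigest algo 10, begin of digest c4 77
:public sub key packet:
\tkeyid: 89ABCDEF01234567
:signature packet: algo 1, keyid 1ED2916A667D8802
\tversion 4, created 1300000000, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 7b d2
"""

def sha1_signatures(listing, cert_keyid):
    """List SHA-1 signatures as (target, issuer, kind, owner) tuples."""
    found, target, issuer, sigclass = [], None, None, None
    for line in map(str.strip, listing.splitlines()):
        if m := re.match(r':user ID packet: "(.*)"$', line):
            target = m.group(1)
        elif line.startswith(":public sub key packet:"):
            target = "subkey"
        elif m := re.match(r":signature packet: algo \d+, keyid ([0-9A-F]{16})", line):
            issuer, sigclass = m.group(1), None
        elif m := re.search(r"sigclass 0x([0-9a-f]{2})", line):
            sigclass = int(m.group(1), 16)
        elif m := re.match(r"digest algo (\d+)", line):
            if issuer and int(m.group(1)) == SHA1 and sigclass in KINDS:
                # Self-signatures can be refreshed by the key owner; the
                # others need the original signer to certify again.
                owner = "self" if issuer == cert_keyid else "third-party"
                found.append((target, issuer, KINDS[sigclass], owner))
            issuer = None
    return found
```

On the constructed sample, the SHA-512 certification (digest algo 10) is not reported; the other three signatures are.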
