public inbox for keys@kernel.org
* Add djbw@kernel.org to 1ED2916A667D8802.asc
@ 2026-04-09  1:49 Dan Williams
  2026-04-10  6:48 ` Uwe Kleine-König
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Williams @ 2026-04-09  1:49 UTC (permalink / raw)
  To: keys

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=ZEr2
-----END PGP PUBLIC KEY BLOCK-----


* Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
  2026-04-09  1:49 Add djbw@kernel.org to 1ED2916A667D8802.asc Dan Williams
@ 2026-04-10  6:48 ` Uwe Kleine-König
  2026-04-10 20:48   ` Dan Williams
  0 siblings, 1 reply; 4+ messages in thread
From: Uwe Kleine-König @ 2026-04-10  6:48 UTC (permalink / raw)
  To: Dan Williams; +Cc: keys


Hallo Dan,

On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> ...
> -----END PGP PUBLIC KEY BLOCK-----

The two UIDs that are already tracked in the pgpkeys repo are only
protected by SHA1, and also the key binding is affected. GnuPG has no
issues with that, but other tools (e.g. Sequoia) take this more seriously.
(See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
for how to fix that.)

While you can address this yourself, your key has several signatures
protected by SHA1, which is somewhat the same issue, but you'd need the
cooperation of the guys who signed your key before, to fix that. The
easiest way to do that is to ask them to resign your certificate.
In return you can offer to resign their certs as there are several
SHA1-protected signatures by you on other keys. See
https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
for the "todo list".

Don't hesitate to ask if questions arise.

From my side this doesn't need to stop adding your updated cert to the
pgpkeys repo, as it doesn't make things worse than they already are.

Best regards
Uwe

PS: While it's not uniformly well received in the kernel community, the
people more involved with PGP crypto also recommend an expiry date on
certificates to enforce to a certain degree that users of your
certificate notice changes to your key.

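An added example, not part of the thread and not code from any of its participants: a minimal OpenPGP packet walker that lists which signatures in a certificate still use SHA-1 (or weaker) and which component they cover, the condition the reply above describes for the UIDs and the key binding. The function names and the sample bytes are constructed for illustration; real input would be a binary (unarmored) certificate such as the output of `gpg --export`.

```python
WEAK = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}          # RFC 4880 hash algorithm IDs
SIG_TYPES = {0x18: "subkey binding", 0x19: "primary key binding", 0x1F: "direct key",
             **{t: "certification" for t in (0x10, 0x11, 0x12, 0x13)}}

def packets(data):  # yields (tag, body) for each packet of a binary OpenPGP cert
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                                 # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                size, n = 0, first
            elif first < 224:
                size, n = 1, ((first - 192) << 8) + data[i] + 192
            elif first == 255:
                size, n = 4, int.from_bytes(data[i:i + 4], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                          # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype
            n = int.from_bytes(data[i:i + size], "big")
        i += size
        yield tag, data[i:i + n]
        i += n

def weak_signatures(data):
    """Return (component, signature type, hash name) for each weak-hash signature."""
    component, found = "primary key", []
    for tag, body in packets(data):
        if tag in (13, 14):                  # User ID / public subkey starts a new component
            component = "uid " + body.decode("utf-8", "replace") if tag == 13 else "subkey"
        elif tag == 2:                       # v3 has type/hash at offsets 2/16, v4+ at 1/3
            stype, halgo = (body[2], body[16]) if body[0] == 3 else (body[1], body[3])
            if halgo in WEAK:
                found.append((component, SIG_TYPES.get(stype, hex(stype)), WEAK[halgo]))
    return found

def pkt(tag, body):                          # sample helper: new-format packet, body < 192 bytes
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample (not a real key): signature bodies are cut off after the hash octet.
SAMPLE = (pkt(6, b"\x04") + pkt(13, b"Alice <alice@example.org>")
          + pkt(2, bytes([4, 0x13, 1, 2])) + pkt(2, bytes([4, 0x10, 1, 8]))
          + pkt(14, b"\x04") + pkt(2, bytes([4, 0x18, 1, 2])))
```

The listing includes every weak-hash signature still present in the certificate, whether or not a newer signature on the same component supersedes it, and it does not distinguish self-signatures from third-party certifications.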

* Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
  2026-04-10  6:48 ` Uwe Kleine-König
@ 2026-04-10 20:48   ` Dan Williams
  2026-04-10 21:25     ` Uwe Kleine-König
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Williams @ 2026-04-10 20:48 UTC (permalink / raw)
  To: Uwe Kleine-König; +Cc: keys

Uwe Kleine-König wrote:
> Hallo Dan,
> 
> On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > 
> > mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> > waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> > 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> > ...
> > -----END PGP PUBLIC KEY BLOCK-----
> 
> The two UIDs that are already tracked in the pgpkeys repo are only
> protected by SHA1, and also the key binding is affected. GnuPG has no
> issues with that, but other tools (e.g. Sequoia) take this more seriously.
> (See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
> https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
> for how to fix that.)
> 
> While you can address this yourself, your key has several signatures
> protected by SHA1, which is somewhat the same issue, but you'd need the
> cooperation of the guys who signed your key before, to fix that. The
> easiest way to do that is to ask them to resign your certificate.
> In return you can offer to resign their certs as there are several
> SHA1-protected signatures by you on other keys. See
> https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
> for the "todo list".
> 
> Don't hesitate to ask if questions arise.

Certainly the sq instructions look more approachable than doing this
with gpg. Given my old intel.com address is now disabled I assume I
should just delete that uid and then only need to fixup the gmail one?

For using an offline backup gpg directory to redo the signatures looks
like I can ask sq to use a different PGP_CERT_D directory. If you have a
ready example for that case that would save some fumbling time.

> From my side this doesn't need to stop adding your updated cert to the
> pgpkeys repo, as it doesn't make things worse than they already are.

Thanks for the heads up!


* Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
  2026-04-10 20:48   ` Dan Williams
@ 2026-04-10 21:25     ` Uwe Kleine-König
  0 siblings, 0 replies; 4+ messages in thread
From: Uwe Kleine-König @ 2026-04-10 21:25 UTC (permalink / raw)
  To: Dan Williams; +Cc: keys


On Fri, Apr 10, 2026 at 01:48:37PM -0700, Dan Williams wrote:
> Uwe Kleine-König wrote:
> > Hallo Dan,
> > 
> > On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> > > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > > 
> > > mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> > > waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> > > 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> > > ...
> > > -----END PGP PUBLIC KEY BLOCK-----
> > 
> > The two UIDs that are already tracked in the pgpkeys repo are only
> > protected by SHA1, and also the key binding is affected. GnuPG has no
> > issues with that, but other tools (e.g. Sequoia) take this more seriously.
> > (See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
> > https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
> > for how to fix that.)
> > 
> > While you can address this yourself, your key has several signatures
> > protected by SHA1, which is somewhat the same issue, but you'd need the
> > cooperation of the guys who signed your key before, to fix that. The
> > easiest way to do that is to ask them to resign your certificate.
> > In return you can offer to resign their certs as there are several
> > SHA1-protected signatures by you on other keys. See
> > https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
> > for the "todo list".
> > 
> > Don't hesitate to ask if questions arise.
> 
> Certainly the sq instructions look more approachable than doing this
> with gpg.

Indeed. It seems some people however don't seem to trust sq in the same
way as gpg and prefer not to let it touch their private key material.
¯\_(ツ)_/¯

> Given my old intel.com address is now disabled I assume I
> should just delete that uid and then only need to fixup the gmail one?

Not delete, but revoke. Otherwise yes.

> For using an offline backup gpg directory to redo the signatures looks
> like I can ask sq to use a different PGP_CERT_D directory. If you have a
> ready example for that case that would save some fumbling time.

Not sure I got your question. My guess is that you have your private
master key not in your ~/.gnupg but in a different directory, probably
on a different medium. I *think* you need to set --key-store and not
PGP_CERT_D (which is used to store the public bits of
keys/certificates). An additional complication is that sq uses a
different format to store the private key material than gpg and I seem
to recall that there is some complication when setting GNUPG_HOME for
sq. (Something about sq not being able to contact gpg-agent then.)

I think your best bet is to either stick to GnuPG, or export your
secret key and import it natively using sq.

So the TLDR is: Sorry, I don't have a recipe for that.

Best regards
Uwe

