* Add djbw@kernel.org to 1ED2916A667D8802.asc
From: Dan Williams @ 2026-04-09 1:49 UTC
To: keys

* Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
From: Uwe Kleine-König @ 2026-04-10 6:48 UTC
To: Dan Williams; +Cc: keys

Hello Dan,

On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> ...
> -----END PGP PUBLIC KEY BLOCK-----

The two UIDs that are already tracked in the pgpkeys repo are only
protected by SHA1, and also the key binding is affected. GnuPG has no
issues with that, but other tools (e.g. Sequoia) take this more seriously.
(See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
for how to fix that.)

While you can address this yourself, your key has several signatures
protected by SHA1, which is somewhat the same issue, but you'd need the
cooperation of the guys who signed your key before, to fix that. The
easiest way to do that is to ask them to resign your certificate.
In return you can offer to resign their certs as there are several
SHA1-protected signatures by you on other keys. See
https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
for the "todo list".

Don't hesitate to ask if questions arise.

From my side this doesn't need to stop adding your updated cert to the
pgpkeys repo, as it doesn't make things worse than they already are.

Best regards
Uwe

PS: While it's not uniformly well received in the kernel community, the
people more involved with PGP crypto also recommend an expiry date on
certificates to enforce to a certain degree that users of your
certificate notice changes to your key.

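The message above separates SHA1 self-signatures and key bindings, which the key owner can refresh alone, from SHA1 certifications made by other people. The following is an added example, not part of the thread or of any tool named in it: it reads text in the layout printed by `gpg --list-packets` and reports, per user ID or subkey, the issuers whose newest signature still uses SHA-1. The function name, the sample listing and all key IDs in it are constructed; revocation signatures are ignored.

```python
import re

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880, section 9.4)
TRACKED = {0x10, 0x11, 0x12, 0x13, 0x18}  # UID certifications and subkey binding
# Constructed sample, trimmed to the lines the parser reads; all IDs are made up.
SAMPLE = """\
:public key packet:
\tkeyid: AAAAAAAAAAAAAAAA
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1300000100, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest cd 5f
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
\tversion 4, created 1300000200, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest 12 34
:user ID packet: "Alice Example <alice@example.net>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1300000100, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest ab cd
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1700000000, md5len 0, sigclass 0x13
\tdigest algo 10, begin of digest 9a bc
:public sub key packet:
\tkeyid: CCCCCCCCCCCCCCCC
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1300000300, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 56 78
"""

def sha1_protected(listing):
    """Return (target, issuer, kind) where the newest signature is SHA-1."""
    primary, target, sig, newest = None, None, {}, {}
    for line in map(str.strip, listing.splitlines()):
        if m := re.match(r':user ID packet: "(.*)"$', line):
            target = m.group(1)
        elif m := re.match(r"keyid: ([0-9A-F]{16})$", line):
            primary = primary or m.group(1)  # first key packet is the primary key
            target = ("primary key " if m.group(1) == primary else "subkey ") + m.group(1)
        elif m := re.match(r":signature packet: algo \d+, keyid ([0-9A-F]{16})$", line):
            sig = {"issuer": m.group(1)}
        elif m := re.match(r"version \d+, created (\d+), md5len \d+, sigclass (0x[0-9a-f]{2})$", line):
            sig.update(created=int(m.group(1)), sigclass=int(m.group(2), 16))
        elif (m := re.match(r"digest algo (\d+),", line)) and sig.get("sigclass") in TRACKED:
            key = (target, sig["issuer"])
            if sig["created"] >= newest.get(key, (0, 0))[0]:  # a newer signature supersedes
                newest[key] = (sig["created"], int(m.group(1)))
    return sorted((t, i, "self" if i == primary else "third-party")
                  for (t, i), (_, algo) in newest.items() if algo == SHA1)
```

For a real certificate the input would be the output of `gpg --export <keyid> | gpg --list-packets`; entries marked `self` can be refreshed by the owner, those marked `third-party` need the original signer.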
* Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
From: Dan Williams @ 2026-04-10 20:48 UTC
To: Uwe Kleine-König; +Cc: keys

Uwe Kleine-König wrote:
> Hello Dan,
>
> On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> >
> > mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> > waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> > 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> > ...
> > -----END PGP PUBLIC KEY BLOCK-----
>
> The two UIDs that are already tracked in the pgpkeys repo are only
> protected by SHA1, and also the key binding is affected. GnuPG has no
> issues with that, but other tools (e.g. Sequoia) take this more seriously.
> (See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
> https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
> for how to fix that.)
>
> While you can address this yourself, your key has several signatures
> protected by SHA1, which is somewhat the same issue, but you'd need the
> cooperation of the guys who signed your key before, to fix that. The
> easiest way to do that is to ask them to resign your certificate.
> In return you can offer to resign their certs as there are several
> SHA1-protected signatures by you on other keys. See
> https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
> for the "todo list".
>
> Don't hesitate to ask if questions arise.

Certainly the sq instructions look more approachable than doing this
with gpg. Given my old intel.com address is now disabled I assume I
should just delete that uid and then only need to fixup the gmail one?

For using an offline backup gpg directory to redo the signatures looks
like I can ask sq to use a different PGP_CERT_D directory. If you have a
ready example for that case that would save some fumbling time.

> From my side this doesn't need to stop adding your updated cert to the
> pgpkeys repo, as it doesn't make things worse than they already are.

Thanks for the heads up!

* Re: Add djbw@kernel.org to 1ED2916A667D8802.asc
From: Uwe Kleine-König @ 2026-04-10 21:25 UTC
To: Dan Williams; +Cc: keys

On Fri, Apr 10, 2026 at 01:48:37PM -0700, Dan Williams wrote:
> Uwe Kleine-König wrote:
> > Hello Dan,
> >
> > On Wed, Apr 08, 2026 at 06:49:33PM -0700, Dan Williams wrote:
> > > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > >
> > > mQINBE6TN1IBEADBi0Ztes1AmBXGUHh4zp7z8YMykXtF2o+Vd5uscmp0Z+CNoXMu
> > > waEOmxQjwjC6khh7gl/1i0YNMHtwTaNFgXJKVluH5uMXpeo5GXrCHmI14YNhJmRn
> > > 3AHzmM8wh9H0lCy96F71Wv13itJINy9AKYarQJcIUmpMxxO/f5VoE1UYeoouy19+
> > > ...
> > > -----END PGP PUBLIC KEY BLOCK-----
> >
> > The two UIDs that are already tracked in the pgpkeys repo are only
> > protected by SHA1, and also the key binding is affected. GnuPG has no
> > issues with that, but other tools (e.g. Sequoia) take this more seriously.
> > (See e.g. https://www.schneier.com/tag/sha-1/ for more details. And
> > https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/
> > for how to fix that.)
> >
> > While you can address this yourself, your key has several signatures
> > protected by SHA1, which is somewhat the same issue, but you'd need the
> > cooperation of the guys who signed your key before, to fix that. The
> > easiest way to do that is to ask them to resign your certificate.
> > In return you can offer to resign their certs as there are several
> > SHA1-protected signatures by you on other keys. See
> > https://www.kleine-koenig.org/~uwe/resign-sha1/?certid=1ED2916A667D8802
> > for the "todo list".
> >
> > Don't hesitate to ask if questions arise.
>
> Certainly the sq instructions look more approachable than doing this
> with gpg.

Indeed. It seems some people however don't seem to trust sq in the same
way as gpg and prefer not to let it touch their private key material.
¯\_(ツ)_/¯

> Given my old intel.com address is now disabled I assume I
> should just delete that uid and then only need to fixup the gmail one?

Not delete, but revoke. Otherwise yes.

> For using an offline backup gpg directory to redo the signatures looks
> like I can ask sq to use a different PGP_CERT_D directory. If you have a
> ready example for that case that would save some fumbling time.

Not sure I got your question. My guess is that you have your private
master key not in your ~/.gnupg but in a different directory, probably
on a different medium. I *think* you need to set --key-store and not
PGP_CERT_D (which is used to store the public bits of
keys/certificates).

An additional complication is that sq uses a different format to store
the private key material than gpg and I seem to recall that there is
some complication when setting GNUPG_HOME for sq. (Something about sq
not being able to contact gpg-agent then.) I think your best bet is to
either stick to GnuPG, or export your secret key and import it natively
using sq.

So the TLDR is: Sorry, I don't have a recipe for that.

Best regards
Uwe