[pkg-gnupg-maint] tag2upload should record git tag signer info in .dsc [and 1 more messages]
Jonathan McDowell
noodles at earth.li
Sat Jul 27 21:52:55 BST 2019
On Fri, Jul 26, 2019 at 09:18:29PM +0100, Sean Whitton wrote:
> For the purposes of tag2upload work, would you mind confirming this:
>
> On Tue 23 Jul 2019 at 06:38AM +01, Sean Whitton wrote:
>
> > AIUI a fingerprint fails to uniquely identify a PGP key unless you also
> > include the cryptographic algorithm that was used and the key size. So
> > for example, my current key is uniquely identified by writing both 4096R
> > and 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B.
> >
> > Even though it's unlikely we'll get a clash of fingerprints within the
> > Debian keyring, it seems the algorithm and keysize ought to be included
> > alongside the fingerprint, if the above is right.

My understanding is this was true in the days of v3 keys/fingerprints
but is not the case for v4. If we get to the point we find a collision
then that's a SHA1 issue that's going to cause bigger issues.

J.
--
] https://www.earth.li/~noodles/ [] <mstevens> I'm absolutely [
] PGP/GPG Key @ the.earth.li [] convinced one day soon I'm going [
] via keyserver, web or email. [] to get "masturbation" and [
] RSA: 4096/0x94FA372B2DA8B985 [] "meditation" mixed up. [
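
The v3/v4 difference described in the reply above, as an added example that is not part of the original message: it follows the fingerprint definitions in RFC 4880 section 12.2. The key values and timestamp are constructed toy numbers, not real keys, and the function names are hypothetical.

```python
import hashlib
import struct

def mpi(value):
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v3_fingerprint(n, e):
    """v3: MD5 over the MPI bodies of n then e, with the length octets left out."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()

def v4_fingerprint(created, algo, mpis):
    """v4: SHA-1 over 0x99, a two-octet length, and the whole public-key packet body."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    body += b"".join(mpi(m) for m in mpis)
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()

# Constructed sample input (assumption): toy integers far too small to be keys.
CREATED = 1564260775          # constructed creation timestamp
RSA, DSA = 1, 17              # public-key algorithm IDs from RFC 4880
KEY_A = (0xC1D2E3F4A5B6, 0x010001)   # 48-bit "modulus"
KEY_B = (0xC1D2E3F4A5, 0xB6010001)   # 40-bit "modulus", same bytes split elsewhere

def compare():
    """Report which fingerprint versions tell the two toy keys apart."""
    v4_a = v4_fingerprint(CREATED, RSA, KEY_A)
    return {
        # v3 hashes only the concatenated bytes, so moving the n/e boundary
        # (a different key size) leaves the fingerprint unchanged.
        "v3_same": v3_fingerprint(*KEY_A) == v3_fingerprint(*KEY_B),
        # v4 hashes each MPI's bit length, so the same move changes it.
        "v4_same": v4_a == v4_fingerprint(CREATED, RSA, KEY_B),
        # v4 also hashes the algorithm octet (the MPIs here are reused only to
        # show that binding; they do not form a valid DSA key).
        "v4_algo_changes_fp": v4_a != v4_fingerprint(CREATED, DSA, KEY_A),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
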