[pkg-gnupg-maint] tag2upload should record git tag signer info in .dsc [and 1 more messages]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 29 15:08:39 BST 2019


On Sat 2019-07-27 21:52:55 +0100, Jonathan McDowell wrote:
> On Fri, Jul 26, 2019 at 09:18:29PM +0100, Sean Whitton wrote:
>> For the purposes of tag2upload work, would you mind confirming this:
>> 
>> On Tue 23 Jul 2019 at 06:38AM +01, Sean Whitton wrote:
>> 
>> > AIUI a fingerprint fails to uniquely identify a PGP key unless you also
>> > include the cryptographic algorithm that was used and the key size.  So
>> > for example, my current key is uniquely identified by writing both 4096R
>> > and 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B.
>> >
>> > Even though it's unlikely we'll get a clash of fingerprints within the
>> > Debian keyring, it seems the algorithm and keysize ought to be included
>> > alongside the fingerprint, if the above is right.
>
> My understanding is this was true in the days of v3 keys/fingerprints
> but is not the case for v4. If we get to the point we find a collision
> then that's a SHA1 issue that's going to cause bigger issues.

Noodles' understanding is correct.  That problem is one of the reasons
that the v3 format is deprecated.

         --dkg
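As an added illustration of the point above (not part of the thread), the following Python computes v3 and v4 fingerprints as RFC 4880 section 12.2 defines them, over constructed toy MPIs: the v4 hash input includes the algorithm octet and every MPI bit length, so algorithm and key size are already bound by the fingerprint, whereas the v3 hash covers only the MPI bodies. The key values, timestamp and function names are made up for the demo.

```python
import hashlib
import struct

def mpi(value):
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian body."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body

def v3_fingerprint(mpis):
    """v3 (RFC 4880 12.2): MD5 over the MPI bodies only. The bit-length prefixes and
    the algorithm octet are NOT hashed, so neither algorithm nor key size is bound."""
    bodies = b"".join(mpi(m)[2:] for m in mpis)
    return hashlib.md5(bodies).hexdigest().upper()

def v4_public_key_body(created, algo, mpis):
    """Body of a v4 public-key packet: version, creation time, algorithm, MPIs."""
    return (b"\x04" + struct.pack(">I", created) + bytes([algo])
            + b"".join(mpi(m) for m in mpis))

def v4_fingerprint(body):
    """v4 (RFC 4880 12.2): SHA-1 over 0x99, two-octet body length, and the full body,
    so the algorithm octet and every MPI bit length are part of the hashed input."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

# Constructed toy key material (not real keys). Both splits concatenate to the same
# byte string 01 02 03 04 05 06 07, but the MPI boundaries (and so the bit lengths) differ.
SPLIT_A = [0x0102030405, 0x0607]
SPLIT_B = [0x010203, 0x04050607]
CREATED = 1564400000   # arbitrary creation timestamp for the demo
RSA, DSA = 1, 17       # public-key algorithm IDs from RFC 4880 section 9.1

def compare():
    """Return the fingerprints that show what each fingerprint version binds."""
    return {
        "v3_a": v3_fingerprint(SPLIT_A),
        "v3_b": v3_fingerprint(SPLIT_B),
        "v4_a_rsa": v4_fingerprint(v4_public_key_body(CREATED, RSA, SPLIT_A)),
        "v4_b_rsa": v4_fingerprint(v4_public_key_body(CREATED, RSA, SPLIT_B)),
        "v4_a_dsa": v4_fingerprint(v4_public_key_body(CREATED, DSA, SPLIT_A)),
    }

if __name__ == "__main__":
    r = compare()
    print("v3 fingerprints collide across different MPI splits:", r["v3_a"] == r["v3_b"])
    print("v4 fingerprints differ across MPI splits:", r["v4_a_rsa"] != r["v4_b_rsa"])
    print("v4 fingerprint changes with the algorithm octet:", r["v4_a_rsa"] != r["v4_a_dsa"])
```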