PICARD-1934

GPG key used for signing is DSA 1024bit (unusable for verification)


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • None
    • 2.4.2
    • Packaging & Deployment
    • None
    • Arch Linux

      Hi! I package picard for Arch Linux.

      I would like to be able to verify the tags using one of the developers' GPG keys. Alternatively, it would also be great if you could provide signed source tarballs on GitHub and/or on pypi.org (that is currently not the case).

      Unfortunately the one currently in use (`9FD61CE6F154EC5A3531D0DE23A723D6417E5D5A`) is a 1024-bit DSA key and therefore should not be used for signing, as DSA is broken. Please create a new GPG key that is either at least 4096-bit RSA or uses a trusted curve algorithm such as ed25519, and establish a chain of trust by signing the new key with the old key and the old key with the new key. Afterwards, announce the change in a document within the picard source repository and sign that commit with the new key.

      Thanks!
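The report above describes two things a packager or maintainer would actually type: a check of what algorithm and size a signing key has, and the rotation procedure (new key, cross-signatures, signed announcement). The script below is an added example, not code from the Picard project or from the reporter. It parses `gpg --with-colons` output to flag DSA keys and RSA keys below a configurable floor (4096 bits by default, matching the request above), and wraps the rotation steps in a function. The user ID, the 2-year expiry, the `KEYS`/`transition.txt` file names and the sample key records are assumptions; in the sample listing only the algorithm/length fields and the long key ID derived from the fingerprint quoted above are taken from the report, every other field is a placeholder.

```shell
#!/bin/sh
# Added example: audit and rotate a GPG release-signing key.
# Not Picard's own tooling; file names and key parameters are assumptions.

MIN_RSA_BITS=${MIN_RSA_BITS:-4096}   # the report asks for at least 4096-bit RSA

# Read `gpg --with-colons --list-keys` records on stdin and print one line per
# weak primary key (pub) or subkey (sub). Field 3 is the key length, field 4 the
# public-key algorithm id (1 = RSA, 17 = DSA, 19 = ECDSA, 22 = EdDSA), field 5
# the long key ID. Returns 1 if any weak key was seen, 0 otherwise.
weak_key_report() {
    found=0
    while IFS=: read -r rtype _validity bits algo keyid _rest; do
        case "$rtype" in
            pub|sub) ;;
            *) continue ;;
        esac
        case "$algo" in
            17) reason="DSA (deprecated for signing)" ;;
            1)
                if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
                    reason="RSA-$bits (below $MIN_RSA_BITS bits)"
                else
                    continue
                fi ;;
            *) continue ;;   # ECDSA/EdDSA/ECDH records are accepted as-is
        esac
        echo "WEAK $rtype $keyid $reason"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample listing: a 1024-bit DSA primary key (the situation in the
# report; key ID is the low 64 bits of the fingerprint quoted there) and an
# ed25519 key. Dates, validity and the second key ID are placeholders.
sample_listing() {
    printf '%s\n' \
        'pub:u:1024:17:23A723D6417E5D5A:1577836800:::u:::scESC::::::23::0:' \
        'fpr:::::::::9FD61CE6F154EC5A3531D0DE23A723D6417E5D5A:' \
        'pub:u:256:22:0123456789ABCDEF:1577836800:::u:::scESC::::::23::0:'
}

# Rotation procedure from the report, as gpg/git commands. Assumes the caller
# has the old secret key in the keyring and a checkout of the repository.
#   usage: rotate_signing_key OLD_FPR "Name <email>" transition.txt
rotate_signing_key() {
    old_fpr=$1; uid=$2; statement=$3

    # 1. New ed25519 signing-capable primary key with a finite expiry (assumed 2y).
    gpg --batch --quick-generate-key "$uid" ed25519 sign 2y
    new_fpr=$(gpg --with-colons --list-keys "$uid" |
        while IFS=: read -r rtype _a _b _c _d _e _f _g _h fpr _rest; do
            [ "$rtype" = fpr ] && [ "$fpr" != "$old_fpr" ] && echo "$fpr" && break
        done)

    # 2. Cross-certify: old key signs new key, new key signs old key.
    gpg --default-key "$old_fpr" --quick-sign-key "$new_fpr"
    gpg --default-key "$new_fpr" --quick-sign-key "$old_fpr"

    # 3. Publish both public keys and a transition statement signed by BOTH keys,
    #    so anyone who trusts the old key can verify the handover.
    gpg --armor --export "$old_fpr" "$new_fpr" > KEYS
    gpg --armor --clearsign -u "$old_fpr" -u "$new_fpr" "$statement"

    # 4. Commit the announcement, signing the commit with the new key only.
    git add KEYS "$statement" "$statement.asc"
    git -c user.signingkey="$new_fpr" commit -S -m "Announce new release signing key $new_fpr"
    echo "$new_fpr"
}

# What a packager then runs against a release (tag name and tarball assumed):
#   git verify-tag "$TAG"
#   gpg --verify picard-"$VERSION".tar.gz.asc picard-"$VERSION".tar.gz
```

To audit a real keyring, pipe `gpg --with-colons --list-keys 9FD61CE6F154EC5A3531D0DE23A723D6417E5D5A | weak_key_report`; the non-zero exit status makes it usable in a packaging pipeline. The cross-signing in step 2 is what lets a downstream packager who already trusts the old key accept the new one without a separate out-of-band channel, and signing the transition statement with both keys gives the same assurance to people who only see the repository.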

            outsidecontext Philipp Wolfer
            dvzrv David Runge
            Votes: 0
            Watchers: 4
