#9908 stop using sha-1 in signing keys
Closed: Fixed 6 months ago by kevin. Opened 8 months ago by kevin.

From https://gitlab.com/sequoia-pgp/sequoia/-/issues/595#note_433392680:

✦ ❯ ./target/debug/sq inspect ./fedora.gpg 
./fedora.gpg: OpenPGP Keyring.

OpenPGP Certificate.

    Fingerprint: 963A 2BEB 0200 9608 FE67  EA42 49FD 7749 9570 FF31
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2020-01-28 10:03:39 UTC

         UserID: Fedora (33) <fedora-33-primary@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

OpenPGP Certificate.

    Fingerprint: 97A1 AE57 C3A2 372C CA3A  4ABA 6C13 026D 12C9 44D0
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2019-08-12 12:08:11 UTC

         UserID: Fedora (32) <fedora-32-primary@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

OpenPGP Certificate.

    Fingerprint: 7D22 D586 7F2A 4236 474B  F7B8 50CB 390B 3C33 59C4
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2019-02-18 16:27:47 UTC

         UserID: Fedora (31) <fedora-31-primary@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

OpenPGP Certificate.

    Fingerprint: C2A3 FA9D C67F 68B9 8BB5  43F4 7BB9 0722 DBBD CF7C
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2018-11-13 18:05:12 UTC

         UserID: Fedora (iot 2019) <fedora-iot-2019@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

OpenPGP Certificate.

    Fingerprint: 94E2 79EB 8D8F 25B2 1810  ADF1 21EA 45AB 2F86 D6A1
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2019-06-05 14:17:31 UTC

         UserID: Fedora EPEL (8) <epel@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

OpenPGP Certificate.

    Fingerprint: 91E9 7D7C 4A5E 96F1 7F3E  888F 6A2F AEA2 352C 64E5
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2013-12-16 02:42:12 UTC

         UserID: Fedora EPEL (7) <epel@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

OpenPGP Certificate.

    Fingerprint: 8C3B E96A F230 9184 DA5C  0DAE 3B49 DF2A 0608 B895
                 Invalid: No binding signature at time 2020-10-21T09:16:00Z
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2010-04-23 23:12:02 UTC

         UserID: EPEL (6) <epel@fedoraproject.org>
                 Invalid: Policy rejected non-revocation signature (PositiveCertification)
                 because: SHA1 is not considered secure since 2013-01-01T00:00:00Z

So, I guess we are using sha1 in signatures? In any case we should track this down and fix it.
May well need changes in sigul.


Metadata Update from @mohanboddu:
- Issue tagged with: dev, high-gain, medium-trouble, ops

8 months ago

This should be done for new keys (sadly changing old ones will be a pain).

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 months ago


Metadata
Boards 2
Ops Status: Backlog
Dev Status: Done