Slackware Official GPG-KEY Expiration
Not sure how many of you have looked at the official Slackware GPG-KEY, and maybe I'm late to the party noticing this, but it expires on a rather peculiar date.
Code:
security@slackware.com public key
Or perhaps rather than being a funny reference to the problem, it is some mitigation for or manifestation of said problem? :eek:
Quote:
If not, too bad for them :)
Quote:
It is said that gpg is one of those applications which will fail if the expiration date is set after the year 2038. Another problematic piece of software is utmp/wtmp, which stores time stamps in 32-bit fields.
regards Henrik
The problem isn't the expiration date or 32-bits. The problem is that the preferred signing algorithm for that key is SHA1. SHA1 has been considered broken since 2017, but the slackware-security mailing list keeps using it to sign e-mail announcements. One of the consequences is that Thunderbird will mark the message with "Invalid message signature".
Code:
$ gpg2 --edit-key security@slackware.com
I wish I could somehow convey this to the responsible person(s), but until now I was not successful with that ;-(
Whoa, thank you for responding, sir!
Quote:
But that does not mean there aren't any people out there who could. We talk about the main signing key for the distro.
Isn't the issue with being able to duplicate the SHA1 digest for a modified object? That is, change the object and add some extra bytes to produce the same digest so that the signature still applies. That would be easier for SHA1 than another algorithm that produces more output bytes.