
Release signing key still uses SHA1



Hi,

The key used to sign release tarballs and git tags still uses SHA1 for
its self-signature. Is an updated key available somewhere already?

SHA1 is starting to be rejected by some tools already, for example
sequoia-sq:

    $ sq inspect xen.pub
    xen.pub: OpenPGP Certificate.

        Fingerprint: 23E3222C145F4475FA8060A783FE14C957E82BD9
                     Invalid: No binding signature at time 2024-03-12T02:37:29Z
    Public-key algo: RSA
    Public-key size: 2048 bits
      Creation time: 2010-04-06 13:55:33 UTC

             UserID: Xen.org Xen tree code signing (signatures on the xen hypervisor and tools) <pgp@xxxxxxx>
                     Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
                     because: SHA1 is not considered secure
     Certifications: 7, use --certifications to list


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature
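To audit a certificate for the problem described in this message without depending on sequoia-sq's policy, the following added example (not code from the poster or the Xen project) walks the binary OpenPGP packet stream (RFC 4880 packet headers) and reports every v4 signature packet whose hash algorithm is MD5, SHA1 or RIPEMD160. The sample certificate bytes are constructed inline with a dummy key body; the user ID, e-mail and signature packets are placeholders, not the real Xen key.

```python
"""Flag OpenPGP signature packets (self-signatures included) that use weak hash algorithms."""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224", 12: "SHA3-256", 14: "SHA3-512"}
WEAK_HASHES = {1, 2, 3}  # rejected by modern policies lacking second pre-image resistance
SIG_TYPES = {0x10: "GenericCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x1F: "DirectKey", 0x20: "KeyRevocation"}


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:  # new-format header: tag in low 6 bits, variable length octets
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2..5, length-type in low 2 bits
            tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
            if size is None:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]
        i += length


def weak_signatures(data: bytes):
    """Return (signature type, hash name) for every v4 signature packet using a weak hash."""
    findings = []
    for tag, body in iter_packets(data):
        if tag != 2 or len(body) < 4 or body[0] != 4:  # tag 2 = signature, v4 layout only
            continue
        sig_type, hash_id = body[1], body[3]  # v4: version, type, pubkey algo, hash algo
        if hash_id in WEAK_HASHES:
            findings.append((SIG_TYPES.get(sig_type, hex(sig_type)), HASH_ALGOS[hash_id]))
    return findings


def _pkt(tag: int, body: bytes) -> bytes:
    """Build a new-format packet with a one-octet length (constructed sample data only)."""
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample: dummy key packet, user ID, one SHA1 and one SHA256 PositiveCertification.
SAMPLE_CERT = (_pkt(6, b"\x04" + b"\x00" * 10) + _pkt(13, b"Example <ex@example.invalid>")
               + _pkt(2, bytes([4, 0x13, 1, 2, 0, 0, 0, 0, 0, 0]))
               + _pkt(2, bytes([4, 0x13, 1, 8, 0, 0, 0, 0, 0, 0])))

if __name__ == "__main__":
    for sig_type, hash_name in weak_signatures(SAMPLE_CERT):
        print(f"weak signature: {sig_type} hashed with {hash_name}")
```

A real certificate must be in binary form first (for example `gpg --dearmor` on the ASCII-armored file) before being passed to `weak_signatures`.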
