Release signing key still uses SHA1
Hi,

The key used to sign release tarballs and git tags still uses SHA1 for its self-signature. Is an updated key somewhere already?

SHA1 is starting to be rejected by some tools already, for example sequoia-sq:

    $ sq inspect xen.pub
    xen.pub: OpenPGP Certificate.

        Fingerprint: 23E3222C145F4475FA8060A783FE14C957E82BD9
                     Invalid: No binding signature at time 2024-03-12T02:37:29Z
    Public-key algo: RSA
    Public-key size: 2048 bits
      Creation time: 2010-04-06 13:55:33 UTC

             UserID: Xen.org Xen tree code signing (signatures on the xen hypervisor and tools) <pgp@xxxxxxx>
                     Invalid: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure
     Certifications: 7, use --certifications to list

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
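A check for the condition reported above, as an added example that is not part of the original message or of the Xen project's tooling: it walks a binary (de-armored) OpenPGP certificate using RFC 4880 framing and lists v4 signatures issued by the primary key whose hash algorithm is MD5, SHA1 or RIPEMD160. All function names are this example's own, `sample_cert` builds a constructed input with placeholder key bytes, and signatures are read, not cryptographically verified.

```python
import hashlib

WEAK = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}  # RFC 4880 hash IDs; flagging these is this example's assumption

def _length(buf, i, two_octet_max):  # RFC 4880 variable length -> (length, next index)
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o <= two_octet_max:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    raise ValueError("five-octet and partial lengths are not handled")

def packets(data):  # yield (tag, body) for each packet of a binary certificate
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:   # new-format header
            tag, (n, i) = hdr & 0x3F, _length(data, i, 223)
        else:            # old-format header; IndexError on indeterminate length (type 3)
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def subpackets(area):  # yield (type, value) for each signature subpacket
    i = 0
    while i < len(area):
        n, i = _length(area, i, 254)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def weak_self_signatures(cert):  # -> [(signature type, hash name)] for weak-hash self-signatures
    key_id, found = None, []
    for tag, body in packets(cert):
        if tag == 6 and body[0] == 4:    # v4 primary key; key ID = low 64 bits of its fingerprint
            key_id = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]
        elif tag == 2 and body[0] == 4:  # v4 signature: type, pk algo, hash algo, two subpacket areas
            h = int.from_bytes(body[4:6], "big")
            u = int.from_bytes(body[6 + h:8 + h], "big")
            areas = body[6:6 + h] + body[8 + h:8 + h + u]
            issuers = {v[-8:] for t, v in subpackets(areas) if t in (16, 33)}  # issuer key ID / fingerprint
            if key_id in issuers and body[3] in WEAK:
                found.append((hex(body[1]), WEAK[body[3]]))
    return found

def sample_cert(hash_algo):  # constructed input: placeholder key bytes, signature cut after its subpackets
    key = b"\x99\x00\x0c\x04" + bytes(4) + b"\x01\x00\x08\xc1\x00\x02\x03"  # old-format key packet
    kid = hashlib.sha1(key).digest()[-8:]
    sig = bytes([4, 0x13, 1, hash_algo, 0, 0, 0, 10, 9, 16]) + kid  # type 0x13, issuer subpacket
    return key + b"\xcd\x06sample" + bytes([0xC2, len(sig)]) + sig
```

The result lists every matching self-signature on the certificate, including ones a newer self-signature has superseded, so an empty list is the condition to aim for after re-signing.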