PGP release signing key is expired #27

Open
eli-schwartz opened this issue Jan 8, 2018 · 2 comments

@eli-schwartz

While working on https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/ as part of Arch Linux packaging, I realized that castget provides PGP signed releases at https://download.savannah.gnu.org/releases/castget/

However, there are two major problems with the signatures. First, there is no record anywhere of what key is being used to sign those releases, so users cannot confirm that they have the right key. Ideally you'd list your PGP fingerprint on your website for castget itself, while continuing to use savannah.nongnu.org for release hosting. (You can also upload the key to Github, as well as use git to sign the git tags.) Second, the unverified key that was used appears to have expired on 2015-07-01. There is no way we can use an invalid key to verify releases. The key needs to be renewed or replaced.

A third, unrelated issue is that it is a dsa 1024-bit key, which is really quite weak. You should consider creating a new key using rsa2048 at a minimum, or preferably rsa4096, as there is really no downside to using the strongest current key type when creating a new key.

...

By the way, your link to the Arch Linux package for castget is broken. We dropped i686 support, and the correct way to link to the package regardless would be https://www.archlinux.org/packages/?name=castget (which does an exact-name search independent of the repository name or built architecture).

@mlj
Owner

mlj commented Jan 9, 2018

Thank you for taking the time to report this (with lots of helpful details). I'm afraid that, like many others, I only learned the basics of PGP/GPG and therefore regularly fail to do what is required.

I hadn't uploaded my public key to any key server for some time, thus the expired key. This should be fixed now.

I've added key ID and fingerprint to the website. The key is already associated with my github profile; I'll start signing git tags from now on.

Link to the Arch Linux package fixed.

I'll create a new, stronger key before the current one expires. I'm leaving this issue open as a reminder.

Thanks again for reporting this!

@mlj mlj self-assigned this Jan 9, 2018
@mlj mlj added the security label Jan 9, 2018
@eli-schwartz
Author

Thanks!

FWIW you're nowhere near the only person who has a legacy dsa1024 key originally created back when dsa1024 was still a commonly used key strength, and didn't realize it would be good to transition over to a new key.

https://crypto.stackexchange.com/questions/9878/is-a-1024-bit-dsa-key-considered-safe
https://news.ycombinator.com/item?id=9574984
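The three checks the thread asks a downstream packager to make (which key actually signed the release, whether that key has expired, and whether it is a weak DSA-1024 key) can all be read straight out of the OpenPGP packets before `gpg --verify` is ever run. The following is an added example written for this page; it is not castget's code, not the reporter's, and it does not touch castget's real key. The key and detached signature it inspects are constructed inline from filler bytes: a DSA key with a 1024-bit p, created 2010-07-01 with a self-signature expiring it on 2015-07-01 (the date named above), a user ID at an `example.invalid` address, and a release signature whose issuer subpacket points at that key. `PINNED_FINGERPRINT` stands in for the fingerprint a packager would copy from the project website into a PKGBUILD's `validpgpkeys=` array; here it is simply derived from the constructed key. The function and constant names are my own. The code only parses metadata, it does not verify any signature cryptographically.

```python
"""Inspect OpenPGP packets for the thread's three problems: which key signed a release, has that key
expired, and is it weak DSA-1024.  Added example, not castget's code; the key material below is dummy."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

ALGO_NAMES = {1: "rsa", 2: "rsa", 3: "rsa", 16: "elg", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}
MIN_BITS = 2048  # the floor the reporter asks for; anything below is flagged weak
ISSUE_DATE = datetime(2018, 1, 8, tzinfo=timezone.utc)   # the day this issue was filed

def _new_len(data, i):
    """Decode the 1/2/5-octet length shared by new-format packet headers and subpackets."""
    b1 = data[i]
    if b1 < 192:
        return b1, i + 1
    if b1 < 224:
        return ((b1 - 192) << 8) + data[i + 1] + 192, i + 2
    if b1 < 255:
        raise ValueError("partial body lengths not supported")
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5

def parse_packets(blob):
    """Split an OpenPGP binary stream into (tag, body) pairs (RFC 4880 s.4.2)."""
    out, i = [], 0
    while i < len(blob):
        hdr = blob[i]
        if hdr & 0x40:                                   # new-format header
            tag, (length, i) = hdr & 0x3F, _new_len(blob, i + 1)
        else:                                            # old-format header, what gpg writes for .sig files
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]   # length type 3 (indeterminate) raises IndexError
            length, i = int.from_bytes(blob[i + 1:i + 1 + n], "big"), i + 1 + n
        out.append((tag, blob[i:i + length]))
        i += length
    return out

def parse_subpackets(data):
    """Return {type: body} for a signature subpacket area (RFC 4880 s.5.2.3.1)."""
    subs, i = {}, 0
    while i < len(data):
        length, i = _new_len(data, i)
        subs[data[i] & 0x7F] = data[i + 1:i + length]    # mask off the "critical" bit
        i += length
    return subs

def parse_public_key(body):
    """(fingerprint_hex, created, algo_name, bits) from a v4 public-key packet body."""
    assert body[0] == 4, "only v4 keys handled"
    created = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc)
    algo = body[5]   # RSA n / DSA p is the first MPI and sets the key size; ECC keys start with an OID
    bits = None if algo in (18, 19, 22) else struct.unpack(">H", body[6:8])[0]
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return fpr, created, ALGO_NAMES.get(algo, f"algo{algo}"), bits

def parse_signature(body):
    """(sig_type, hashed_subpackets, unhashed_subpackets) from a v4 signature body."""
    assert body[0] == 4, "only v4 signatures handled"
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    return body[1], parse_subpackets(body[6:6 + hlen]), parse_subpackets(body[8 + hlen:8 + hlen + ulen])

def audit_key(keyring, now):
    """Identity, strength and expiry (as of `now`) of the first key in `keyring`."""
    pkts = parse_packets(keyring)
    fpr, created, algo, bits = parse_public_key(next(b for t, b in pkts if t == 6))
    expires = None
    for sig_type, hashed, _ in (parse_signature(b) for t, b in pkts if t == 2):
        if 0x10 <= sig_type <= 0x13 and 9 in hashed:     # self-certification carrying a key expiry
            expires = created + timedelta(seconds=struct.unpack(">I", hashed[9])[0])
    return {"fingerprint": fpr, "keyid": fpr[-16:], "algo": f"{algo}{bits or ''}", "expires": expires,
            "weak": bits is not None and bits < MIN_BITS, "expired": expires is not None and expires <= now}

def signer_keyid(detached_sig):
    """Issuer key ID (hex) named in a detached signature, or None if it names none."""
    for _, hashed, unhashed in (parse_signature(b) for t, b in parse_packets(detached_sig) if t == 2):
        issuer = hashed.get(16) or unhashed.get(16)
        if issuer:
            return issuer.hex().upper()
    return None

# ---- constructed sample data: dummy MPIs, old-format headers as gpg writes them ----
def _mpi(bits, fill):                      # MPI of exactly `bits` bits: top bit set, rest filler
    body = bytearray([fill]) * ((bits + 7) // 8)
    body[0] |= 0x80
    return struct.pack(">H", bits) + bytes(body)
def _packet(tag, body):                    # old-format header with a two-octet length
    return bytes([0x80 | tag << 2 | 1]) + struct.pack(">H", len(body)) + body
def _subpacket(stype, body): return bytes([len(body) + 1, stype]) + body
def _sig(sig_type, hashed, unhashed=b""):  # v4 DSA/SHA-1 signature body; hash prefix and r,s are dummies
    return (bytes([4, sig_type, 0x11, 0x02]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(160, 0x55) + _mpi(160, 0x66))
KEY_CREATED, KEY_EXPIRES = datetime(2010, 7, 1, tzinfo=timezone.utc), datetime(2015, 7, 1, tzinfo=timezone.utc)
_KEY_BODY = (b"\x04" + struct.pack(">I", int(KEY_CREATED.timestamp())) + b"\x11"   # 0x11 = DSA
             + _mpi(1024, 0xAB) + _mpi(160, 0xCD) + _mpi(1024, 0xEF) + _mpi(1024, 0x12))
PINNED_FINGERPRINT = parse_public_key(_KEY_BODY)[0]   # stands in for the fingerprint published on the website
_CTIME = _subpacket(2, struct.pack(">I", int(KEY_CREATED.timestamp())))
_HASHED = _CTIME + _subpacket(9, struct.pack(">I", int((KEY_EXPIRES - KEY_CREATED).total_seconds())))
SAMPLE_KEYRING = (_packet(6, _KEY_BODY) + _packet(13, b"Example Signer <signer@example.invalid>")
                  + _packet(2, _sig(0x13, _HASHED)))              # 0x13 = positive self-certification
SAMPLE_DETACHED_SIG = _packet(2, _sig(0x00, _CTIME, _subpacket(16, bytes.fromhex(PINNED_FINGERPRINT[-16:]))))
```

Against real input, `gpg --export <keyid>` gives the binary keyring for `audit_key` and the downloaded `.sig` file goes to `signer_keyid`; on the sample, `audit_key(SAMPLE_KEYRING, ISSUE_DATE)` reports `dsa1024`, `weak`, and `expired` as of the day the issue was filed, and `signer_keyid(SAMPLE_DETACHED_SIG)` is the suffix of `PINNED_FINGERPRINT`. Two caveats: the issuer subpacket is a 64-bit key ID, so matching it is only a routing hint, and `makepkg`'s `validpgpkeys=` compares the full fingerprint gpg reports after a successful `--verify`; and a self-signature can be re-issued with a later expiry, which is what "renewing" a key means, so an expired-looking key in an old keyring copy may simply need a refresh from the key server before being judged.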
