[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Help-glpk] 1024 bit key used to sign GLPK distribution package
From: |
Heinrich Schuchardt |
Subject: |
Re: [Help-glpk] 1024 bit key used to sign GLPK distribution package |
Date: |
Mon, 23 Jan 2017 12:54:59 +0100 |
The procedure to upload new keys is described here
https://www.gnu.org/prep/maintain/maintain.html
If in doubt contact the GNU administrators.
Best regards
Heinrich Schuchardt
http://www.xypron.de
Am 23.01.17 um 10:25 schrieb Andrew Makhorin
> Hi Heinrich,
>
> > you are using a 1024 bit key for signing GLPK distribution tar balls.
> >
> > 1024 bit is no longer considered safe. Cf.
> > http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
> >
> > Furthermore you are using SHA-1 for signing.
> > SHA1 is also regarded as unsafe.
> >
> > Please, create a signing key of at least and cross sign it with your old
> > 1024 bit key. You might use SHA-256 for signing.
> >
>
> Thanks for information. However, I follow the instruction for GNU
> maintainers, which requires a certain procedure to upload the tarballs
> to the main ftp site:
>
> For each upload destined for ftp.gnu.org or alpha.gnu.org,
> three files (a triplet) need to be uploaded via ftp ...
>
> (1) File to distributed (eg. foo.tar.gz)
>
> (2) Detached GPG binary signature for (1) (using gpg -b)
> (eg. foo.tar.gz.sig)
>
> (3) Clearsigned "directive" file (using gpg --clearsign)
> (eg. foo.tar.gz.directive.asc)
>
> I cannot change my gpg keys, because this would invalidate my signature
> recognized at GNU.
>
>
> Best regards,
>
> Andrew Makhorin