[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Release signing key still uses SHA1

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Mar 2024 03:41:02 +0100
Delivery-date: Tue, 12 Mar 2024 02:41:23 +0000
Feedback-id: i1568416f:Fastmail
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

The key used to sign release tarballs and git tags still uses SHA1 for
its self-signature. Is updated key somewhere already?

SHA1 is starting to be rejected by some tools already, for example
sequoia-sq:

    $ sq inspect xen.pub
    xen.pub: OpenPGP Certificate.
    
        Fingerprint: 23E3222C145F4475FA8060A783FE14C957E82BD9
                     Invalid: No binding signature at time 2024-03-12T02:37:29Z
    Public-key algo: RSA
    Public-key size: 2048 bits
      Creation time: 2010-04-06 13:55:33 UTC
    
             UserID: Xen.org Xen tree code signing (signatures on the xen 
hypervisor and tools) <pgp@xxxxxxx>
                     Invalid: Policy rejected non-revocation signature 
(PositiveCertification) requiring second pre-image resistance
                     because: SHA1 is not considered secure
     Certifications: 7, use --certifications to list


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

Prev by Date: 4.17.3 download is missing on the website
Next by Date: Re: [PATCH v2 3/5] xen/domctl, tools: Introduce a new domctl to get guest memory map
Previous by thread: 4.17.3 download is missing on the website
Next by thread: [linux-linus test] 184997: tolerable FAIL - PUSHED
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.