
Re: [Help-glpk] 1024 bit key used to sign GLPK distribution package


From: Andrew Makhorin
Subject: Re: [Help-glpk] 1024 bit key used to sign GLPK distribution package
Date: Mon, 23 Jan 2017 12:25:50 +0300

Hi Heinrich,

> you are using a 1024 bit key for signing GLPK distribution tarballs.
> 
> 1024 bit is no longer considered safe. Cf.
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
> 
> Furthermore you are using SHA-1 for signing.
> SHA1 is also regarded as unsafe.
> 
> Please, create a signing key of at least and cross sign it with your old
> 1024 bit key. You might use SHA-256 for signing.
> 

Thanks for the information. However, I follow the instructions for GNU
maintainers, which require a certain procedure to upload the tarballs
to the main ftp site:

        For each upload destined for ftp.gnu.org or alpha.gnu.org,
        three files (a triplet) need to be uploaded via ftp ...

        (1) File to be distributed (eg. foo.tar.gz)

        (2) Detached GPG binary signature for (1) (using gpg -b)
            (eg. foo.tar.gz.sig)

        (3) Clearsigned "directive" file (using gpg --clearsign)
            (eg. foo.tar.gz.directive.asc)

I cannot change my gpg keys, because this would invalidate my signature
recognized at GNU.


Best regards,

Andrew Makhorin
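Heinrich's two concerns, the key length and the digest algorithm, are both things a downstream packager can check for themselves in the raw bytes of a public key and a detached signature. The following Python script is an added example, not part of this thread and not GLPK's or GNU's tooling: it parses OpenPGP (RFC 4880) packet headers, reports the digest algorithm and issuer key ID of a version 4 signature packet and the modulus size of a version 4 RSA/DSA public-key packet, and flags SHA-1-family digests and keys under 2048 bits. The 2048-bit threshold and the set of digests treated as weak are this example's own policy, and the packets it audits are constructed inside the script, not real GLPK keys or signatures.

```python
"""Audit OpenPGP (RFC 4880) signature and public-key packets for weak
parameters: MD5/SHA-1/RIPEMD-160 digests and RSA/DSA keys below 2048 bits.
Added example; the packet bytes at the bottom are constructed, not real keys."""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
PUBKEY_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
                18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
WEAK_HASHES = {1, 2, 3}   # policy of this example: MD5, SHA-1, RIPEMD-160
MIN_KEY_BITS = 2048       # policy of this example


def read_packet(buf, pos=0):
    """Parse one packet header (old or new format) at buf[pos].
    Returns (tag, body, offset of the next packet)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                       # new-format header
        tag, n = first & 0x3F, buf[pos + 1]
        if n < 192:
            length, hdr = n, 2
        elif n < 224:
            length, hdr = ((n - 192) << 8) + buf[pos + 2] + 192, 3
        elif n == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                  # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, hdr = buf[pos + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", buf[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    body = buf[pos + hdr:pos + hdr + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, pos + hdr + length


def read_mpi(body, pos):
    """Read a multiprecision integer: 2-byte bit count, then the magnitude."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    end = pos + 2 + (bits + 7) // 8
    return bits, body[pos + 2:end], end


def iter_subpackets(data):
    """Yield (type, payload) for each signature subpacket in data."""
    pos = 0
    while pos < len(data):
        n = data[pos]
        if n < 192:
            length, pos = n, pos + 1
        elif n < 255:
            length, pos = ((n - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        sub = data[pos:pos + length]
        yield sub[0] & 0x7F, sub[1:]
        pos += length


def parse_signature(body):
    """Parse a version 4 signature packet body (tag 2)."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, pos = body[6:6 + hashed_len], 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    issuer = None
    for stype, payload in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if stype == 16:                    # issuer key ID subpacket
            issuer = payload.hex()
    return {"type": sig_type, "pubkey": PUBKEY_ALGOS.get(pk_algo, str(pk_algo)),
            "hash_id": hash_algo, "hash": HASH_ALGOS.get(hash_algo, str(hash_algo)),
            "issuer": issuer}


def parse_public_key(body):
    """Parse a version 4 public-key packet body (tag 6); the key size is the
    bit length of the first MPI (RSA modulus n, DSA prime p)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    algo = body[5]                         # byte 1-4 is the creation time
    bits, _, _ = read_mpi(body, 6)
    return {"pubkey": PUBKEY_ALGOS.get(algo, str(algo)), "bits": bits}


def audit(blob):
    """Walk every packet in blob; return a list of findings (empty = clean)."""
    findings, pos = [], 0
    while pos < len(blob):
        tag, body, pos = read_packet(blob, pos)
        if tag == 2:
            sig = parse_signature(body)
            if sig["hash_id"] in WEAK_HASHES:
                findings.append(f"signature by {sig['issuer']} uses {sig['hash']} digest")
        elif tag == 6:
            key = parse_public_key(body)
            if key["pubkey"] in ("RSA", "DSA") and key["bits"] < MIN_KEY_BITS:
                findings.append(f"{key['bits']}-bit {key['pubkey']} key is below {MIN_KEY_BITS} bits")
    return findings


# --- constructed sample packets (not real keys or signatures) ---
def _sig_packet(pk_algo, hash_algo, key_id):
    issuer = bytes([9, 16]) + key_id                        # subpacket: length 9, type 16
    sig_mpi = struct.pack(">H", 1024) + b"\x80" + b"\x00" * 127
    body = (bytes([4, 0x00, pk_algo, hash_algo]) + struct.pack(">H", 0)
            + struct.pack(">H", len(issuer)) + issuer + b"\x12\x34" + sig_mpi)
    return bytes([0xC2, len(body)]) + body                   # new-format header, tag 2


def _rsa_key_packet(bits):
    n = struct.pack(">H", bits) + b"\x80" + b"\x00" * (bits // 8 - 1)
    e = struct.pack(">H", 17) + b"\x01\x00\x01"
    body = bytes([4]) + struct.pack(">I", 1400000000) + bytes([1]) + n + e
    return b"\x99" + struct.pack(">H", len(body)) + body    # old-format header, tag 6


WEAK_BLOB = _rsa_key_packet(1024) + _sig_packet(1, 2, bytes.fromhex("0123456789abcdef"))
STRONG_BLOB = _rsa_key_packet(4096) + _sig_packet(1, 8, bytes.fromhex("0123456789abcdef"))

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_BLOB), ("strong", STRONG_BLOB)):
        print(name, audit(blob) or ["no findings"])
```

To run it on real material, pass `audit()` the bytes of a `.sig` file (the output of `gpg -b` is binary) or of a key exported with `gpg --export`; `gpg --list-packets` prints the same fields, and the script is meant to show where they sit in the packet format rather than to replace gpg.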



