15/15: doc: Recommend against SHA1 OpenPGP signatures.
From: guix-commits
Subject: 15/15: doc: Recommend against SHA1 OpenPGP signatures.
Date: Mon, 4 May 2020 03:59:36 -0400 (EDT)
civodul pushed a commit to branch master
in repository guix.
commit 4a84deda7489f668cd833b59daeb504cbd87fa2b
Author: Ludovic Courtès <address@hidden>
AuthorDate: Sat May 2 23:53:25 2020 +0200
doc: Recommend against SHA1 OpenPGP signatures.
* doc/contributing.texi (Commit Access): Recommend against SHA1
signatures.
---
doc/contributing.texi | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 0ec7a48..9583120 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1187,6 +1187,16 @@ the OpenPGP key you will use to sign commits, and giving
its fingerprint
(see below). See @uref{https://emailselfdefense.fsf.org/en/}, for an
introduction to public-key cryptography with GnuPG.
+@c See <https://sha-mbles.github.io/>.
+Set up GnuPG such that it never uses the SHA1 hash algorithm for digital
+signatures, which is known to be unsafe since 2019, for instance by
+adding the following line to @file{~/.gnupg/gpg.conf} (@pxref{GPG
+Esoteric Options,,, gnupg, The GNU Privacy Guard Manual}):
+
+@example
+digest-algo sha512
+@end example
+
@item
Maintainers ultimately decide whether to grant you commit access,
usually following your referrals' recommendation.
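Review bot: The only pointer to the evidence behind "known to be unsafe since 2019" is the `@c See <https://sha-mbles.github.io/>` line at the top of the added paragraph, which is a Texinfo comment and will not appear in the rendered manual; consider making it a visible @uref, as the preceding paragraph does for emailselfdefense.fsf.org, so readers can see why SHA1 is ruled out. The relative clause also reads as though "digital signatures" were what is unsafe; moving it next to "SHA1 hash algorithm" and using "has been known to be unsafe since 2019" would remove the ambiguity. Since the paragraph only tells contributors to set `digest-algo sha512`, a short sentence on how they can confirm which digest their signatures actually use would make the recommendation checkable.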