Hi, On Fri, 2024-07-26 at 14:08 +0900, Justus Winter wrote: > In the OpenPGP ecosystem, we have seen that people think that if GnuPG > accepts an artifact, then it must be okay to emit such an artifact. As > you can see [0], GnuPG still accepts SHA1-based signatures. And, we > have seen big players [1][2] use SHA-1 in their signing keys. > > 0: https://tests.sequoia-pgp.org/#Signature_over_the_shattered_collision > 1: https://github.com/microsoft/linux-package-repositories/issues/47 > 2: https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c19 > > We considerably improved the situation by rejecting these signatures, > even though that caused a considerable amount of pain in the short term.
Recently on debian-vote@ it was pointed out repeatedly that SHA-1 is still a perfectly secure hash algorithm for many applications (probably just as MD5). If Debian already relies on SHA-1 to be a cryptographic strong hash, there is probably no reason to not accept SHA-1 signatures nor for hashes other than SHA-1 in Packages/Sources indices (or even just MD5 to save space). Currently dak already has code to reject SHA-1 signatures, but maybe we should also remove that given SHA-1-based signatures are trusted by other parts as well. Ansgar
