https://sha-mbles.github.io/
Simply put, SHA-1 is about as insecure as MD5. GPG 2.2.18 contains a fix for this to ignore SHA-1-based identity signatures for keys created after 19 Jan 2019. I'm not sure if we have a link to documentation for users about proper use of GPG/PGP, though it might be handy to mention minimum key sizes if we do.

-- Matt Sicker <boa...@gmail.com>