GPG: stop using 32-bit key ID #20001
Labels
Bug
Either a bug report, or a bug fix. Let's hope for the latter!
Build/Install
Related to compiling or installing QGIS
Author Name: Patryk Sciborek (Patryk Sciborek)
Original Redmine Issue: 11772
Affected QGIS version: 2.6.0
Redmine category: build/install
Hi!
I'd like to add the QGIS Archive Automatic Signing Key (2014) to my keystore. Unfortunately, there is no way to tell if the key received from the keyserver is correct because you use only a 32-bit key ID (e.g. http://www.qgis.org/en/site/forusers/alldownloads.html#debian).
Since you can generate a collision in a few seconds (see: https://evil32.com/), it would be much better if you used the full key fingerprint, or at least provided it somewhere so the user can verify it manually.
Kind regards,
Patryk
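An added example, not part of the original report and not QGIS project code: a shell check that accepts a downloaded key only when its full 40-hex-digit fingerprint matches a pinned value, and refuses a 32-bit short ID as the pin. The function names, the two key listings and every fingerprint below are constructed for illustration; the real QGIS key fingerprint is not given on this page.

```shell
# Added example. All key data below is constructed, not a real key.
# Real use: gpg --show-keys --with-colons downloaded-key.asc | check_key "$PINNED_FPR"

# Strip spaces and an optional 0x prefix, then uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Last 8 hex digits of a fingerprint: the 32-bit short key ID.
short_id() {
    si_prefix=${1%????????}
    printf '%s' "${1#"$si_prefix"}"
}

# Read `gpg --with-colons` output on stdin; print each primary key fingerprint
# (the fpr record that directly follows a pub record, field 10).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_key PINNED < colon-listing
# 0: exactly one primary key, and its full fingerprint equals PINNED
# 1: fingerprint mismatch  2: PINNED is not 40 hex digits  3: not exactly one key
check_key() {
    ck_pinned=$(normalize_fpr "$1")
    case $ck_pinned in *[!0-9A-F]*) return 2 ;; esac
    [ "${#ck_pinned}" -eq 40 ] || return 2
    ck_found=$(primary_fprs)
    [ "$(printf '%s\n' "$ck_found" | grep -c .)" -eq 1 ] || return 3
    [ "$ck_found" = "$ck_pinned" ]
}

# Constructed listings: two different keys whose short IDs are both 99990000.
GENUINE_LISTING='pub:-:4096:1:7777888899990000:1400000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1400000000::::Constructed Signing Key <key@example.org>:'
LOOKALIKE_LISTING='pub:-:4096:1:0000111199990000:1400000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111199990000:
uid:-::::1400000000::::Constructed Signing Key <key@example.org>:'
PINNED_FPR='1111 2222 3333 4444 5555 6666 7777 8888 9999 0000'
```

Both constructed keys share the short ID `99990000`, so a lookup or comparison by short ID cannot tell them apart; only the comparison against the full pinned fingerprint separates them.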